Date: Wed, 29 Jul 1998 18:02:07 +1100
From: Dave Cottle
Subject: ALERT: security hole in zen 2.5 client for NT 4.0

This was passed to Novell last week. Here are the details:

Situation:
NT 4.0 Workstation, Service Pack 3, ZEN Client 2.5 installed, connecting to a NW 4.11 server.

Security Hole:
Using the WINHLP32.EXE function for providing help in the authentication boxes allows access to resources without authentication through the help program's file menu.

Vulnerability:
The security issue is only relevant on WinNT workstations, and only the latest version of the NetWare client (4.30.4.10) is vulnerable. I believe that the security hole would allow access on NT 3.5x with a slightly more convoluted approach also (see the HELP FILE link exploit below).

Reproducibility: always

Method:
At the logon screen, or the locked workstation screen:
- Press ctl-alt-del to open up the authentication box.
- Use either the ? in the top right-hand corner or press F1 to reveal the help program.
- Choose the file->open option to reveal the explorer common dialog box.
- Either open a help file that contains a link to cmd.exe (eg the WinNT resource kit help files) or right-click on a folder and select "open" to bring up a separate explorer window.
- Close down the help function.

You will now have either a command prompt or an explorer window without having to enter a usercode or password. If the workstation is locked, you now have access to the current user's desktop, and should also be active as the SYSTEM account. If there was no logged-on user, you now have interactive access as the SYSTEM account.

Effect:
NT client security can be bypassed, without requiring a usercode or password. This allows access to the current user if the workstation was locked, or the SYSTEM account if no user is logged on.

Cheers,
Dave

-----------------------------------------------------------------
A straight line may be the shortest distance between two points,
but it is by no means the most interesting.  -- Dr. Who
-----------------------------------------------------------------
Dave Cottle
Consultant
Computer Services, Room 205
University of Canterbury
d.cottle@csc.canterbury.ac.nz
Tel. 366 7001 ext. 8319