SNMP: Get Windows/NT User List

This signature detects attempts to get a user list by exploiting a trust relationship authentication vulnerability in Microsoft Windows NT. Local attackers can add an NT server to the network, create a trust relationship with the target NT server using a non-authenticated password, and gain access to the NT user list.

Extended Description

Trust relationships can be configured between domains controlled by Microsoft Windows 2000 and NT Server. These trust relationships allow for 'trusted domains' to access resources on 'trusting domains'. Windows 2000 and NT contain a vulnerability in this feature that may allow for an attacker with administrative privileges on a trusted domain to elevate privileges on any trusting domain. It is possible for a trusted domain to associate any SID (security identifier) with any security group in the trusting domain. A malicious administrator or an attacker who has obtained administrative privileges on a trusted domain may exploit this vulnerability to obtain control of the trusting domain. For example, a trusted domain may associate a local (within the trusted domain) user SID with the administrative security group on the trusting domain. The SID would then have the privileges of the administrative group within the trusting domain. It should be noted that it is difficult to exploit this vulnerability. Microsoft Windows 2000 and NT provide no facility or API allowing for modification of the authorization data required to exploit this vulnerability.

Affected Products

Microsoft windows_nt_terminal_server

References

BugTraq: 3997

CVE: CVE-2002-0018

URL: http://www.microsoft.com/technet/security/bulletin/MS02-001.mspx

Short Name

SCAN:MISC:USER-LIST

Severity

Info

Recommended

False

Recommended Action

None

SNMP: Get Windows/NT User List

Extended Description

Affected Products

References

Found a potential security threat?