Re: Win XP - Renaming administrator, possible vulnerability?

From: Mark Kahn - Lists (imail@cwolves.com)
Date: 10/24/02


From: "Mark Kahn - Lists" <imail@cwolves.com>
To: <security-basics@security-focus.com>
Date: Thu, 24 Oct 2002 13:05:37 -0400

Seems like a bug to me, even if the security risk isn't huge. Windows XP
doesn't allow you to create a _new_ user with a name that already exists,
why should it allow you to rename a user to one that already exists?

-Mark

----- Original Message -----
From: "Jones, Bob" <JonesB@students.svcc.edu>
To: <security-basics@security-focus.com>
Sent: Wednesday, October 23, 2002 8:37 PM
Subject: Win XP - Renaming administrator, possible vulnerability?

> Greetings to all,
>
> I've noticed on my WinXP machines that if I rename an existing user to
> another name (doesn't matter what), and rename the Administrator account
> to the former name of that user account, that I could log in to more than
> one account with this name, simply depending upon which password was
> entered. Something is not right with this, but I'm not at a level to
> determine whether this can pose any kind of security vulnerability or not.
> Microsoft says: "Since you must enter the password for the accounts then
> the system is operating by design." Is this just a strange bug?
>
> For example:
> Rename user account "user1" to "someone"
> rename administrator account "administrator" to "user1"
> Now with user1 entered in the login field, and user can enter either
> password to gain access to either account.
>
> Any thoughts/explanations/insights?
>
> Cheers!
>
> Bob Jones
>


