"DashBar" can install as a restricted user!

From: Gordon Fecyk (gordonf_at_pan-am.ca)
Date: 04/27/04


Date: Tue, 27 Apr 2004 16:34:41 -0500

I was testing a new software kit for a client of mine. The clients run
their software as restricted users on Windows 2000 Pro, where the servers
are NT4 in an NT4 domain.

Normally, Domain Users run as "users" (called "limited users" on XP and
"restricted users" on Win2K). On a whim I tried installing one of Gator's
little toys, Dashbar, as a limited user.

The web-based installation failed as I expected, but they had a lovely
"workaround" for that: Just download the .exe installer and run that.
Strangely enough, this thing not only managed to install itself, create a
directory in Program Files, and write a file into C:\WINNT\Temp (which is
normally read-only to restricted users) but managed to write to Registry
keys that were clearly marked as Read-Only for restricted users.

I'm guessing that the installer's using some kind of exploit, such as
brute-forcing the administrator password (which is not blank and not easily
guessable), or somehow running as the SYSTEM user. I'm going to try this
again in a more controlled environment and turn auditing on to determine
what user account the thing's writing to these keys with.

Someone happen to know how a limited user can write to read-only portions of
an NTFS file system and the Registry in order to install stuff?


