Short Name | SCAN:MISC:USER-LIST |
---|---|
Severity | Info |
Recommended | No |
Category | SCAN |
Keywords | Get Windows/NT User List |
Release Date | 2003/04/22 |
Update Number | 1213 |
Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |

This signature detects attempts to get a user list by exploiting a trust relationship authentication vulnerability in Microsoft Windows NT. Local attackers can add an NT server to the network, create a trust relationship with the target NT server using a non-authenticated password, and gain access to the NT user list.

Trust relationships can be configured between domains controlled by Microsoft Windows 2000 and NT Server. These trust relationships allow 'trusted domains' to access resources on 'trusting domains'. Windows 2000 and NT contain a vulnerability in this feature that may allow an attacker with administrative privileges on a trusted domain to elevate privileges on any trusting domain. A trusted domain can associate any SID (security identifier) with any security group in the trusting domain. A malicious administrator, or an attacker who has obtained administrative privileges on a trusted domain, may exploit this vulnerability to obtain control of the trusting domain. For example, a trusted domain may associate a local (within the trusted domain) user SID with the administrative security group on the trusting domain. The SID would then have the privileges of the administrative group within the trusting domain. Note that this vulnerability is difficult to exploit: Microsoft Windows 2000 and NT provide no facility or API for modifying the authorization data required to exploit it.