COMMAND

    Gaining access with no access

SYSTEMS AFFECTED

    Win NT

PROBLEM

    David Litchfield has recently discovered  a way to gain access  to
    files / programs that you have been given "No Access" to on a NTFS
    volume.....this is quite convoluted but here's how its done:

    Let's say the Administrator has  given access to User Manager  for
    Domains (usrmgr.exe) to only members  of the Admins group and  has
    specifically given  no access  to everyone  else.   A domain  user
    called Johnny Cracker comes along and does the following. He edits
    the  blank.htm  file  in  the <drive>:winnt\system32 directory and
    inserts the following line :

	<A HREF="usrmgr.exe">User Manager</A>

    He  saves  the  file.  He  then  creates  another  htm file called
    access.htm with the following lines.....

    <SCRIPT LANGUAGE="JavaScript">
    <!--

    function Play_()

	    {
	    document.snd.play(false);
	    }


    // -->

    </SCRIPT>

    <EMBED SRC="drums.wav" NAME="snd" WIDTH="1" HEIGHT="2" MASTERSOUND>



    <A HREF="http://www.microsoft.com"OnMouseOver="window.status='Where do you want
    to go today?';return true">Microsoft's Homepage</A>

    <A HREF="http://www.ibm.com"OnMouseOver="window.status='International Business
    Machines';return true">IBM's Homepage</A>

    <IMG SRC="vikings.gif">

    He places this file on a web server....eg

	<A href="http://somehost/yourlogin/access.htm">http://somehost/yourlogin/access.htm</A>

    He also places a *.wav and a *.gif there too.  Then using IE  (ver
    3.02 - this may work with other versions) he connects to some site
    eg. www.yahoo.com.  Once this page has loaded he then connects  to
    his  access.htm  page  on  the  web  server...as soon as the pages
    starts opening  he clicks  on "back".   What happens  next is user
    manager opens up....that program he has no access to....(sometimes
    you have to fiddle with the "Stop" , "Refresh" and "Back"  buttons
    but usrmgr does eventually load).

    Now what's actually happening here?  When you look at the  running
    processes usrmgr.exe  is not  listed...even though  you've got  it
    open  on  the  screen...iexplore.exe  however  is a fat 7000k big.
    Around  3000k  bigger  than  normal.  When  you click on "Back" IE
    obviously gets confused, tries to open c:\winnt\system32\blank.htm
    and  ends  up  running  and  engulfing  usrmgr.exe.   When you run
    network monitor and look at what's happening when User manager  is
    loaded  the   computer  is   receiving  the   *.wav  file.....then
    immediately the computer  broadcasts a NetBIOS  query on UDP  port
    137...it does this a number  of times and eventually user  manager
    will  say  "can't  find  the  domain".   You  can then select your
    domain.  This was tested on NT Server 4.0 SP3.

SOLUTION

    Nothing yet, but one should try this scenario with IE4.