Everhart, Glenn (FUSA)

From: Damien Buckley [Damien.Buckley@wang.co.nz]
Sent: Wednesday, April 21, 1999 12:10 AM
To: 'ntsecurity@iss.net'
Subject: [NTSEC] How To Gain Local Admin On NT

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

A colleague and I have recently discovered an exploit in the Windows NT operating system where any user with access to read and write to the system32 directory on Windows NT can become local admin.

To do this, follow these steps:

* Go to the WINNT\SYSTEM32 directory and rename logon.scr to logon.old.
* Next, select the usrmgr.exe file in the system32 root directory, copy it to another directory and rename it to logon.scr.
* Then copy this logon.scr to the WINNT\SYSTEM32 directory.
* Next, log off and wait for the logon screen saver to execute (approximately 15 minutes).

When this screen saver activates it will start User Manager as SYSTEM, which will give you the ability to add yourself to the local Administrators group.

If you purchase the NTFS reader and writer from Sysinternals, you can give yourself local administrator privilege on any NT computer that you have console access to, by performing the same steps as above.

If you can gain access to the domain controller, you can give yourself domain admin rights to the domain with the same procedure as above.

Damien
Jason
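The precondition for the swap described above is a System32 ACL that lets ordinary users create, rename or delete files there, and the tell-tale of a swapped screen saver is a file whose version resource still names usrmgr.exe. The following administrator check is an added example, not part of the original post; it assumes a modern PowerShell (Get-Acl, Get-FileHash, the VersionInfo property) rather than NT 4-era tooling, and the trusted-principal list is an assumption to adjust per build.

```powershell
# Added defensive check; not part of the original post. Assumes a modern
# PowerShell (Get-Acl, Get-FileHash, .VersionInfo), not NT 4-era tooling.
$System32    = Join-Path $env:SystemRoot 'System32'
$ScreenSaver = Join-Path $System32 'logon.scr'   # file name used in the post

function Get-UntrustedSystem32Writers {
    # Allow ACEs on System32 that let a non-administrative principal create,
    # rename or delete files there (the precondition for the described swap).
    $trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')   # assumption: adjust per build
    $mask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $System32).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        ( (($_.FileSystemRights -band $mask) -ne 0) -or
          ((([int]$_.FileSystemRights) -band 0x50000000) -ne 0) )   # GENERIC_ALL / GENERIC_WRITE bits
    }
}

function Test-ScreenSaverIdentity {
    # A renamed usrmgr.exe keeps its version resource, so OriginalFilename
    # will not match the name the file carries on disk.
    if (-not (Test-Path -Path $ScreenSaver)) { return "$ScreenSaver not present" }
    $item = Get-Item -Path $ScreenSaver
    $orig = $item.VersionInfo.OriginalFilename
    [pscustomobject]@{
        Path             = $item.FullName
        OriginalFilename = $orig
        Description      = $item.VersionInfo.FileDescription
        SHA256           = (Get-FileHash -Path $item.FullName -Algorithm SHA256).Hash
        NameMatches      = [bool]($orig -and ([IO.Path]::GetFileNameWithoutExtension($orig) -ieq 'logon'))
    }
}

Write-Host "== Non-administrative principals with write/delete rights on $System32 =="
Get-UntrustedSystem32Writers | Format-Table IdentityReference, FileSystemRights -AutoSize
Write-Host "== Identity of $ScreenSaver =="
Test-ScreenSaverIdentity | Format-List
```

Any principal listed by the first function, or a NameMatches of False with a Description naming User Manager, is the condition the post relies on; compare the SHA256 against a known-good install rather than trusting the name.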