MW> To Whom it May Concern;
MW> The Original Post is http://www.securityfocus.com/bid/11711
MW>
MW> On Windows XP all releases, when you replace, or change the
MW> screensaver displayed on the login screen with a specially crafted
MW> version designed to execute programs, those programs are launched
MW> under the SYSTEM SID, i.e. they are given automatically the highest
MW> access level available to Windows. This level is not accessible even
MW> to administrators.
MW>
MW> This flaw is important because while one would need Power User
MW> privileges or above to change the Login Screensaver, by default, any
MW> user with the exception of guest can replace the login screensaver
MW> file with a modified version. In theory, any determined user could
MW> execute ANYTHING with SYSTEM privileges. A similar flaw exists in
MW> Win2K, but Microsoft has ignored it.
MW>
MW> Sincerely;
MW> Matt Walker
I've used the technique on this page to rescue a Windows 2000 domain controller's admin account since the pnordhal diskette won't help:
http://www.jms1.net/nt-unlock.html
Similar instructions for Windows 2003 are here:
http://www.nobodix.org/seb/win2003_adminpass.html
-d
_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
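An added defender's check for the condition described in the quoted post (this is not code from the thread or from either author): it resolves the logon-screen screensaver path and reports any ACE that grants write, modify, delete or ownership rights to a low-privilege principal, then checks the file's Authenticode status. The registry value `SCRNSAVE.EXE` under `HKU\.DEFAULT\Control Panel\Desktop`, the `logon.scr` fallback path and the list of low-privilege principals are assumptions made for this example.

```powershell
# Added example: audit who can overwrite the screensaver that runs on the logon screen.
# Assumption: the logon-screen screensaver path is stored in the .DEFAULT user hive;
# if the value is absent, fall back to %SystemRoot%\System32\logon.scr (also an assumption).
$regPath = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
$scr = (Get-ItemProperty -Path $regPath -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
if (-not $scr) { $scr = Join-Path $env:SystemRoot 'System32\logon.scr' }
if (-not (Test-Path -Path $scr)) {
    Write-Output "Logon screensaver not found at '$scr'; nothing to audit."
    return
}

# Principals that should never be able to modify a file that the logon screen
# executes under the SYSTEM account (assumed list; extend for your environment).
$lowPriv = @('Everyone',
             'BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets the holder replace the binary or its content.
$R = [System.Security.AccessControl.FileSystemRights]
$writeBits = $R::Write -bor $R::Modify -bor $R::FullControl -bor
             $R::Delete -bor $R::TakeOwnership -bor $R::ChangePermissions

$acl = Get-Acl -Path $scr
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        ($lowPriv -contains $ace.IdentityReference.Value) -and
        (($ace.FileSystemRights -band $writeBits) -ne 0)) {
        [pscustomobject]@{
            Path      = $scr
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}

if ($findings) {
    Write-Output "WEAK ACL: low-privilege principals can modify the logon screensaver:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "OK: no low-privilege write access to '$scr'."
}

# A logon screensaver that is not a validly signed Microsoft binary (catalog or
# embedded signature) deserves a closer look: it may already have been replaced.
$sig = Get-AuthenticodeSignature -FilePath $scr
Write-Output ("Owner: {0}  Signature: {1}  Signer: {2}" -f $acl.Owner, $sig.Status,
              $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }))
```

Run it from an elevated PowerShell session so the .DEFAULT hive and the file ACL are readable; a `Signature` other than `Valid` on a stock Windows screensaver, or any `WEAK ACL` line, is the finding to escalate.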
