NT 4.0 Stupid default SMB mount permissions

Summary
Description:If you have an account on a NT box, you are by default allowed to mount any drive r/w by mounting \\server\c$ (replace 'c' with the drive letter).
Author:Well known, but this post was by Yiorgos Adamopoulos <Y.Adamopoulos@noc.ntua.gr>
Compromise:Mount any NT drive r/w (local)
Vulnerable Systems:NT 4.0 with no service packs, 3.51?
Date:7 April 1997
Details

Exploit: 
>     It is known about big hole in NT 4.0 security system
>     that allows for a user without any access permission to mount NT
>     server root directory (disk C:) in r/w mode and to take a
>     complete control over NT system ? I heard only some little

Under 4.0 (no service packs) it is possble to mount drive C: (and any other
drive) R/W if you have a user account.  Note that this is the default
installation and therefore it is not a bug but a missconfiguration:

smbclient '\\ntserver\c$' -U user

should give you the smb> prompt.

Installing SP2 removes these defaults.

-Yiorgos.
More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]