Re: priviledge escalation techniques

From: miguel.dilaj@pharma.novartis.com
Date: Mon Jan 17 2005 - 16:54:24 EST

• Next message: miguel.dilaj@pharma.novartis.com: "Re: priviledge escalation techniques"
• Previous message: Marc Maiffret: "RE: priviledge escalation techniques"
• Maybe in reply to: Dan Rogers: "priviledge escalation techniques"
• Next in thread: miguel.dilaj@pharma.novartis.com: "Re: priviledge escalation techniques"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi jnf!

Good question, I used a tool to write to NTFS volumes, as mentioned in
point (1) of my post. This was probably not clear in my original post,
sorry.
And answering another good question you made off-list:

>What is the point then?
>If you can write to anything on the fs, why not just skip the middle mand
>and write a new sam file or just add a new program to run on boot in the
>registry/etc. what do you gain by adding extra steps?

Your options are perfectly valid, but much more detectable (IMHO).
With the option of changing sethc.exe you are not running anything extra,
you are not modifying the SAM (that can count as evidence against you in
case of problems), and you don't even need to crack passwords.
It's just a CLI as SYSTEM on request ;-)
But as you pointed, the possibilities are endless.
Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
We need YOU at www.oissg.org!

lists <lists@innocence-lost.net>
17/01/2005 19:19

 
        To: Miguel Dilaj/PH/Novartis@PH
        cc: pen-test@securityfocus.com
        Subject: Re: priviledge escalation techniques

> 3) the one I've chosen, similar to (1) above. I've XP with the
> Accessibility Tools installed by default. They monitor some keys, and if
> for example you press SHIFT 5 times a popup appears where you can
activate
> and configure the accessibility tools. The program responsible for that
is
> sethc.exe, and the guys at Micro$oft comit the cardinal mistake of not
> making IT check if SHIFT was pressed 5 times, but to include that in
some
> other part of the OS (kernel? ;-)
> So if you press SHIFT 5 times, sethc.exe is executed, but doesn't matter
> WHAT IS sethc.exe
> You guess that, I replaced sethc.exe by a copy of cmd.exe
> If I press that BEFORE login, a CLI as SYSTEM is started, I can launch
> compmgmt.msc and add myself to the local administrators group (please
note
> that if you start it AFTER login, a CLI is started as your user).

How do you suppose one gets write access to sethc.exe without admin privs
in the first place? I cannot overwrite my sethc.exe, nor can I change the
system Path variables, and it gets prepended to my path before user
variables do- are you sure you didn't test this while logged in as an
admin?

jnf

• Next message: miguel.dilaj@pharma.novartis.com: "Re: priviledge escalation techniques"
• Previous message: Marc Maiffret: "RE: priviledge escalation techniques"
• Maybe in reply to: Dan Rogers: "priviledge escalation techniques"
• Next in thread: miguel.dilaj@pharma.novartis.com: "Re: priviledge escalation techniques"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:14 EDT