From: Dave Wells (dave.wells@foreshore.net)
Date: Thu Jan 20 2005 - 11:19:47 EST
The below 'at 12:00 /interactive cmd.exe' command will grant you System
level privileges however you need to be in the local admistrators group
on the server in the first place to be allowed to schedule an 'at' task
so the risk of elevated privileges is minor.
Regards
Dave Wells
-----Original Message-----
From: John Cobb [mailto:johnc@nobytes.com]
Sent: 17 January 2005 22:45
To: 'jnf'; miguel.dilaj@pharma.novartis.com
Cc: pen-test@securityfocus.com
Subject: RE: priviledge escalation techniques
You could always do the classic 'at 12:00 /interactive cmd.exe' to gain
your self a command prompt with 'SYSTEM' privileges (well with win2k,
havent tested xp)
E.g.:
C:\>at 22:39 /interactive cmd.exe
Added a new job with job ID = 1
C:\>
In a new window...
C:\>whoami
SYSTEM
C:\>
Bing :)
(also works nice with cygwin ;) )
Regards
John Cobb
www.NoBytes.com
Web Design, Web Hosting, Hardware, Software, You Name it, if its to do
with IT we can sort it.
-----Original Message-----
From: jnf [mailto:lists@innocence-lost.net]
Sent: 17 January 2005 19:45
To: miguel.dilaj@pharma.novartis.com
Cc: pen-test@securityfocus.com
Subject: Re: priviledge escalation techniques
> and the guys at Micro$oft comit the cardinal mistake of not making IT
> check if SHIFT was pressed 5 times, but to include that in some other
> part of the OS (kernel? ;-)
And while I sit here eating lunch it occured to me how silly of a
statement that was- consider which is more of an acceptible risk-
scenario 1) sethc.exe is run as a normal user, or rather as the user
logged
in- it does not run with any special capabilities, the keyboard driver
or whatever intercepts and detects shift pressed 5 times, or held for X
seconds- however IF someone managed to override your DAC's/file
permissions then they can overwrite the program, however if this occurs-
the game is already up because you had a more critical flaw some place
else, and that is really the way that you lost control.
scenario 2) sethc.exe is always running and monitoring keystrokes
looking for any sequence of keystrokes that it recognizes, in order to
do this either any user has to be able to 'sniff keystrokes', OR, it has
to run with special access allowing the window for abuse to grow bigger-
in addition to this the kernel has to take extra steps in order to pass
every keystroke to userspace, which is going to degrade performance. So
here, the simple program is now running with elevated status and becomes
a huge potential for abuse.
>From a perspective of security, which is a better design? scenario 2 is
basically what you are suggesting. I love IT Security as well, but its
not nearly as humorous as It Security 'Professionals'
cheers,
jnf
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:14 EDT