Re[2]: [Full-Disclosure] MS Windows Screensaver Privilege Escalation

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 11/26/04

  • Next message: n3td3v: "Re: [Full-Disclosure] Mailing lists and unsolicited/malicious spam"
    To: Matt Andreko <mandreko@ori.net>
    Date: Fri, 26 Nov 2004 19:12:21 +0300
    
    

    Dear Matt Andreko,

    The ability to boot a machine from a bootable CD is not a problem of Windows
    security, it's more a problem of physical security. To reliably prevent your
    machine from booting from a bootable CD you can use certified
    BIOS versions (HP and IBM have a few), special marks and devices like
    Dallas Lock, Secret Net, etc.

    --Friday, November 26, 2004, 6:42:34 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:

    MA> Perhaps this is just an amateurish question, but what if I booted off of
    MA> a knoppix cd and replaced the current screensaver with my "specially
    MA> crafted" screensaver? Or using the bootdisk at
    MA> http://home.eunet.no/~pnordahl/ntpasswd/ to edit the registry value?

    MA> I know you may think that this is useless, since if you boot off the cd
    MA> or disk, you already have better access to the machine, however doing
    MA> this method gets you admin access WITHOUT changing the password, correct?

    MA> Again, perhaps I'm misunderstanding, but wouldn't this work, and still
    MA> show that the vulnerability in the screensaver code is valid, and needs
    MA> to be updated? It could allow someone to get local admin access to the
    MA> machine without changing the password.

    MA> 3APA3A wrote:

    >> Dear Matthew Walker,
    >>
    >> Permissions for HKEY_USERS\Control Panel\Desktop allow modification
    >> only by members of Administrators and System.
    >>
    >> Power Users can install software, so they can replace any file in the
    >> SYSTEM32 directory, including the screensaver. This allows trojaning any
    >> system file (for example, one can replace winspool.exe with cmd.exe to
    >> obtain SYSTEM permissions). It's by design and it's documented. Just
    >> never put users in the Power Users group, as Microsoft recommends. I
    >> see no security vulnerability here.
    >>
    >> --Wednesday, November 24, 2004, 8:36:14 PM, you wrote to
    >> full-disclosure@lists.netsys.com:
    >>
    >> MW> To Whom it May Concern;
    >> MW> The Original Post is http://www.securityfocus.com/bid/11711
    >>
    >> MW> On Windows XP all releases, when you replace, or change the
    >> MW> screensaver displayed on the login screen with a specially crafted
    >> MW> version designed to execute programs, those programs are launched
    >> MW> under the SYSTEM SID, i.e. they are automatically given the highest
    >> MW> access level available to Windows. This level is not accessible even
    >> MW> to administrators.
    >>
    >> MW> This flaw is important because while one would need Power User
    >> MW> privileges or above to change the Login Screensaver, by default, any
    >> MW> user with the exception of guest can replace the login screensaver
    >> MW> file with a modified version. In theory, any determined user could
    >> MW> execute ANYTHING with SYSTEM privileges. A similar flaw exists in
    >> MW> Win2K, but Microsoft has ignored it.
    >>
    >> MW> Sincerely;
    >> MW> Matt Walker
    >>
    >> MW> _______________________________________________
    >> MW> Full-Disclosure - We believe in it.
    >> MW> Charter: http://lists.netsys.com/full-disclosure-charter.html
    >>
    >>

    -- 
    ~/ZARAZA
    A particular problem is alcoholism.  (Lem)
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
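The thread argues about three things: which binary the logon desktop runs as SYSTEM, who can overwrite that file in SYSTEM32 (the Power Users case), and who can change the registry value that selects it (the boot-CD / registry-editor case). The script below is an added example written for this page, not code from the thread, Microsoft, or any of the posters; it audits all three on a current host and also lists Power Users membership, since "keep that group empty" is the actual advice given. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1+, an elevated prompt, and that the logon desktop takes its screensaver from the SCRNSAVE.EXE value under HKEY_USERS\.DEFAULT\Control Panel\Desktop (the thread abbreviates that key). The trusted-principal list and the write-right masks are the script's own choices.

```powershell
# Added audit example (not from the thread). Reports:
#  (1) which .scr the logon desktop runs as SYSTEM,
#  (2) which principals can overwrite or replace that file,
#  (3) which principals can change the registry value that selects it,
#  (4) whether the binary still carries a valid Microsoft signature,
#  (5) who is in the local Power Users group.
# Assumptions: Windows 10 / Server 2016+, PowerShell 5.1+, run elevated.

$ErrorActionPreference = 'Stop'

# Principals that legitimately own System32 and HKU\.DEFAULT; anyone else
# holding write rights is a finding. (Assumed list, adjust for your build.)
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Expose HKEY_USERS as a drive so Get-ItemProperty / Get-Acl can reach it.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$keyPath = 'HKU:\.DEFAULT\Control Panel\Desktop'
$props   = Get-ItemProperty -Path $keyPath
$scr     = $props.'SCRNSAVE.EXE'

if (-not $scr) {
    Write-Output 'No logon screensaver configured (SCRNSAVE.EXE absent); nothing is launched as SYSTEM from the logon screen.'
} else {
    # (1) The value may be a bare file name (looked up in System32) or a full path.
    $scrPath = $scr
    if (-not [System.IO.Path]::IsPathRooted($scr)) { $scrPath = Join-Path $env:SystemRoot "System32\$scr" }
    Write-Output "Logon screensaver: $scrPath (ScreenSaveActive=$($props.ScreenSaveActive))"

    if (-not (Test-Path -LiteralPath $scrPath)) {
        Write-Warning "$scrPath does not exist; whoever can create it controls what runs as SYSTEM"
    } else {
        # (2) File ACL: who may replace the binary? This is the Power Users
        # route from the thread (drop a crafted .scr into System32).
        $fileWriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                               [System.Security.AccessControl.FileSystemRights]::Delete -bor
                               [System.Security.AccessControl.FileSystemRights]::Modify -bor
                               [System.Security.AccessControl.FileSystemRights]::FullControl)
        foreach ($ace in (Get-Acl -LiteralPath $scrPath).Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                (([int]$ace.FileSystemRights -band $fileWriteMask) -ne 0) -and
                ($trusted -notcontains $id)) {
                Write-Warning "$id can modify/replace $scrPath ($($ace.FileSystemRights)): code execution as SYSTEM at the logon screen"
            }
        }

        # (4) A replaced .scr will not carry a valid Microsoft signature.
        # System32 screensavers are catalog-signed; Get-AuthenticodeSignature
        # validates catalog signatures on PowerShell 5.1+.
        $sig = Get-AuthenticodeSignature -FilePath $scrPath
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            Write-Warning "$scrPath is not a validly Microsoft-signed binary (status: $($sig.Status)); compare its hash with a known-good copy"
        }
    }
}

# (3) Registry ACL: who may point SCRNSAVE.EXE at another file? This is the
# "edit the registry value" route from the thread.
$regWriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                      [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                      [System.Security.AccessControl.RegistryRights]::FullControl)
foreach ($ace in (Get-Acl -Path $keyPath).Access) {
    $id = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and
        (([int]$ace.RegistryRights -band $regWriteMask) -ne 0) -and
        ($trusted -notcontains $id)) {
        Write-Warning "$id can change SCRNSAVE.EXE under $keyPath ($($ace.RegistryRights))"
    }
}

# (5) The thread's actual recommendation: keep Power Users empty.
$members = Get-LocalGroupMember -Group 'Power Users' -ErrorAction SilentlyContinue
if ($members) {
    $members | ForEach-Object { Write-Warning "Power Users member: $($_.Name) ($($_.ObjectClass))" }
} else {
    Write-Output 'Power Users group is empty or absent.'
}
```

Run it from an elevated prompt (`powershell -ExecutionPolicy Bypass -File .\Audit-LogonScreensaver.ps1`); a clean host prints the screensaver path and "Power Users group is empty or absent." with no warnings. Two caveats: on hosts older than PowerShell 5.1 the signature check reports catalog-signed files as NotSigned, so fall back to comparing the file hash against a known-good install; and none of this addresses the boot-from-CD case in the reply above, which is a physical-security control (firmware password, boot-order lock, full-disk encryption) rather than an ACL.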
    
