Re: [Full-disclosure] [Windows XP] possible privilege escalation

From: NSC (news-letters_at_bluewin.ch)
Date: 05/30/05

    Date: Mon, 30 May 2005 23:31:18 +0200
    To: full-disclosure@lists.grok.org.uk
    
    

    Pif Gadget wrote:

    > Hello,
    >
    > I've encountered twice a strange problem on my Windows XP SP2 (fully
    > patched) box.
    >
    > I have 2 separate accounts on my personal system : Administrator (for
    > administrative tasks only) and simple user (for common everyday
    > tasks), for security and system integrity reasons.
    >
    > Today, being logged in the simple user account and having Windows
    > Media Player launched, I executed an installation executable file
    > (from Microsoft) as Administrator using "Execute as..." entry in the
    > contextual menu. The application was successfully installed. Later, I
    > tried to close Windows Media Player, the window was closed but the
    > music was still playing. I looked in the Task Manager in order to
    > force quit WMP, but to my surprise the task (wmplayer.exe) did not
    > belong to me ("simple user"), but to Administrator (It's worth
    > mentioning that the Administrator account was not open at that moment
    > - as it is possible with User Fast Switching, so no other instance of
    > WMP was running.)
    >
    > This happened to me once before, with the same conditions (including
    > running an installation app using "Execute as..."), but I couldn't
    > reproduce the issue "manually".
    >
    >
    > Best regards,
    >
    >
    > --
    > Pif
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >

    Hello,

    Are you sure you didn't launch wmplayer from the setup process (something
    like: start wmplayer when setup is complete)?

    In this case, wmplayer starts with the rights from setup.exe, which
    in your case is the admin account.

    Have a nice day.

    Spencer
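
Added example, not part of the original message: one way to check the explanation above on a current Windows system is to list each wmplayer.exe process with its owner, session and parent process. It assumes PowerShell 3.0 or later (CIM cmdlets) and an elevated prompt so owners of other accounts' processes can be read; the function name Get-ProcessLineage is hypothetical.

```powershell
# Added example: show who owns a process and which process started it.
# Assumption: PowerShell 3.0+ with the CIM cmdlets, run from an elevated prompt.
function Get-ProcessLineage {
    param([string]$Name = 'wmplayer.exe')

    $all = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

    # Helper: DOMAIN\User of a process, or $null when the owner cannot be read.
    $ownerOf = {
        param($proc)
        $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
        if ($o -and $o.ReturnValue -eq 0) { '{0}\{1}' -f $o.Domain, $o.User }
    }

    foreach ($p in ($all | Where-Object { $_.Name -eq $Name })) {
        $parent = $byPid[[uint32]$p.ParentProcessId]
        # PIDs are reused: a "parent" created after the child is not the real
        # parent (the real one, e.g. a finished setup.exe, has already exited).
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

        $owner       = & $ownerOf $p
        $parentName  = if ($parent) { $parent.Name } else { '(exited)' }
        $parentOwner = if ($parent) { & $ownerOf $parent } else { $null }

        [pscustomobject]@{
            Name            = $p.Name
            ProcessId       = $p.ProcessId
            SessionId       = $p.SessionId      # interactive session the process runs in
            Owner           = $owner            # account whose token the process carries
            ParentProcessId = $p.ParentProcessId
            ParentName      = $parentName
            ParentOwner     = $parentOwner
        }
    }
}

Get-ProcessLineage -Name 'wmplayer.exe' | Format-List
```

A wmplayer.exe whose Owner is the administrator account while its SessionId is the limited user's session, with a parent that is an installer or has already exited, matches the scenario described in the reply.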
