Re: [Full-disclosure] [Windows XP] possible privilege escalation
From: KF (lists) (kf_lists_at_digitalmunition.com)
Date: 06/08/05
Date: Wed, 08 Jun 2005 04:00:54 -0400
To: full-disclosure@lists.grok.org.uk
Would this possibly have anything to do with MSIEXEC.exe (that is off
the top of my head) running as system? I have occasionally seen this
process chilling out running as SYSTEM.
-KF
NSC wrote:
>Pif Gadget wrote:
>
>
>
>>Hello,
>>
>>I've encountered twice a strange problem on my Windows XP SP2 (fully
>>patched) box.
>>
>>I have 2 separate accounts on my personal system : Administrator (for
>>administrative tasks only) and simple user (for common everyday
>>tasks), for security and system integrity reasons.
>>
>>Today, being logged in the simple user account and having Windows
>>Media Player launched, I executed an installation executable file
>>(from Microsoft) as Administrator using "Execute as..." entry in the
>>contextual menu. The application was successfully installed. Later, I
>>tried to close Windows Media Player, the window was closed but the
>>music was still playing. I looked in the Task Manager in order to
>>force quit WMP, but to my surprise the task (wmplayer.exe) did not
>>belong to me ("simple user"), but to Administrator (It's worth
>>mentioning that the Administrator account was not open at that moment
>>- as it is possible with User Fast Switching, so no other instance of
>>WMP was running.)
>>
>>This happened to me once before, with the same conditions (including
>>running an installation app using "Execute as..."), but I couldn't
>>reproduce the issue "manually".
>>
>>
>>Best regards,
>>
>>
>>--
>>Pif
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>
>Hello,
>
>are you sure you didn't launch wmplayer from the setup process (something
>like: start wmplayer when setup is complete)?
>
>In this case, wmplayer starts with the rights from setup.exe, which
>in your case is the admin account.
>
>Have a nice day.
>
>Spencer
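The explanation quoted in the thread (a program started by the installer runs under the installer's account) can be checked against a process listing by walking each foreign-owned process back to the point where ownership left the logged-on user. This is an added example, not part of the original messages: the snapshot, account names, PIDs and start times are constructed, and it assumes the installer started via "Run as" records the user's shell as its parent.

```python
from typing import NamedTuple

class Proc(NamedTuple):
    pid: int
    ppid: int      # creator's PID as recorded at creation; may be stale
    image: str
    owner: str
    started: int   # creation time, seconds since boot

# Constructed snapshot modelling the thread's scenario (all values are made up).
# Assumption: the installer started via "Run as" records the user's shell as parent.
USER, ADMIN, SYSTEM = "BOX\\user", "BOX\\Administrator", "NT AUTHORITY\\SYSTEM"
SNAPSHOT = [
    Proc(4, 0, "System", SYSTEM, 0),
    Proc(600, 4, "winlogon.exe", SYSTEM, 5),
    Proc(1200, 600, "explorer.exe", USER, 60),
    Proc(1500, 1200, "notepad.exe", USER, 300),
    Proc(2000, 1200, "setup.exe", ADMIN, 400),
    Proc(2100, 2000, "wmplayer.exe", ADMIN, 450),
    Proc(2300, 9999, "helper.exe", ADMIN, 420),   # parent has exited
    Proc(2400, 1500, "updater.exe", ADMIN, 50),   # PPID reused by notepad.exe
]

def owner_crossings(snapshot, session_user):
    """Return (flagged, unresolved).

    flagged: pid -> the ancestor (or the process itself) at which ownership
             left session_user, i.e. where the foreign token entered the tree.
    unresolved: foreign-owned pids whose ancestry cannot be trusted.
    """
    by_pid = {p.pid: p for p in snapshot}
    flagged, unresolved = {}, []
    for proc in snapshot:
        if proc.owner == session_user:
            continue
        child, seen = proc, {proc.pid}
        while child.ppid != 0:
            parent = by_pid.get(child.ppid)
            # Exited parent, reused PID (parent younger than child), or loop.
            if parent is None or parent.started > child.started or parent.pid in seen:
                unresolved.append(proc.pid)
                break
            if parent.owner == session_user:
                flagged[proc.pid] = child
                break
            seen.add(parent.pid)
            child = parent
    return flagged, unresolved
```

In this snapshot wmplayer.exe resolves to setup.exe as the point where the Administrator token entered the user's process tree, while services that descend only from SYSTEM processes are not reported.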