RE: Hacked NT/2K box

From: Pidgorny, Slav (pidgorns@anz.com)
Date: 07/25/01


Message-ID: <CDEBAB5BBFE0024AABEAF438FB2A4D070B401F@exgau100qsm00.oceania.corp.anz.com>
From: "Pidgorny, Slav" <pidgorns@anz.com>
To: 'Ryan Permeh' <ryan@eEye.com>, 'H C' <keydet89@yahoo.com>, lynch00@msn.com, focus-ms@securityfocus.com
Subject: RE: Hacked NT/2K box
Date: Wed, 25 Jul 2001 16:52:17 +1000

Yes. But consider one real-world situation: my ASP files have no access
assigned for LocalSystem (and execute only for the IUSR). It will be a
tricky process to deface the site?

Kindest,

Svyatoslav Pidgorny

> -----Original Message-----
> From: Ryan Permeh [mailto:ryan@eEye.com]
> Sent: 25 July 2001 04:06
> To: Pidgorny, Slav; 'H C'; lynch00@msn.com; focus-ms@securityfocus.com
> Subject: Re: Hacked NT/2K box
>
>
> system level access is enough for everything. it is the highest usermode
> privilege level available in nt/2k. you can load drivers (giving you ring0,
> even above system).
>
> SYSTEM > Administrators
...
> Ryan Permeh
> eEye Digital Security Team
> http://www.eEye.com/Retina -Network Security Scanner
> http://www.eEye.com/Iris -Network Traffic Analyzer

> ----- Original Message -----
> From: "Pidgorny, Slav" <pidgorns@anz.com>
> > A good deal of additional effort is required to either escalate privileges
> > or disable system security checks if having only system level access.
...