Privilege escalation attack

From: Eric Howard <dlydl7502@sneakemail.com>
To: focus-ms@securityfocus.com
Date: 28 Oct 2002 15:07:40 -0000


This is probably not news for many, but I thought I would throw it out for
discussion. Microsoft, in my opinion, has committed a grave mistake in
the NTFS permission scheme for the WINNT directory. ANY user may create a
file in this directory, even AFTER the C2 security rollups are applied.

Why is this an issue? Well, I tend to work a lot on the command-line, as
do many other people when trouble-shooting systems. WINNT is by default
in the PATH of every user on the system.

Scenario:

I (who am logged in as Administrator) am having a network connectivity
problem. I drop to a command-line prompt and type 'nbstat', that's
right, 'nbstat', which is a typo. A batch file in the WINNT directory
created by a user with normal access privileges, called 'nbstat.bat',
executes. It dutifully reports "'nbstat' is not recognized as an
operable program or batch file." and executes whatever code it wants with
Administrator privileges. The fake error message pretty much guarantees I
won't notice this.

Far-fetched? Ask yourself if you have ever made a typo at the command
line. Microsoft has made a GRAVE ERROR by allowing a system directory to
be world-writeable. People need to be aware of this problem and some
action needs to be taken so this can be fixed.

-- Eric --
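The risk in the post comes from two things combining: cmd.exe walks PATH in order and tries each PATHEXT extension per directory, and one of the early directories is writable by every user. The following Python is an added example, not code from the post, that models that lookup order and audits a PATH for writable entries so an administrator can see which directories could shadow later ones. The PATH, file listing and ACL summary are constructed to match the scenario described above; the writable check is injected so the same logic can be fed from real ACL data.

```python
"""
Model cmd.exe command resolution and audit PATH for writable directories.
Added example, not part of the original post. SAMPLE_* values below are
constructed to mirror the nbstat/nbtstat scenario.
"""
from typing import Callable, Iterable, List, Optional, Tuple

# cmd.exe tries the current directory first, then each PATH entry in order;
# within a directory it tries every PATHEXT extension in order.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]


def resolve_command(name: str, path_entries: List[str],
                    exists: Callable[[str], bool],
                    pathext: Iterable[str] = DEFAULT_PATHEXT,
                    cwd: str = ".") -> Optional[str]:
    """Return the file a cmd.exe-style lookup would run for `name`, or None.

    `exists` is injected so the function can be exercised against a
    constructed file listing instead of the real disk.
    """
    for directory in [cwd] + list(path_entries):
        for ext in pathext:
            # NTFS names are case-insensitive; the injected `exists` is
            # expected to compare case-insensitively as well.
            candidate = directory.rstrip("\\") + "\\" + name + ext.lower()
            if exists(candidate):
                return candidate
    return None


def audit_path(path_entries: List[str],
               is_writable: Callable[[str], bool]) -> List[Tuple[int, str]]:
    """Return (search position, directory) for every PATH entry a
    low-privileged user can write to. Any hit means a file planted there
    shadows every later directory for any name not found earlier."""
    return [(i, d) for i, d in enumerate(path_entries) if is_writable(d)]


def shadow_risk(name: str, path_entries: List[str],
                exists: Callable[[str], bool],
                is_writable: Callable[[str], bool]) -> dict:
    """Resolve `name` and report whether the winning file lives in a
    directory that unprivileged users can write to."""
    resolved = resolve_command(name, path_entries, exists)
    if resolved is None:
        return {"resolved": None, "from_writable_dir": False}
    parent = resolved.rsplit("\\", 1)[0]
    return {"resolved": resolved, "from_writable_dir": is_writable(parent)}


# --- Constructed sample data (hypothetical, mirrors the post's scenario) ---
SAMPLE_PATH = [r"C:\WINNT", r"C:\WINNT\system32", r"C:\Program Files\Tools"]
SAMPLE_FILES = {
    r"c:\winnt\system32\nbtstat.exe",   # the real tool
    r"c:\winnt\nbstat.bat",             # a stray batch file matching a typo
}
SAMPLE_WRITABLE = {r"C:\WINNT"}         # constructed ACL summary: Everyone can write


def sample_exists(path: str) -> bool:
    return path.lower() in SAMPLE_FILES


def sample_writable(directory: str) -> bool:
    return directory in SAMPLE_WRITABLE


if __name__ == "__main__":
    print("writable PATH entries:", audit_path(SAMPLE_PATH, sample_writable))
    for cmd in ("nbtstat", "nbstat"):
        print(cmd, "->", shadow_risk(cmd, SAMPLE_PATH, sample_exists, sample_writable))
```

On a real host, feed `is_writable` from an ACL-aware source (for example, parsing `icacls` or `Get-Acl` output for write/modify grants to Users or Everyone) rather than `os.access`, which on Windows only reflects the read-only attribute and not NTFS ACLs. The mitigation the audit points at is the one the post asks for: no directory on a privileged account's PATH should be writable by standard users.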