Re: Priviledge escalation attack
From: Knud Erik Højgaard (knud@skodliv.dk)
Date: 10/28/02
From: Knud Erik Højgaard <knud@skodliv.dk>
To: <focus-ms@securityfocus.com>
Date: Mon, 28 Oct 2002 18:37:10 +0100

> From: "Eric Howard" dlydl7502@sneakemail.com
[snip]
> Scenario:
>
> I (who am logged in as Administrator) am having a network connectivity
> problem. I drop to a command line prompt and type 'nbstat', that's
> right, 'nbstat', which is a typo. A batch file in the WINNT directory
> created by a user with normal access privileges called 'nbstat.bat'
> executes. It dutifully reports "'nbstat' is not recognized as an
> operable program or batch file." and executes whatever code it wants with
> Administrator privileges. The fake error message pretty much guarantees I
> won't notice this.
>
> Far fetched? Ask yourself if you have ever made a typo at the Command
> line? Microsoft has made a GRAVE ERROR by allowing a system directory to
> be world writeable. People need to be aware of this problem and some
> action needs to be taken so this can be fixed.
Naming a file cmd.exe and placing it in the root of %SYSTEMDRIVE% will
happily run this instead of the one in %SYSTEMROOT% if 'cmd' is invoked from
the start/run box, regardless of my systemdrive (E:) being later in the path
than my systemroot. I believe this is old news...
-- Knud Erik Højgaard
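
An added example, not part of the original thread: a Python audit a defender could run as an ordinary (non-administrator) account to list command-search directories that account can write to, and files in them that duplicate or nearly match the name of a command in a protected directory (the cmd.exe and 'nbstat' cases above). The function names, the 0.8 similarity cutoff and the default extension list are assumptions of this sketch.

```python
import difflib
import os
import tempfile

PATHEXT = (".com", ".exe", ".bat", ".cmd")  # assumed; a real run would read %PATHEXT%


def can_write(directory):
    """True if the account running the audit can create a file in this directory."""
    try:
        with tempfile.TemporaryFile(dir=directory):
            return True
    except OSError:
        return False


def audit_search_dirs(dirs, writable=can_write, pathext=PATHEXT):
    """Return (writable_dirs, findings) for the directories commands are run from."""
    trusted, suspects, writable_dirs = {}, [], []
    for d in dirs:
        is_writable = writable(d)
        if is_writable:
            writable_dirs.append(d)
        try:
            entries = sorted(os.listdir(d))
        except OSError:
            continue  # missing or unreadable directory
        for entry in entries:
            name, ext = os.path.splitext(entry.lower())
            if ext not in pathext:
                continue
            path = os.path.join(d, entry)
            if is_writable:
                suspects.append((name, path))  # anyone with write access could have put it there
            else:
                trusted.setdefault(name, path)
    findings = []
    for name, path in suspects:
        if name in trusted:
            # Same command name as a protected binary (the cmd.exe case); reported
            # whatever the search order, since the reply says a later PATH position did not help.
            findings.append(("duplicate", path, trusted[name]))
            continue
        # Near miss of a protected command name (the 'nbstat' typo case).
        for near in difflib.get_close_matches(name, list(trusted), n=1, cutoff=0.8):
            findings.append(("lookalike", path, trusted[near]))
    return writable_dirs, findings


if __name__ == "__main__":
    print(audit_search_dirs([d for d in os.environ.get("PATH", "").split(os.pathsep) if d]))
```

Any directory returned in writable_dirs is a finding in itself; the duplicate and lookalike entries only rank which files in it to inspect first.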