RE: WINNT security privilege escalation attack

From: Brett Moore (brett@softwarecreations.co.nz)
Date: 10/29/02


From: "Brett Moore" <brett@softwarecreations.co.nz>
To: <focus-ms@securityfocus.com>
Date: Wed, 30 Oct 2002 10:26:53 +1300

On a side note,

if a user has read (i.e. they can do a dir) but not execute (i.e. they can't
run an executable), they can still gain access to the executable.

I tested this when trying to use debug as a way to compromise IIS servers.
Set permissions read/not execute on debug.exe in the winnt/system32 folder.

A normal copy command also copies permissions, so that is good (not good
:-) ),
BUT
a quick 16-bit asm program can open the existing file for read, open a new
file for write, and byte by byte copy from the protected debug to the new
file. This new file, created with full user permissions, is now an executable
copy of the protected file.

Brett

> -----Original Message-----
> From: Jason Lopes [mailto:Jason@rga.com]
> Sent: Wednesday, 30 October 2002 05:59
> To: focus-ms@securityfocus.com
> Subject: RE: WINNT security privilege escalation attack
>
>
> I believe that if you format the drive during OS installation the default
> is:
>
> Quote --
> WINNT is writeable by Power Users and
> Administrators, while normal users have only read and execute access.
> Similarly, on a Win2K server I just checked out, Server Operators and
> Administrators have write access, but again normal users can only read and
> execute.
> End Quote --
>
> but if you install the OS as a FAT partition and convert it, I believe
> Everyone gets full control across the board.
>
> Jason Lopes Systems Administrator (MCSE, MCP + I)
> Phone 212-946-4192 Fax 212-946-4010 jason@rga.com
> R/GA 350 West 39th Street New York, NY 10018 www.rga.com
>
>
> -----Original Message-----
> From: Paul Knibbs [mailto:pknibbs@3t.co.uk]
> Sent: Tuesday, October 29, 2002 3:29 AM
> To: focus-ms@securityfocus.com
> Subject: WINNT security privilege escalation attack
>
>
> Eric Howard said:
>
> >>Microsoft, in my opinion, has committed a grave mistake in
> the NTFS permission scheme for the WINNT directory. ANY user may create
> file in this directory, even AFTER the C2 security rollups are applied.<<
>
> I'm not sure what OS he's talking about, but I can attest that these are NOT
> the default permissions set on either Windows XP Professional or Windows
> 2000 Server. On my XP Pro machine WINNT is writeable by Power Users and
> Administrators, while normal users have only read and execute access.
> Similarly, on a Win2K server I just checked out, Server Operators and
> Administrators have write access, but again normal users can only read and
> execute.
>
> Paul Knibbs
> Systems Administrator
> 3T Productions Ltd
> T: 0161 492 1400 F: 0161 492 1401
> www.3t.co.uk
>

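A defender-side check suggested by Brett's observation, added here as an example and not part of the original thread: because Read access is enough to copy a file's bytes into a new, runnable file, an ACL that grants Read but withholds Execute is not a real control. The script below walks the executables in a directory and reports non-trusted principals that hold ReadData without ExecuteFile. The default directory and the list of trusted principals are assumptions; adjust them for your host.

```powershell
# Added example (not from the thread). Flags .exe files where a principal
# has ReadData but not ExecuteFile: such a "no execute" ACE is ineffective,
# since the bytes can be read and written out as a new executable.
# $Dir and $Trusted are assumed defaults; change them for your environment.
param(
    [string]$Dir = "$env:SystemRoot\System32",
    [string[]]$Trusted = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'NT SERVICE\TrustedInstaller'
    )
)

$ReadData    = [System.Security.AccessControl.FileSystemRights]::ReadData
$ExecuteFile = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

Get-ChildItem -LiteralPath $Dir -Filter *.exe -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $acl  = Get-Acl -LiteralPath $file.FullName
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant anything; Deny entries are not the gap here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Principals expected to have full rights are not interesting.
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }

        $rights  = $ace.FileSystemRights
        $canRead = (($rights -band $ReadData)    -eq $ReadData)
        $canExec = (($rights -band $ExecuteFile) -eq $ExecuteFile)

        # Read without Execute: contents can be copied and run as a new file.
        if ($canRead -and -not $canExec) {
            [pscustomobject]@{
                File      = $file.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Finding   = 'Read granted without Execute; copyable to a new executable'
            }
        }
    }
}
```

If the intent is that a group must not run a tool such as debug.exe, the finding means Read must be withheld from that group as well (or the tool removed), not merely Execute.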