RE: Privilege escalation attack

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 10/31/02


From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "'Eric Howard'" <dlydl7502@sneakemail.com>, <focus-ms@securityfocus.com>
Date: Thu, 31 Oct 2002 14:36:13 -0500

You're missing one thing with your scenario: that batch file will run in
the context of the logged-on user. Unless the logged-on user has
Administrative rights, or unless the batch file executes a runas (which
would mean that the user could view the credentials used for this),
there is no privileged execution. Simply dropping a file into system
directories does not grant it administrative access.

Laura

> -----Original Message-----
> From: Eric Howard [mailto:dlydl7502@sneakemail.com]
> Sent: Monday, October 28, 2002 10:08 AM
> To: focus-ms@securityfocus.com
> Subject: Privilege escalation attack
>
> This is probably not news for many, but I thought I would throw it out for
> discussion. Microsoft, in my opinion, has committed a grave mistake in the
> NTFS permission scheme for the WINNT directory. ANY user may create a file
> in this directory, even AFTER the C2 security rollups are applied.
>
> Why is this an issue? Well, I tend to work a lot on the command line, as do
> many other people when trouble-shooting systems. WINNT is by default in the
> PATH of every user on the system.
>
> Scenario:
>
> I (who am logged in as Administrator) am having a network connectivity
> problem. I drop to a command line prompt and type 'nbstat', that's right
> 'nbstat', which is a typo. A batch file in the WINNT directory created by a
> user with normal access privileges called 'nbstat.bat' executes. It
> dutifully reports "'nbstat' is not recognized as an operable program or
> batch file." and executes whatever code it wants with Administrator
> privileges. The fake error message pretty much guarantees I won't notice
> this.
>
> Far fetched? Ask yourself if you have ever made a typo at the command line.
> Microsoft has made a GRAVE ERROR by allowing a system directory to be world
> writeable. People need to be aware of this problem and some action needs to
> be taken so this can be fixed.
>
> -- Eric --
>
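The thread turns on one question an administrator can actually check: which directories on the PATH can be written to by ordinary (non-administrative) users? The following PowerShell audit is an added example, not code from either poster. It walks $env:Path in search order, reads each directory's ACL, and reports any directory where an Allow entry grants file-creation or modify rights to a broad principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE). The group display names are the English ones and are an assumption to adjust on localized systems; the function and variable names are my own.

```powershell
# Added example: audit PATH directories for write access granted to broad,
# non-administrative principals. Such a directory, if it is on PATH, is where
# a stray file can be picked up by command-name resolution, which is the
# condition the original post describes for WINNT. Names below are assumptions
# for English-language Windows; localized systems use different display names.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal create or change files inside a directory.
# (CreateFiles and AppendData are the directory-level "create file/subdir" bits;
# Write, Modify and FullControl each include them.)
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BroadWriteAces {
    # Return the Allow ACEs on $Path (inherited ones included) that give a
    # broad principal any of the write-type rights above.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($BroadPrincipals -contains $_.IdentityReference.Value) -and
        ((([int]$_.FileSystemRights) -band ([int]$WriteMask)) -ne 0)
    }
}

function Test-PathDirectories {
    # One row per PATH entry, in search order, flagging directories that a
    # standard user could drop a file into.
    $index = 0
    foreach ($dir in ($env:Path -split ';' | Where-Object { $_.Trim() -ne '' })) {
        $index++
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{ Order = $index; Directory = $dir; Status = 'missing'; WritableBy = '' }
            continue
        }
        try {
            $aces = @(Get-BroadWriteAces -Path $dir)
        } catch {
            [pscustomobject]@{ Order = $index; Directory = $dir; Status = 'acl-unreadable'; WritableBy = '' }
            continue
        }
        [pscustomobject]@{
            Order      = $index
            Directory  = $dir
            Status     = if ($aces.Count -gt 0) { 'WRITABLE-BY-NON-ADMINS' } else { 'ok' }
            WritableBy = ($aces | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
        }
    }
}

Test-PathDirectories | Format-Table -AutoSize
```

Run it in the account whose PATH you care about (PATH is per-user plus the machine-wide part, so an administrator's shell may see entries a standard user's does not). Two caveats: ACEs expressed with generic rights show up as large numeric values rather than named FileSystemRights flags and are not matched by the mask, and membership of the logged-on user in a broad group is what decides exposure, so a directory flagged "WRITABLE-BY-NON-ADMINS" is a finding to fix with an explicit ACL, not proof of compromise. Laura's point still holds either way: a planted file only gains the rights of whoever runs it, which is why the fix is restricting who can write to directories that privileged users search.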


