RE: Priviledge escalation attack

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 10/31/02


From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "'Eric Howard'" <dlydl7502@sneakemail.com>, <focus-ms@securityfocus.com>
Date: Thu, 31 Oct 2002 14:36:13 -0500

You're missing one thing with your scenario- that batch file will run in
the context of the logged-on user. Unless the logged-on user has
Administrative rights, or unless the batch file executes a runas (which
would mean that the user could view the credentials used for this),
there is no privileged execution. Simply dropping a file into system
directories does not grant it administrative access.

Laura

> -----Original Message-----
> From: Eric Howard [mailto:dlydl7502@sneakemail.com]
> Sent: Monday, October 28, 2002 10:08 AM
> To: focus-ms@securityfocus.com
> Subject: Priviledge escalation attack
>
>
>
>
> This is probably not news for many, but I thought I would
> throw it out for
> discussion. Microsoft, in my opinion, has committed a grave
> mistake in
> the NTFS permission scheme for the WINNT directory. ANY user
> may create
> file in this directory, even AFTER the C2 security rollups
> are applied.
>
> Why is this an issue? Well, I tend to work a lot on the
> command-line, as
> do many other people when trouble-shooting systems. WINNT is
> by default
> in the PATH of every user on the system.
>
> Scenario:
>
> I (who am logged in as Administrator) am having a network
> connectivity
> problem. I drop to a command line prompt and type 'nbstat', that
> right 'nbstat', which is a typo. A batch file in the WINNT directory
> created by user with normal access privileges called 'nbstat.bat'
> executes. It dutifully reports "'nbstat' is not recognized
> as an operable program or batch file." and executes whatever
> code it wants with
> Administrator privileges. The fake error message pretty much
> guarantees I
> won't notice this.
>
> Far fetched? Ask yourself if you have ever made a typo at
> the Command
> line? Microsoft has made a GRAVE ERROR by allowing a system
> directory to
> be world writeable. People need to be aware of this problem and some
> action needs to be taken so this can be fixed.
>
> -- Eric --
>



Relevant Pages

  • Re: Internet Explorer and index.dats
    ... I use a batch file that runs at boot. ... > So if my user account is reflected in the administrators account, ... >> the internal "Administrator" account. ... >> since if you delete the Temporary Internet Files via the Windows ...
    (microsoft.public.windowsxp.customize)
  • Re: please help.--3rd post. 2nd one lost in cyberspace--at least i cannot see it.
    ... i have downloaded and installed oracle. ... profile can run sql plus. ... if she boots and logs into her profile, she cannot run sql as the batch file ... > First, logged in as yourself or Administrator, go to Start-All ...
    (microsoft.public.windowsxp.general)
  • Re: How to launch program only for certain group>
    ... If you start your program with 'start /w myprogram' it will not end the batch file until the program exits. ... @REM Launch MyProgram except if Administrator ... I then designate this batch file run by using the Group Policy Editor on the TS Server: ...
    (microsoft.public.windows.terminal_services)
  • Re: Windows 7 Question
    ... that laptop and am the administrator. ... But now I cannot modify that file. ... I get an access denied error. ... You can now use it to launch a Console session, then use notepad.exe to modify and save the batch file. ...
    (microsoft.public.windows.file_system)
  • Re: SEPKILL /im SMC.EXE /f
    ... ::Save the following as a batch file and execute it. ... can't reproduce on my test systems or requires administrator privileges ...
    (Bugtraq)