RE: Question regarding su.exe
From: exon (exon_at_home.se)
Date: 06/17/03
- Previous message: Marc Fossi: "Administrivia: OOO Messages"
- In reply to: Kevin Saenz: "RE: Question regarding su.exe"
- Next in thread: travis.abrams_at_hklaw.com: "RE: Question regarding su.exe"
Date: Tue, 17 Jun 2003 11:49:22 +0200 (CEST)
To: focus-ms@securityfocus.com
That doesn't really matter. The overflow hazard will still be there,
allowing execution of code with elevated privileges. This, however, only
applies to programs that are flawed (many MS products are) in such a way
that somewhere in them there is erroneous pointer handling, allowing user
input that is larger than the memory assigned to store it.
This can easily be checked for and corrected if you have the
sources to the programs you're installing.
In simplified terms: a program that can be crashed can be used to gain
privileges.
/Andy
On 15 Jun 2003, Kevin Saenz wrote:
> Windows 2000 has the facility of allowing you to use the option of
> Run As. Also, what you can do in the rollout stage of Windows 2000
> is nominate applications that require privileged access,
> as a result not needing su.exe.
>
>
> > Is this an NT4 environment?
> >
> > Laura
> >
> > > -----Original Message-----
> > > From: Ben Collins [mailto:BenCollins@gateshead.gov.uk]
> > > Sent: Thursday, June 12, 2003 6:23 AM
> > > To: 'focus-ms@securityfocus.com'
> > > Subject: Question regarding su.exe
> > >
> > >
> > > Hello,
> > >
> > > We have an external software supplier who has recently
> > > updated their product. Unfortunately the only way the
> > > application will now work correctly is if the user has
> > > Administrative rights. As an organisation we are reluctant to
> > > give these rights to our users. The suppliers have suggested
> > > that we use su.exe.
> > >
> > > Is the usage of su.exe susceptible to the same kinds of
> > > problems as running a UNIX application suid? Specifically, if
> > > the application breaks, will the user be left with elevated
> > > privileges?
> > >
> > > Thanks,
> > >
> > > Ben Collins
> >
> >
> --
> Regards,
>
> Kevin Saenz
>
> Spinaweb
> Your one stop shop for I.T solutions.
>
> Ph: 02 4620 5130
> Fax: 02 4625 9243
> Mobile: 0418455661
> Web: http://www.spinaweb.com.au