Re: priviledge escalation techniques

miguel.dilaj_at_pharma.novartis.com
Date: 01/17/05

  • Next message: miguel.dilaj_at_pharma.novartis.com: "Re: priviledge escalation techniques" 
    To: pen-test@securityfocus.com
Date: Mon, 17 Jan 2005 21:54:24 +0000

    Hi jnf!

    Good question, I used a tool to write to NTFS volumes, as mentioned in
    point (1) of my post. This was probably not clear in my original post,
    sorry.
    And answering another good question you made off-list:

    >What is the point then?
    >If you can write to anything on the fs, why not just skip the middle mand
    >and write a new sam file or just add a new program to run on boot in the
    >registry/etc. what do you gain by adding extra steps?

    Your options are perfectly valid, but much more detectable (IMHO).
    With the option of changing sethc.exe you are not running anything extra,
    you are not modifying the SAM (that can count as evidence against you in
    case of problems), and you don't even need to crack passwords.
    It's just a CLI as SYSTEM on request ;-)
    But as you pointed, the possibilities are endless.
    Cheers,

    Miguel Dilaj (Nekromancer)
    Vice-President of IT Security Research, OISSG
    We need YOU at www.oissg.org!

    lists <lists@innocence-lost.net>
    17/01/2005 19:19

     
            To: Miguel Dilaj/PH/Novartis@PH
            cc: pen-test@securityfocus.com
            Subject: Re: priviledge escalation techniques

    > 3) the one I've chosen, similar to (1) above. I've XP with the
    > Accessibility Tools installed by default. They monitor some keys, and if
    > for example you press SHIFT 5 times a popup appears where you can
    activate
    > and configure the accessibility tools. The program responsible for that
    is
    > sethc.exe, and the guys at Micro$oft comit the cardinal mistake of not
    > making IT check if SHIFT was pressed 5 times, but to include that in
    some
    > other part of the OS (kernel? ;-)
    > So if you press SHIFT 5 times, sethc.exe is executed, but doesn't matter
    > WHAT IS sethc.exe
    > You guess that, I replaced sethc.exe by a copy of cmd.exe
    > If I press that BEFORE login, a CLI as SYSTEM is started, I can launch
    > compmgmt.msc and add myself to the local administrators group (please
    note
    > that if you start it AFTER login, a CLI is started as your user).

    How do you suppose one gets write access to sethc.exe without admin privs
    in the first place? I cannot overwrite my sethc.exe, nor can I change the
    system Path variables, and it gets prepended to my path before user
    variables do- are you sure you didn't test this while logged in as an
    admin?

    jnf

  • Next message: miguel.dilaj_at_pharma.novartis.com: "Re: priviledge escalation techniques"