Re: priviledge escalation techniques

From: Thor (thor_at_hammerofgod.com)
Date: 01/23/05

  • Next message: Eyal Udassin: "RE: priviledge escalation techniques"
    To: <pen-test@securityfocus.com>
    Date: Sat, 22 Jan 2005 15:24:41 -0800
    
    

    This is inaccurate. SYSTEM credentials for executables in the Run key would
    require administrative permissions at install. That is, for any current
    version of Windows.

    Every single executable (XP Pro SP2) in my RUN hive runs under the
    credentials of my user account which is, of course, a normal user.

    T

    ----- Original Message -----
    From: "Eyal Udassin" <eyal@swiftcoders.com>
    To: "'Roy Stapleton'" <roy@stapleton.biz>; <pen-test@securityfocus.com>
    Sent: Saturday, January 22, 2005 12:20 AM
    Subject: RE: priviledge escalation techniques

    Hi,

    The easiest way to perform privilege escalation on windows, whatever
    version, is to list the executables in the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry
    key. All of these executables are run under SYSTEM.

    Once you get hold of that list, see if you have write permissions to replace
    the original executable with your own. Don't forget to execute the original
    from your code, or otherwise you may cause the system to become unstable.

    I had a client which had such a key pointing to an old printer installation
    utility which no longer existed, in an unprotected directory outside of
    "program files". That was the beginning of the end of the pentest :-)

    If all the files can't be overridden, try to boot with command line only and
    replace them. Another approach is to remove the hard drive and perform the
    switch on another computer, with the victim HD as a secondary drive.

    Eyal Udassin - Swift Coders
    POB 1596 Ramat Hasharon, 47114
    972+547-684989
    eyal@swiftcoders.com - www.swiftcoders.com

    -----Original Message-----
    From: Roy Stapleton [mailto:roy@stapleton.biz]
    Sent: Friday, January 21, 2005 2:47 AM
    To: pen-test@securityfocus.com
    Subject: RE: priviledge escalation techniques

    I have tried the sethc.exe one, the 'at' command scheduler technique and the
    'c:\program' technique.

    The OS I used was windows XP pro sp2. I logged in as a domain user with no
    added rights, i.e. only local user access to the machine.

    There is no write access in the c:\ or c:\windows\system32 folder, so the
    sethc.exe technique fell at this hurdle, default rights on these folders are
    users: read & execute and list (this folder, subfolders and files), create
    folders (this folder and subfolders), create files (subfolders only).

    For the same reasons, the c:\program exploit failed as well.

    The domain user does not have the privilege to create schedules with the at
    command, so this failed as well.

    The problem seen below does exist on XP. It may be (pardon the fuzziness
    here) to do with caching load images of executable files and prefetch
    stores. If you look in the C:\WINDOWS\Prefetch directory you will see all
    the recently loaded executable files stored in a prefetch format.

    This may be why the original loaded when BSK tried the sethc.exe technique
    in BSK's email.

    For the below, I checked these on a machine I had local admin access on.

    XP also watches files in the system32 directory. If you browse there and
    rename the sethc.exe to something else and then refresh the screen, you will
    see XP restore the sethc.exe file after a few seconds.

    If you open a dos prompt and (make a backup of the sethc.exe file warning
    here) copy cmd.exe to sethc.exe, answering that yes, you do want to
    overwrite the original, you will see the new sethc.exe in an explorer window
    with a cmd.exe icon. Now, if you delete that, windows will restore
    sethc.exe but with a cmd.exe icon (note the file sizes). When done this
    way, pressing shift 5 times will indeed open a cmd prompt.

    This subject does interest me greatly, if you know of any techniques that
    will escalate privileges on an XP machine I would like to know them.

    Thanks

    Roy

    -----Original Message-----
    From: BSK [mailto:bishan4u@yahoo.co.uk]
    Sent: 20 January 2005 11:13
    To: miguel.dilaj@pharma.novartis.com; pen-test@securityfocus.com
    Subject: Re: priviledge escalation techniques

    > That's really strange. It works in WinXP.
    > Perhaps there was a change in functionality (for
    > bad!) from Win2K to XP?
    > The only possibility I can imagine is either:
    > a) something blocks launching interactive programs
    > before logon in 2K, but
    > not in XP
    > b) 2K is checking that sethc.exe is valid before
    > launching it, and XP is
    > not doing that check (I don't really think that this
    > is the case, but...)
    >
    > Do you have any XP box to test?? I'll try to get
    > hold of a 2K as well.

    I couldn't try on a XP box, but tried on a windows
    2000 server. It behaves very differently here, after
    the replacement of sethc.exe with cmd.exe:
    1. before logging in, pressing 'shift' 5 times,
    invokes sethc.exe but the original one, which in fact
    doesn't exist in system32 directory, atleast with same
    name. I think windows regenerated that file but with
    some other name.
    2. if I press 'shift' 5 times after logging in,
    nothing appears, neither original sethc.exe nor the
    replaced sethc.exe

    Any clues?

    ___________________________________________________________
    ALL-NEW Yahoo! Messenger - all new features - even more fun!
    http://uk.messenger.yahoo.com


  • Next message: Eyal Udassin: "RE: priviledge escalation techniques"

    Relevant Pages

    • RE: priviledge escalation techniques
      ... executables already listed there. ... Subject: priviledge escalation techniques ... The easiest way to perform privilege escalation on windows, ... read & execute and list (this folder, subfolders and files), create ...
      (Pen-Test)
    • Re: no Help in Windows XP
      ... in the C:\WINDOWS\ServicePackFiles\i386 folder. ... When I right click on it and left click on Install I get a dialogue box the says "The file dataspec.xmf on Windows XP Pro SP3 is needed. ... The path to many executables are recorded in the registry. ... I know of the following registry key: ...
      (microsoft.public.windowsxp.basics)
    • Re: priviledge escalation techniques
      ... On my system, most of my startup executables are in my HKLM hive, not ... Subject: priviledge escalation techniques ... The easiest way to perform privilege escalation on windows, ... > a) something blocks launching interactive programs ...
      (Pen-Test)
    • Default path for application and LoadLibrary
      ... so maybe it is not about MFC but about windows ... executables at all. ... libraries. ... but someway always look to the folder where my exe is placed. ...
      (microsoft.public.vc.mfc)
    • RE: priviledge escalation techniques
      ... executables listed definitely run under system privileges or with the ... [Insert your favourite comment about editing the registry here, ... Subject: priviledge escalation techniques ... The easiest way to perform privilege escalation on windows, ...
      (Pen-Test)