Re: priviledge escalation techniques

From: Nicolas RUFF (lists) (ruff.lists_at_edelweb.fr)
Date: 01/27/05

  • Next message: Maria Da Re: "MS RAS (pptp + MSCHAPv1)" 
    Date: Thu, 27 Jan 2005 08:47:17 +0100
To: pen-test@securityfocus.com

    > This begs the question, does the user have the privilege to stop and
    > start services? And can the user change the contents of these
    > environmental variables?

    1/ Services are like any Windows object, they are protected by
    DACL/SACL. You can list user rights on services using many tools, such
    as the SC command from Windows Resource Kit:

    C:\>sc sdshow alerter
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
    RC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

    [ This is SDDL language, have a look on Google or MSDN if you want to
    know more ]

    There has been a thread recently on the subject of services ACL:
    http://sainstitute.org/archive/1/378514/2004-10-13/2004-10-19/0

    And yes, users have the right to start/stop “some” services. I cannot
    remember the full list right now, but it is around 10 services.

    2/ Did someone mention that the default screen saver will run as SYSTEM
    when no one is logged on? This technique still requires "off line"
    access to the NTFS file system, though.

    3/ I think the conclusion of this thread is that Windows is quite a
    secure OS; you need a "real" exploit to increase your user rights.

    However there has always been many more local exploits than remote.
    Remember POSIX and OS/2 subsystems exploitation, Debugging Subsystem
    exploitation (DebPloit), 16-bit subsystem exploitation (NTVDM),
    predictable named pipes impersonation, and the quite new Shatter Attacks
    that hold endless possibilities...

    My favorite is:
    F1/Jump to URL.../CMD.EXE
    targeting a window running under the SYSTEM context. It works well
    against antivirus, personal firewalls and the like.

    http://lists.virus.org/bugtraq-0310/msg00230.html

    Regards,
    - Nicolas RUFF
    -----------------------------------
    Security Consultant
    EdelWeb (http://www.edelweb.fr/)
    Mail: nicolas.ruff (at) edelweb.fr
    -----------------------------------

  • Next message: Maria Da Re: "MS RAS (pptp + MSCHAPv1)"

    Relevant Pages

    • Re: Creating a Custom Users Group in Windows XP Professional
      ... In GPEDIT, you should be able to go to Computer Configuration, Windows Settings, Security Settings, Local Policies, User rights assignments and modify the Load and unload device driver setting to allow Power Users, or your custom group to this policy. ... The biggest issue with a custom group is ensuring that you give them access to everything they need access to. ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Interactivity Logon not permitted
      ... Somehow you botched up the logon locally or deny logon locally user rights ... Management from your XP computer to view the security logs on the Windows ... > Renamed Administrator Account ...
      (microsoft.public.win2000.security)
    • Re: Group Policy in xp
      ... If the MUI articles here are not relevant, I'd check the User Rights ... Assignment parts of your policies and remove any 's that you see ... Windows Platform Support Team ... >>their systems this is working in windows 2000 clients but in windows xp ...
      (microsoft.public.win2000.group_policy)
    • Re: Networking issues - "Logon failure"
      ... I have run the Network Setup Wizard and I ... The problem is with user rights assignments on the desktop computer. ... The Guest account settings in Control Panel | User Accounts have ... If the desktop computer runs Windows XP Professional: ...
      (microsoft.public.windowsxp.network_web)
    • Re: Cannot open .doc files but can open .pdf files
      ... Internet Guest Account and a check mark for allow IIS to ... Windows authentication. ... >User rights: Administrator ... >Network password box: No ...
      (microsoft.public.inetserver.iis)