Windows XP 'logon screen' runs as system account
From: Menso Heus (menso@r4k.net)Date: 12/22/01
- Previous message: Michal Zalewski: "Re: yet another fake exploit making rounds"
- Next in thread: Ryan Permeh: "Re: Windows XP 'logon screen' runs as system account"
- Reply: Ryan Permeh: "Re: Windows XP 'logon screen' runs as system account"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 22 Dec 2001 03:06:13 +0100 From: Menso Heus <menso@r4k.net> To: vuln-dev@securityfocus.com
Hi,
Recently I discovered that the process that shows the windows xp logon
screen (logonui.exe in your \winnt\system32\ folder) runs as the
'system' user. This process gets started whenever the user logon
screen gets shown, this is either after booting up Windows XP or
when switching users.
In my experience so far the system account in Windows NT/2000 has
(almost?) the same rights as the Administrator account.
I decided it might be nice to kick it a bit in order to see if I
could make it do things it isn't supposed to do.
I replaced the logonui.exe file with the task manager (which showed
the user 'system' owns the process).
From the taskmgr.exe process I tried spawning a new process, cmd.exe.
I received the error "Not enough quota available to process this command.'
I received the same error when I replaced the logonui.exe file directly
with cmd.exe. The command prompt would actually show, but any commands
not built into cmd.exe itself would not run.
After this I replaced the file with NT4's usrmgr.exe to see if I had
rights enough to adjust user settings. It turns out that this is also
restricted.
I also wrote some programs myself to try to push a user from the normal
user group into the admin group through the ADSI interface, but this
didn't work out either.
Please note that the logonui.exe file can only be replaced by a user
that already has administrative rights.
The thing is that a lot of Windows XP users are actually replacing this
file with copies they download of the net. From sites such as
www.themexp.org it is possible to download 'customized logon screens'
which show your favorite actor or sports car or whatever.
I would like to warn for the fact that, since Microsoft chose to use a
binary format for a file that only contains some info on where to place
what pictures during logon and the pictures themselves, it is trivial to
write a trojan that fakes a logon screen and e-mails the entered
usernames & passwords. I have already written & tested one succesfully
on my home network.
It is unclear to me why Microsoft chose to use a binary format for a
file that, as far as I can see, contains nothing more than layout info.
History has already proved that users will gladly trade in security if it
means they can see some chick or something funny during the logon process.
Still, a trojan ofcourse isn't a security bug. Since I do not know how
they restricted the system account I would like to ask you for advice
on this. I have a feeling that it hasn't been done nicely, though I
can't really tell why, probably because I don't understand *how* it
has been done :)
Any help with this would be greatly appreciated,
Menso
-- --------------------------------------------------------------------- Anyway, the :// part is an 'emoticon' representing a man with a strip of sticky tape across his mouth. -R. Douglas, alt.sysadmin.recovery ---------------------------------------------------------------------
- Previous message: Michal Zalewski: "Re: yet another fake exploit making rounds"
- Next in thread: Ryan Permeh: "Re: Windows XP 'logon screen' runs as system account"
- Reply: Ryan Permeh: "Re: Windows XP 'logon screen' runs as system account"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
