Re: Named Pipe Impersonation -> CreateProcessAsUser();

From: Blue Boar (BlueBoar_at_thievco.com)
Date: 07/14/03

    Date: Mon, 14 Jul 2003 13:13:54 -0700
    To: wirepair <wirepair@roguemail.net>
    
    

    wirepair wrote:

    > Hello, I'm attempting to finish up my exploit for the @stake advisory,
    > I've hit quite a snag when I found out that calling a new process does
    > not inherit the privileges of the named pipe. (I must have been thinking
    > of fork() or something heh). So I can impersonate SYSTEM, but I can not
    > create a new process with these nice privileges.

    Can you tell if you end up with the TOKEN_ADJUST_PRIVILEGES priv? If I
    recall correctly (and I probably don't) child processes of system will have
    that priv, but not have the other privs turned on. You have to use
    AdjustTokenPrivileges to get them.

                                                    BB

