Re: Microsoft Windows Impersonation Privilege Escalation Weakness



Alun Jones wrote:

Imhotep wrote:
"Microsoft Windows is susceptible to a weakness that may allow
attackers to gain elevated privileges. This issue is due to the
ability of services to impersonate clients after they have
authenticated."

http://www.securityfocus.com/bid/18008/discuss

I read this a while back. It basically says "if you give your username
and password to a service that pretends to be you, that service can
pretend to be you".

The same "weakness" exists in every other operating system.

You can do better than this, surely - an outdated article that describes
as a weakness a basic, known, issue with handing your authentication
credentials over to another party for delegation.

Come on, where's the insightful Imhotep, the guy who's ahead of the game,
who's predicting where Windows will take a tumble next, and unflinchingly
provides advice designed to protect users, rather than merely scare them?

I've yet to see that Imhotep, but I'd like to believe that if you try
really hard, you can squeeze one such posting out.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]


Warning! Warning! Alun "spanky" Jones Idiot alert!!!

Still waiting on you stepping up and being a man. You made a comment, got
caught lying, and ran away like the weeping foolish troll you are...come on,
are you better than that?

What about the users here? Don't you want to provide honest data? Are you
better than that?

<guess not, you're just another meatball>

Imhotep