Re: Privilege-escalation attacks on NT-based Windows are unfixable

From: Sam Simpson (sam@samsimpson.com)
Date: 08/22/02


From: Sam Simpson <sam@samsimpson.com>
Date: Thu, 22 Aug 2002 20:07:39 +0100

On Thu, 22 Aug 2002 10:06:53 +0100, RCC wrote:

> "David Hopwood" <david.hopwood@zetnet.co.uk> wrote in message
> news:3D645CE5.6C296663@zetnet.co.uk...
>> -----BEGIN PGP SIGNED MESSAGE-----
>>
>> RCC wrote:
>> > I'd say the only real issue with this "feature" is Terminal Server
>> > services in user mode. You will not allow users to log on locally on
>> > your servers other than terminal server (I know, IIS, but this is not
>> > a CONSOLE login, therefore users cannot get the tools to it); if the
>> > user takes over the workstation, this is only a local machine issue,
>> > which does not compromise a well secured (layered) network.
>>
>> So you're basically saying that local privilege escalation doesn't
>> matter, because it doesn't in itself allow remote attacks? That seems
>> completely bizarre to me.
>>
>> What exactly is the point of an OS having all the security-related
>> APIs, file permissions, auditing features, etc. that NT has, if it
>> doesn't seriously attempt to prevent privilege escalation? Might as
>> well use a single-user OS in that case.
>>
>> - --
>> David Hopwood <david.hopwood@zetnet.co.uk>
>>
>> Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
>> RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
>> Nothing in this message is intended to be legally binding. If I revoke
>> a public key but refuse to specify why, it is because the private key
>> has been seized under the Regulation of Investigatory Powers Act; see
>> www.fipr.org/rip
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: 2.6.3i
>> Charset: noconv
>>
>> iQEVAwUBPWRbWDkCAxeYt5gVAQEEuAf/fS0ZdjI7WNFN/OVjmt/lewiUs0wdDosm
>> YORGDa4tQHkJxc9kG1VxKWoM1yaBJ2CKHspFR4KyKGVRmw4R9TMaorA17Lm2C6OQ
>> o/94LT7QorRwvWSjt0E4VfVqlYQpkoobmjdavuO3Q4UvsE6eRDp9L9psJr1aoZnO
>> 16motD9EpZU5IZLWKayqbuAlE1bnUx0gQJx+7/GSN9naB91zSXbXEUM2ngdcwt79
>> CHFS/oEsTDiE8ZpRpah7OOj2XhauL9uyvzUZyiy0lD9G1YjzmTAm2cm8fC3CphnR
>> RIZa0rtno2pvKC9Cm8im3nJRVi4nb8N/456bN6XVYRVcuknYhO1Efw==
>> =vyQD
>> -----END PGP SIGNATURE-----
>
> I'm not disagreeing with you, I'm just making the point that the flaw is
> not as critical as everybody tries to imply. In a well-controlled
> environment, this weakness is well behind others, like users writing
> down the password, social engineering, etc. I don't have a LOT of
> experience as sysadmin, but as I said before, in a well secured (LAYERED)
> network, this vulnerability is NOT as critical as implied. The rest of
> the security facilities (like IPSec, Kerberos, file encryption and NTFS)
> work quite well in an environment where workstations do not hold
> sensitive data, therefore privilege escalation to the SYSTEM level is
> not compromising the entire network.

But in other environments (such as Citrix or Terminal Server "Windows
Mainframe") the effect of a supposedly normal-rights user elevating to
Local Admin rights could well affect 200-odd concurrent users.

Keeping in mind that there are literally tens or hundreds of millions of
TS users, this is a big problem IMHO.

> Again, my two cents (under the right to separate opinion).

Of course. And I'm sure everyone in these groups agrees with the
"security in depth" principle, but another principle is to patch known
and exploitable holes.
 

-- 
Regards,

Sam Simpson http://www.samsimpson.com/