Re: Privilege-escalation attacks on NT-based Windows are unfixable

From: Sam Simpson <sam@samsimpson.com>
Date: Thu, 22 Aug 2002 20:07:39 +0100

On Thu, 22 Aug 2002 10:06:53 +0100, RCC wrote:

> "David Hopwood" <david.hopwood@zetnet.co.uk> wrote in message
> news:3D645CE5.6C296663@zetnet.co.uk...
>> -----BEGIN PGP SIGNED MESSAGE-----
>>
>> RCC wrote:
>> > I'd say the only real issue with this "feature" is Terminal Server
>> > services in user mode. You will not allow users to log on locally
>> > on your servers other than terminal server (I know, IIS, but this
>> > is not a CONSOLE login, therefore users cannot get the tools to it);
>> > if the user takes over the workstation, this is only a local machine
>> > issue, which does not compromise a well secured (layered) network.
>>
>> So you're basically saying that local privilege escalation doesn't
>> matter, because it doesn't in itself allow remote attacks? That seems
>> completely bizarre to me.
>>
>> What exactly is the point of an OS having all the security-related
>> APIs, file permissions, auditing features, etc. that NT has, if it
>> doesn't seriously attempt to prevent privilege escalation? Might as
>> well use a single-user OS in that case.
>>
>> - --
>> David Hopwood <david.hopwood@zetnet.co.uk>
>>
>> Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
>> RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
>> Nothing in this message is intended to be legally binding. If I revoke
>> a public key but refuse to specify why, it is because the private key
>> has been seized under the Regulation of Investigatory Powers Act; see
>> www.fipr.org/rip
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: 2.6.3i
>> Charset: noconv
>>
>> iQEVAwUBPWRbWDkCAxeYt5gVAQEEuAf/fS0ZdjI7WNFN/OVjmt/lewiUs0wdDosm
>> YORGDa4tQHkJxc9kG1VxKWoM1yaBJ2CKHspFR4KyKGVRmw4R9TMaorA17Lm2C6OQ
>> o/94LT7QorRwvWSjt0E4VfVqlYQpkoobmjdavuO3Q4UvsE6eRDp9L9psJr1aoZnO
>> 16motD9EpZU5IZLWKayqbuAlE1bnUx0gQJx+7/GSN9naB91zSXbXEUM2ngdcwt79
>> CHFS/oEsTDiE8ZpRpah7OOj2XhauL9uyvzUZyiy0lD9G1YjzmTAm2cm8fC3CphnR
>> RIZa0rtno2pvKC9Cm8im3nJRVi4nb8N/456bN6XVYRVcuknYhO1Efw==
>> =vyQD
>> -----END PGP SIGNATURE-----
>
> I'm not disagreeing with you, I'm just making the point that the flaw
> is not as critical as everybody tries to imply. In a well-controlled
> environment, this weakness is well behind others, like users writing
> down the password, social engineering, etc. I don't have a LOT of
> experience as a sysadmin, but as I said before, in a well secured
> (LAYERED) network, this vulnerability is NOT as critical as implied.
> The rest of the security facilities (like IPSec, Kerberos, file
> encryption and NTFS) work quite well in an environment where
> workstations do not hold sensitive data, therefore privilege
> escalation to the SYSTEM level does not compromise the entire network.

But in other environments (such as Citrix or Terminal Server "Windows
Mainframe") the effect of a supposedly normal-rights user elevating to
Local Admin rights could well affect 200-odd concurrent users.

Keeping in mind that there are literally tens or hundreds of millions of
TS users, this is a big problem IMHO.

> Again, my two cents (under the right to separate opinion).

Of course. And I'm sure everyone in these groups agrees with the
"security in depth" principle, but another principle is to patch known
and exploitable holes.
 

-- 
Regards,

Sam Simpson http://www.samsimpson.com/


