Re: Hacking Windows Security Principal

From: Shawn Farkas [MS] (shawnfa_at_online.microsoft.com)
Date: 02/03/05


Date: Wed, 02 Feb 2005 23:30:21 GMT

In order for that system to work, the domain would have to trust the data
(and thus SIDs, etc.) coming off of each computer. And for exactly the
reason you state, that data is not trustable. If you're interested in the
system Windows does use to trust various computers, a good place to start
would be to read about how Kerberos works
(http://blogs.msdn.com/shawnfa/archive/2004/03/03/83363.aspx).

-Shawn
http://blogs.msdn.com/shawnfa
--
This posting is provided "AS IS" with no warranties, and confers no rights.
 

Note:
For the benefit of the community-at-large, all responses to this message
are best directed to the newsgroup/thread from which they originated.
--------------------
> From: "Gecko" <nada@nada.com>
> References: <OvwpZg2AFHA.2676@TK2MSFTNGP12.phx.gbl> <hk8QQoJCFHA.3048@cpmsftngxa10.phx.gbl>
> Subject: Re: Hacking Windows Security Principal
> Date: Tue, 1 Feb 2005 16:55:36 -0600
> Message-ID: <O9wWWELCFHA.2384@TK2MSFTNGP14.phx.gbl>
> Newsgroups: microsoft.public.dotnet.security
>
> Consider this:
>
> What if I am logged on to a Domain where I have Administrator privileges in
> my *Local* computer but limited access to files and folders on some domain
> *Server*.
>
> For the sake of the example, let's say that the server has a shared text
> file with all the employees of the company and their salaries; let's assume
> that the only person that can change this file is a Domain Administrator.
>
> Having full control on my *local* computer, I search the memory and find
> the security Token issued to my computer by my domain controller when I
> logged on. Once I found it I modify the token by replacing some group entry
> with the domain administrator SID and name (assuming that I know it).
>
> Once my Token has been modified I request access to the file, I am granted
> access and change my salary so I can retire early.
>
> Is this possible?
>
>
> ""Shawn Farkas [MS]"" <shawnfa@online.microsoft.com> wrote in message
> news:hk8QQoJCFHA.3048@cpmsftngxa10.phx.gbl...
> > If the attacker has access to a debugger so that they can modify
> > arbitrary bits in your process's memory, then you're hosed anyway. Once
> > you've allowed the attacker that level of control on the machine, they
> > can accomplish pretty much whatever they want. For instance, even if you
> > called a function that returned true for authenticated and false for not
> > based upon some object not stored in your process's memory, the attacker
> > could just set a breakpoint on that function's return instruction, and
> > flip the bit there.
> >
> > -Shawn
> > http://blogs.msdn.com/shawnfa
> > --
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> >
> > Note:
> > For the benefit of the community-at-large, all responses to this message
> > are best directed to the newsgroup/thread from which they originated.
> > --------------------
> >> From: "Rene" <nospam@nospam.com>
> >> Subject: Hacking Windows Security Principal
> >> Date: Tue, 25 Jan 2005 23:30:46 -0600
> >> Message-ID: <OvwpZg2AFHA.2676@TK2MSFTNGP12.phx.gbl>
> >> Newsgroups: microsoft.public.dotnet.security
> >>
> >> According to my research, it looks like I can use the Windows Security
> >> Principal to verify that a user is authenticated or to see if they
> >> belong to a certain group etc.
> >>
> >> The thing that bothers me is that this object resides in the client
> >> computer memory and everybody knows that this makes this object more
> >> vulnerable to hacker attacks.
> >>
> >> My question is, how difficult would it be for a hacker to go directly to
> >> memory and flip the IsAuthenticated bit from 0 to 1? Or go directly
> >> through memory and change a group name from "ZeroControl" to
> >> "FullControl"? Once those changes are made, the attacker would be able
> >> to easily bypass my role-based security and I will be... Oh my, I don't
> >> even want to think about that.
> >>
> >> This is just a silly example but I hope it gets the point across, thank
> >> you for any information.
> >>
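Shawn's reply at the top of the thread explains why Gecko's scenario fails: the file server does not trust a group list supplied by the client machine, it relies on a ticket the domain controller issued under the service's own key. The following is an added, deliberately simplified Python model of that trust boundary (not real Kerberos, not Microsoft's code, and not part of the thread); the SIDs, the user names and the shared key are all constructed:

```python
import hashlib
import hmac
import json

# Constructed, simplified model (not real Kerberos, not Microsoft's code) of
# Shawn's point: the file server authorizes from a ticket the KDC bound to the
# *service's* key, never from the group list in the client's own memory.

DOMAIN_ADMINS = "S-1-5-21-1111-2222-3333-512"  # constructed domain SID, RID 512
DOMAIN_USERS = "S-1-5-21-1111-2222-3333-513"  # constructed domain SID, RID 513
SERVICE_KEY = b"constructed-key-shared-by-kdc-and-file-server"
DIRECTORY = {"gecko": [DOMAIN_USERS], "dadmin": [DOMAIN_USERS, DOMAIN_ADMINS]}

def kdc_issue_ticket(user):
    """Domain controller: group membership comes from the directory, never
    from the requesting machine, and the result is bound to the service key."""
    payload = json.dumps({"user": user, "groups": DIRECTORY[user]}).encode()
    mac = hmac.new(SERVICE_KEY, payload, hashlib.sha256).digest()
    return {"payload": payload, "mac": mac}

def local_is_in_role(local_token, sid):
    """Client-side check (think WindowsPrincipal.IsInRole on the workstation):
    it trusts whatever the process holds in memory, so a local edit fools it."""
    return sid in local_token["groups"]

def server_can_edit_salaries(ticket):
    """File server: accept only what the KDC bound to our key; the client's
    local token is never consulted."""
    expected = hmac.new(SERVICE_KEY, ticket["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket["mac"]):
        return False  # payload altered after issue, or never issued by the KDC
    return DOMAIN_ADMINS in json.loads(ticket["payload"])["groups"]

def edited_local_token(user):
    """Gecko's scenario: the in-memory group list on the workstation is
    rewritten to include the Domain Admins SID."""
    return {"user": user, "groups": DIRECTORY[user] + [DOMAIN_ADMINS]}

def edited_ticket(ticket):
    """The same edit applied to the ticket bytes the client forwards."""
    data = json.loads(ticket["payload"])
    data["groups"].append(DOMAIN_ADMINS)
    return {"payload": json.dumps(data).encode(), "mac": ticket["mac"]}

if __name__ == "__main__":
    print("local check fooled:", local_is_in_role(edited_local_token("gecko"), DOMAIN_ADMINS))
    print("server, honest ticket:", server_can_edit_salaries(kdc_issue_ticket("gecko")))
    print("server, edited ticket:", server_can_edit_salaries(edited_ticket(kdc_issue_ticket("gecko"))))
    print("server, real admin:", server_can_edit_salaries(kdc_issue_ticket("dadmin")))
```

The local role check is the only one that can be fooled by editing client memory, which is the point of both replies: enforce the decision on the server, against the token the domain controller vouched for.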