Bugtraq mailing list archives
Re: Escalation of privileges
From: Nicolas Rachinsky <rnicolas () GMX NET>
Date: Tue, 8 Aug 2000 21:44:42 +0200
Exactly the same problem exists with netshield 4.0.3 and VirusscanNT 4.0.3 from Networkassociates. tested on NT4 SP5. Just replace scan32.exe with e.g. cmd.exe schedule a scan some minutes in the future and you'll get a shell running with more privileges you had. I don't know yet, if the shell is running in the system account or the account for the backgroundscanner because we run it in the system account. I think the later one. Nicolas System Administrator ----- Original Message ----- From: Chris Foster <frostman () CAROLINA RR COM> To: <BUGTRAQ () SECURITYFOCUS COM> Sent: Monday, August 07, 2000 6:07 PM Subject: Escalation of privileges
While testing escalation of privileges from a normal user to admin I found that in my NTS 4.0/SP6 installation with Norton Antivirus 5.02 installed this is very simple. Here are the details on how this is done: 1. Logon as a normal user. Try to run windisk from the run prompt and you should get an access denied. 2. Browse to the root directory for the NAV installation and rename navlu32.exe to navlu32.old. Create navlu32.exe that executes the command: net localgroup administrators {name of account to escalate} /ADD 3. Open the Norton Program Scheduler by executing nschednt.exe in the installation directory. Since normal users are restricted as to what they can run. (Display Message, Scan for Viruses, Run LiveUpdate) Just schedule a LiveUpdate for a couple of mins ahead. When your scheduled job runs it will execute your navlu32.exe. Log back on and you now have admin privs and can execute windisk or whatever you like for that matter. This works due to the Norton Program Scheduler running with system privs and a normal user being able to write to the Norton installation directory. Frostman
Current thread:
- Escalation of privileges Chris Foster (Aug 07)
- reporting local security problems for WinNT (Re: Escalation of privileges) Vladimir Dubrovin (Aug 08)
- Re: reporting local security problems for WinNT (Re: Escalation of privileges) David LeBlanc (Aug 09)
- Re: reporting local security problems for WinNT (Re: Escalation of privileges) William D. Colburn (aka Schlake) (Aug 10)
- Re: reporting local security problems for WinNT (Re: Escalation of privileges) Tom Perrine (Aug 11)
- Re: reporting local security problems for WinNT (Re: Escalation of privileges) David LeBlanc (Aug 09)
- reporting local security problems for WinNT (Re: Escalation of privileges) Vladimir Dubrovin (Aug 08)
- Re: Escalation of privileges Nicolas Rachinsky (Aug 09)
- <Possible follow-ups>
- Re: Escalation of privileges Mayers, Philip J (Aug 08)
- Re: Escalation of privileges Kenn Humborg (Aug 09)
- Re: Escalation of privileges Adam Richard (Aug 10)