Re: MS Windows Screensaver Privilege Escalation

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear Matthew Walker,

Permissions  for  HKEY_USERS\Control Panel\Desktop allow modification to
only members of Administrators and System.

Power  Users  can  install  software,  so  they  can replace any file in
SYSTEM32  directory,  including  screensaver.  It  allows  to trojan any
system  file  (for example, one can replace winspool.exe with cmd.exe to
obtain  SYSTEM  permissions).  It's  by design and it's documented. Just
never  assign users in Power Users group, as Microsoft recommends you. I
see no security vulnerability here.

--Wednesday, November 24, 2004, 8:36:14 PM, you wrote to full-disclosure () lists netsys com:

MW> To Whom it May Concern;
MW> The Original Post is http://www.securityfocus.com/bid/11711

MW> On Windows XP all releases, when you replace, or change the
MW> screensaver displayed on the login screen with a specially crafted
MW> version designed to execute programs, those programs are launched
MW> under the SYSTEM SID, IE: they are given automatically the highest
MW> access level avalible to Windows.  This level is not accessible even
MW> to administrators.

MW> This flaw is important because while one would need Power User
MW> privledges or above to change the Login Screensaver, by default, any
MW> user with the exception of guest can replace the login screensaver
MW> file with a modified version.  In theory, any determined user could
MW> execute ANYTHING with SYSTEM privledges.  A similar flaw exists in
MW> Win2K, but Microsoft has ignored it.

MW> Sincerly;
MW> Matt Walker

MW> _______________________________________________
MW> Full-Disclosure - We believe in it.
MW> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
Патриотизм - это та же религия. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html