Full Disclosure mailing list archives
Re: MS Windows Screensaver Privilege Escalation
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 25 Nov 2004 13:08:48 +0300
Dear Matthew Walker,

Permissions for HKEY_USERS\Control Panel\Desktop allow modification only by members of Administrators and System. Power Users can install software, so they can replace any file in the SYSTEM32 directory, including the screensaver. This allows them to trojan any system file (for example, one can replace winspool.exe with cmd.exe to obtain SYSTEM permissions).

It's by design and it's documented. Just never assign users to the Power Users group, as Microsoft recommends.

I see no security vulnerability here.

--Wednesday, November 24, 2004, 8:36:14 PM, you wrote to full-disclosure () lists netsys com:

MW> To Whom it May Concern;

MW> The Original Post is http://www.securityfocus.com/bid/11711

MW> On Windows XP all releases, when you replace, or change the
MW> screensaver displayed on the login screen with a specially crafted
MW> version designed to execute programs, those programs are launched
MW> under the SYSTEM SID, IE: they are given automatically the highest
MW> access level available to Windows. This level is not accessible even
MW> to administrators.

MW> This flaw is important because while one would need Power User
MW> privileges or above to change the Login Screensaver, by default, any
MW> user with the exception of guest can replace the login screensaver
MW> file with a modified version. In theory, any determined user could
MW> execute ANYTHING with SYSTEM privileges. A similar flaw exists in
MW> Win2K, but Microsoft has ignored it.

MW> Sincerely;
MW> Matt Walker

MW> _______________________________________________
MW> Full-Disclosure - We believe in it.
MW> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
~/ZARAZA
Patriotism is the same as religion. (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
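Added example, not part of the original message or thread: a PowerShell audit of the conditions the reply describes, listing who besides administrators and SYSTEM can write to the logon screensaver setting, the screensaver file and its directory, and whether Power Users has any members. The `.DEFAULT` hive path, the `SCRNSAVE.EXE` value name and the trusted-SID list are assumptions of this example, not details taken from the post.

```powershell
# Added audit example. Assumptions: the logon screensaver is read from the
# .DEFAULT hive's SCRNSAVE.EXE value; trusted writers are SYSTEM,
# BUILTIN\Administrators and TrustedInstaller.
$Trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# WriteData/SetValue (0x2), AppendData/CreateSubKey (0x4), delete-child (0x40),
# Delete, ChangePermissions, TakeOwnership, plus GENERIC_WRITE and GENERIC_ALL.
$WriteMask = 0x500D0046
$SidType   = [System.Security.Principal.SecurityIdentifier]

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$LiteralPath)
    $acl = Get-Acl -LiteralPath $LiteralPath
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this object itself.
        if ($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        $sid = $ace.IdentityReference.Value
        if (($rights -band $WriteMask) -and ($Trusted -notcontains $sid)) {
            [pscustomobject]@{ Object = $LiteralPath; Sid = $sid
                               Rights = '0x{0:X8}' -f $rights }
        }
    }
}

$key = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
$findings = @(Get-UntrustedWriter -LiteralPath $key)

$scr = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
if ($scr) {
    $scr = [Environment]::ExpandEnvironmentVariables($scr)
    if (-not [IO.Path]::IsPathRooted($scr)) { $scr = Join-Path $env:SystemRoot "System32\$scr" }
    if (Test-Path -LiteralPath $scr) {
        $findings += Get-UntrustedWriter -LiteralPath $scr
        $findings += Get-UntrustedWriter -LiteralPath (Split-Path -Parent $scr)
    }
}

# S-1-5-32-547 is BUILTIN\Power Users; the reply's advice is to keep it empty.
$powerUsers = @(Get-LocalGroupMember -SID 'S-1-5-32-547' -ErrorAction SilentlyContinue)
Write-Host "Power Users members: $($powerUsers.Count)"
$powerUsers | ForEach-Object { Write-Host "  $($_.Name)" }
$findings
```

An empty result with zero Power Users members matches the configuration the reply recommends; any row returned names a SID that can change what runs as SYSTEM at the logon screen.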