Full Disclosure mailing list archives
Re: Question for the Windows pros
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 18 Jan 2006 14:01:18 -0600
On Wed, 2006-01-18 at 12:07 -0600, Paul Schmehl wrote:
> I understand *that*. My question is, what are you granting them "su" *for*? The entire kettle of fish? Or specific tasks. The privilege only allows you to impersonate a *client* (as in server-client), so (I would think) you can't do file browsing or http parsing (or can you?)

Right. Unless the user can find a way of running as a "logged on user" or such. A user might be able to run an exploit script that takes advantage of the ImpersonateClient and launches a cmd.exe locally. Think of Attempted Privilege Execution rather than Attempted Privilege Escalation since you already have the privilege escalated through this right.... just need to find a way to put it to use. Remembering stunts like using the scheduler to run cmd.exe interactively or as a screensaver, getting to the point of doing something useful with that right shouldn't be too hard.

What are you granting them su for? Perhaps for a mail migration utility that runs as administrator, but assumes the security context of a user to read email from his mailbox (yeah, admin can do that, this is just an example). Or for running a script remotely against a user workstation that sets certain things in the Registry in the user context (to gain access to the Secure Storage or such).

> Unfortunately, in the context of my problem, the users must have this right.

What circumstance requires you to turn that right on, if you don't mind me asking?

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/