Full Disclosure mailing list archives

Re: Question for the Windows pros

From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 18 Jan 2006 17:30:47 -0600

--On Wednesday, January 18, 2006 17:07:23 -0600 Frank Knobbe<frank () knobbe us> wrote:

On Wed, 2006-01-18 at 16:16 -0600, Paul Schmehl wrote:

This means that the exposure, when granting the privilege, is as follows:
1) If you can launch a process on the local machine AND
2) The process has embedded credentials that are different from the user
launching the process THEN
3) The user gains those credentials' privileges ***for the length of
that  process***


Yup. So if your use has that right, any spyware the user downloads via
IE can use that user right to elevate credentials **for the length of
the malware installation**. Does that sound right? And does that sound
like something you'd want to happen?

The spyware has to bring the credentials with it. The user doesn't *have*the credentials. It *gets* them from the process in question. That's abit different. The user has the right to impersonate within the context ofa process. The process must already have the credentials to elevate, orthe user gets nothing (if I'm understanding impersonation correctly.)


If you give that right, or admin privs, why don't you limit that only to
the duration of the software install? It sounded like you were planning
on granting that user right and leaving it in place. If you only grant
it temporarily, the exposure is not great, imho. (Remember, I've been
liberated from Windows for a couple years now ;)

Do you know a way to programmatically grant rights, on the fly, and thentake them away? I know you can do this with RunAs, but that would requirehaving an admin password, in the clear, and readable by AuthenticatedUsers. That ain't gonna happen.

As far as granting the privilege goes, *if* we do it, it will only be inplace long enough to distribute the agents. Then it will be removed. ButI'm reluctant to even do *that* until I'm certain I fully understand theramifications.


Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Question for the Windows pros, (continued)
- Re: Question for the Windows pros Stuart Dunkeld (Jan 18)
  - Re: Question for the Windows pros Paul Schmehl (Jan 18)
    - Re: Question for the Windows pros Frank Knobbe (Jan 18)
    - Re: Question for the Windows pros Paul Schmehl (Jan 18)
    - Re: Question for the Windows pros Yvan Boily (Jan 18)
    - Re: Question for the Windows pros Paul Schmehl (Jan 18)
    - Re: Question for the Windows pros Dave Korn (Jan 19)
    - Re: Question for the Windows pros Frank Knobbe (Jan 18)
    - Re: Question for the Windows pros Paul Schmehl (Jan 18)
    - Re: Question for the Windows pros Frank Knobbe (Jan 18)
    - Re: Question for the Windows pros Paul Schmehl (Jan 18)
    - Re: Question for the Windows pros Bernhard Mueller (Jan 18)
    - Re: Question for the Windows pros Paul Schmehl (Jan 19)
    - Re: Question for the Windows pros Dave Korn (Jan 19)
    - Re: Question for the Windows pros Dave Korn (Jan 19)
    - Re: Re: Question for the Windows pros Paul Schmehl (Jan 19)
    - Re: Re: Question for the Windows pros Nicolas RUFF (Jan 23)
    - Re: Question for the Windows pros Jerome Athias (Jan 19)
    - Re: Question for the Windows pros Paul Schmehl (Jan 19)
- Re: Question for the Windows pros Nicolas RUFF (Jan 19)
  - Re: Question for the Windows pros Paul Schmehl (Jan 19)