Penetration Testing mailing list archives
Re: priviledge escalation techniques
From: miguel.dilaj () pharma novartis com
Date: Mon, 17 Jan 2005 22:09:41 +0000
Hi again jnf! I'll provide you 2 answers, then you can investigate yourself. a) It's perfectly possible for a process to run with high privileges, and drop the privileges when in the need to do something else. In fact is not only possible, it's common practice, both in the *nix and Windows world. I blame the fact that WHEN NO ONE IS LOGGED IN, the system is still monitoring the 5 SHIFT sequence, and runs sethc.exe as SYSTEM in that case (you can even launch explorer.exe and have the whole enchilada as SYSTEM). I'm not saying that I'm surprised, considering that the guys at M$ have thrown everything but the kitchen sink into system space... b) It's perfectly possible to monitor keystrokes even without administrative privileges, thanks to the way Windows is built. Feel free to try the keylogging functionality of the spanish tool VeoVeo (www.hackindex.org) as a normal user. If you don't understand spanish, don't panic, I made a translation to english, available at http://usuarios.lycos.es/n3kr0m4nc3r/tools/ I know VeoVeo it's not perfect, but it shows the idea, and the source is available if you are not happy with it. I hope you don't think that the above are also silly statements... Cheers, Miguel Dilaj (Nekromancer, the humorous one) Vice-President of IT Security Research, OISSG (the funny organization) We need YOU at www.oissg.org! jnf <lists () innocence-lost net> 17/01/2005 19:45 To: Miguel Dilaj/PH/Novartis@PH cc: pen-test () securityfocus com Subject: Re: priviledge escalation techniques
and the guys at Micro$oft comit the cardinal mistake of not making IT check if SHIFT was pressed 5 times, but to include that in
some
other part of the OS (kernel? ;-)
And while I sit here eating lunch it occured to me how silly of a statement that was- consider which is more of an acceptible risk- scenario 1) sethc.exe is run as a normal user, or rather as the user logged in- it does not run with any special capabilities, the keyboard driver or whatever intercepts and detects shift pressed 5 times, or held for X seconds- however IF someone managed to override your DAC's/file permissions then they can overwrite the program, however if this occurs- the game is already up because you had a more critical flaw some place else, and that is really the way that you lost control. scenario 2) sethc.exe is always running and monitoring keystrokes looking for any sequence of keystrokes that it recognizes, in order to do this either any user has to be able to 'sniff keystrokes', OR, it has to run with special access allowing the window for abuse to grow bigger- in addition to this the kernel has to take extra steps in order to pass every keystroke to userspace, which is going to degrade performance. So here, the simple program is now running with elevated status and becomes a huge potential for abuse.
From a perspective of security, which is a better design? scenario 2 is
basically what you are suggesting. I love IT Security as well, but its not nearly as humorous as It Security 'Professionals' cheers, jnf
Current thread:
- priviledge escalation techniques Dan Rogers (Jan 17)
- Re: priviledge escalation techniques Chuck Herrin (Jan 17)
- <Possible follow-ups>
- Re: priviledge escalation techniques miguel . dilaj (Jan 17)
- Re: priviledge escalation techniques lists (Jan 18)
- Re: priviledge escalation techniques jnf (Jan 18)
- RE: priviledge escalation techniques John Cobb (Jan 20)
- Re: priviledge escalation techniques miguel . dilaj (Jan 20)
- Re: priviledge escalation techniques jnf (Jan 20)
- Re: priviledge escalation techniques miguel . dilaj (Jan 20)
- RE: priviledge escalation techniques Marc Maiffret (Jan 20)
- Re: priviledge escalation techniques BSK (Jan 20)
- RE: priviledge escalation techniques Dave Wells (Jan 20)
- RE: priviledge escalation techniques Michael Howard (Jan 20)
- Re: priviledge escalation techniques BSK (Jan 20)
- RE: priviledge escalation techniques Roy Stapleton (Jan 21)
- RE: priviledge escalation techniques Eyal Udassin (Jan 22)
- Re: priviledge escalation techniques Pieter Danhieux (Jan 23)
- RE: priviledge escalation techniques Eyal Udassin (Jan 22)
(Thread continues...)