Penetration Testing mailing list archives

Re: priviledge escalation techniques

From: miguel.dilaj () pharma novartis com
Date: Mon, 17 Jan 2005 21:54:24 +0000

Hi jnf!

Good question, I used a tool to write to NTFS volumes, as mentioned in 
point (1) of my post. This was probably not clear in my original post, 
sorry.
And answering another good question you made off-list:

What is the point then?
If you can write to anything on the fs, why not just skip the middle mand
and write a new sam file or just add a new program to run on boot in the
registry/etc. what do you gain by adding extra steps?


Your options are perfectly valid, but much more detectable (IMHO).
With the option of changing sethc.exe you are not running anything extra, 
you are not modifying the SAM (that can count as evidence against you in 
case of problems), and you don't even need to crack passwords.
It's just a CLI as SYSTEM on request ;-)
But as you pointed, the possibilities are endless.
Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
We need YOU at www.oissg.org!






lists <lists () innocence-lost net>
17/01/2005 19:19

 
        To:     Miguel Dilaj/PH/Novartis@PH
        cc:     pen-test () securityfocus com
        Subject:        Re: priviledge escalation techniques

3) the one I've chosen, similar to (1) above. I've XP with the
Accessibility Tools installed by default. They monitor some keys, and if
for example you press SHIFT 5 times a popup appears where you can

activate

and configure the accessibility tools. The program responsible for that

is

sethc.exe, and the guys at Micro$oft comit the cardinal mistake of not
making IT check if SHIFT was pressed 5 times, but to include that in

some

other part of the OS (kernel? ;-)
So if you press SHIFT 5 times, sethc.exe is executed, but doesn't matter
WHAT IS sethc.exe
You guess that, I replaced sethc.exe by a copy of cmd.exe
If I press that BEFORE login, a CLI as SYSTEM is started, I can launch
compmgmt.msc and add myself to the local administrators group (please

note

that if you start it AFTER login, a CLI is started as your user).



How do you suppose one gets write access to sethc.exe without admin privs
in the first place? I cannot overwrite my sethc.exe, nor can I change the
system Path variables, and it gets prepended to my path before user
variables do- are you sure you didn't test this while logged in as an
admin?

jnf

Current thread:

priviledge escalation techniques Dan Rogers (Jan 17)
- Re: priviledge escalation techniques Chuck Herrin (Jan 17)
- <Possible follow-ups>
- Re: priviledge escalation techniques miguel . dilaj (Jan 17)
  - Re: priviledge escalation techniques lists (Jan 18)
  - Re: priviledge escalation techniques jnf (Jan 18)
    - RE: priviledge escalation techniques John Cobb (Jan 20)
- Re: priviledge escalation techniques miguel . dilaj (Jan 20)
  - Re: priviledge escalation techniques jnf (Jan 20)
- Re: priviledge escalation techniques miguel . dilaj (Jan 20)
- RE: priviledge escalation techniques Marc Maiffret (Jan 20)
- Re: priviledge escalation techniques BSK (Jan 20)
- RE: priviledge escalation techniques Dave Wells (Jan 20)
- RE: priviledge escalation techniques Michael Howard (Jan 20)
- Re: priviledge escalation techniques BSK (Jan 20)
- RE: priviledge escalation techniques Roy Stapleton (Jan 21)
  - RE: priviledge escalation techniques Eyal Udassin (Jan 22)
    - Re: priviledge escalation techniques Pieter Danhieux (Jan 23)
    - Re: priviledge escalation techniques Thor (Jan 23)
    - RE: priviledge escalation techniques Eyal Udassin (Jan 23)

(Thread continues...)