Security Basics mailing list archives
Re: Admin rights via backdoors
From: "Demonic Software" <demonic.software () gmail com>
Date: Fri, 9 Mar 2007 13:59:12 -0600
It seem like under the general assumption where the developer is using their own access rights seems flawed, because the developer could code something in their that performs something like a connect back after a port knock. In an example scenario, the developer could employ a listener on a port, and when a probe or some other msg is sent to that port, the application sends a shell to the remote host on another port hard coded into the source. When the connect back is performed, I think is would be performed with the privileleges held by the application process that spawns the shell. Then depending how the set-up is the developer can possibly escalate their privileges and set-up their own account. I am not sure if this would actually fly in an AD environment, since I have never worked in an AD environment, so admittedly I could be wrong about this scenario. Does this type of scenario fit what you were looking for? As far as code goes, I am not sure how to shovel out the shell from an application, but the process would be the following: 1) Start exe 2) spawn a listener thread on the port 3) other thread does something, the listener thread waits for a knock at the door 4) listener hear knock, looks at IP addr, starts a connection to IP, and then a PIPE between a cmd shell IP, while the remote host listens for the connection with netcat or something Adam On 3/9/07, WALI <hkhasgiwale () gmail com> wrote:
Hi Guys I do understand the risks of seeing open ports on servers using nmap/nessus but need to demonstrate a concept to my managers, the need for segregating software developers and production environments, especially pertaining to an financial application being built in-house. I maintain that getting admin rights into an application while bypassing logical access controls flowing down from Active directory or OS level is trivial for a programmer if he hard codes some backdoor entry ports replete with usernames and passwords. They disagree that if they have no AD rights granted on the resource (different AD domains / filers etc), there is no reason to physically isolate developers from production. Is my contention conceptually correct? How can I demonstrate this with a dummy application?
Current thread:
- RE: Hacking Book / Information David (Mar 02)
- <Possible follow-ups>
- Re: Hacking Book / Information Gerhard Rickert (Mar 07)
- Re: Hacking Book / Information Nabil Alsharif (Mar 08)
- Admin rights via backdoors WALI (Mar 09)
- RE: Admin rights via backdoors Scott Ramsdell (Mar 09)
- Re: Admin rights via backdoors Adam Pridgen (Mar 12)
- Re: Admin rights via backdoors Demonic Software (Mar 09)
- Re: Hacking Book / Information Nabil Alsharif (Mar 08)