Security Basics mailing list archives

Re: Admin rights via backdoors

From: "Demonic Software" <demonic.software () gmail com>
Date: Fri, 9 Mar 2007 13:59:12 -0600

It seem like under the general assumption where the developer is using
their own access rights seems flawed, because the developer could code
something in their that performs something like a connect back after a
port knock.

In an example scenario, the developer could employ a listener on a
port, and when a probe or some other msg is sent to that port, the
application sends a shell to the remote host on another port hard
coded into the source.

When the connect back is performed, I think is would be performed with
the privileleges held by the application process that spawns the
shell.  Then depending how the set-up is the developer can possibly
escalate their privileges and set-up their own account.  I am not sure
if this would actually fly in an AD environment, since I have never
worked in an AD environment, so admittedly I could be wrong about this
scenario.

Does this type of scenario fit what you were looking for?

As far as code goes,  I am not sure how to shovel out the shell from
an application, but the process would be the following:

1) Start exe
2) spawn a listener thread on the port
3) other thread does something, the listener thread waits for a knock
at the door
4) listener hear knock, looks at IP addr, starts a connection to IP,
and then a PIPE between a cmd shell IP, while the remote host listens
for the connection with netcat or something

Adam


On 3/9/07, WALI <hkhasgiwale () gmail com> wrote:

Hi Guys

I do understand the risks of seeing open ports on servers using nmap/nessus
but need to demonstrate a concept to my managers, the need for segregating
software developers and production environments, especially pertaining to
an financial application being built in-house.

I maintain that getting admin rights into an application while bypassing
logical access controls flowing down from Active directory or OS level is
trivial for a programmer if he hard codes some backdoor entry ports replete
with usernames and passwords. They disagree that if they have no AD rights
granted on the resource (different AD domains / filers etc), there is no
reason to physically isolate developers from production.

Is my contention conceptually correct? How can I demonstrate this with a
dummy application?

Current thread:

RE: Hacking Book / Information David (Mar 02)
- <Possible follow-ups>
- Re: Hacking Book / Information Gerhard Rickert (Mar 07)
  - Re: Hacking Book / Information Nabil Alsharif (Mar 08)
    - Admin rights via backdoors WALI (Mar 09)
    - RE: Admin rights via backdoors Scott Ramsdell (Mar 09)
    - Re: Admin rights via backdoors Adam Pridgen (Mar 12)
    - Re: Admin rights via backdoors Demonic Software (Mar 09)