Bugtraq mailing list archives
COM and Windows 2000
From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Mon, 6 Sep 1999 03:28:20 +0100
Prediction: COM and DCOM are where the major holes in Windows 2000 are going to be found.

As an example, on Windows 2000 Professional (Beta 3) run

    regsvr32 /n /i:U shell32.dll

This registers shell32.dll - but also note it starts the MSInstaller service (msiexec.exe). regsvr32.exe loads msi.dll, and msi.dll uses COM to CoCreate[an]Instance() of the MSIServer. regsvr32.exe speaks to the SCM (svchost.exe), svchost.exe speaks to services.exe, and services.exe opens the HKCR\AppID\{000C101...} key, reads in the LocalService value of MSIServer, navigates to the HKLM\CurrentControlSet\Services\MSIServer key and starts the service's image file - msiexec.exe.

By changing the LocalService value to Spooler, running regsvr32 /n /i:U shell32.dll then starts the Spooler service. Easy or what?

Problem 1) Power User has NTFS permissions by default to change spoolsv.exe
Problem 2) Power User has the Set Value permission for the HKCR\AppID\{000C101...} registry key.

Problem 1 + Problem 2 = Power User to Administrator

I haven't tested this yet on Server but I'd imagine this would go for the likes of Backup and Server Operators.

I've written (well, I wrote 1/10th and the MFC wizard did the rest ;-) an MFC app that will edit the registry (changing MSIServer to Spooler), then call

    COleDispatchDriver cdd;
    cdd.CreateDispatch(_T("{000C101C-0000-0000-C000-000000000046}"));

which starts the Spooler service. Copying cmd.exe over spoolsv.exe and running the program drops you into a Command Prompt with system privileges.

Talking about copying cmd.exe over spoolsv.exe - the Protected Storage service doesn't like it. It'll pop up a window and tell you to set it back. Humour the pop-up and click on OK - see spoolsv.exe? That's your cmd.exe disguised as spoolsv.exe - right click on it and click on Open - winlogon.exe opens it for you - not on your desktop. But who cares - just overwrite spoolsv.exe with a program that'll do the dirty work for you. If anyone wants a copy mail me.
Anyway - did I talk about the telnet service and COM? I did in another mail so I won't reiterate here.

While we're at it, a few other things to be fixed before the Final Product comes out:

Buffer overrun in regsvr32.exe: run

    regsvr32 /n /i:U AAAAAAAAAAlots of AAAAAAs

Wouldn't like to have that in an INF file.

Buffer overrun in wscript.exe.

Should a non-Power User be able to add another user account using the net user command?

Clicking on Start -> Run: Explorer looks in the root of the drive (eg. C:\) for the exe or app for any command run from here before checking the %systemroot% or %systemroot%\system32 directory. Not good for trojans.

Been too long a night - so g'nite

Cheers,
David Litchfield
http://www.arca.com
http://www.infowar.co.uk/mnemonix/
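A defender's counterpart to the two preconditions the post describes (Set Value on an HKCR\AppID key that names a LocalService, plus write access to that service's image file), as an added example that is not part of Litchfield's post: a read-only PowerShell audit written for a current Windows host (PowerShell did not exist on Windows 2000). The $TrustedWriters list and the ImagePath parsing heuristic are assumptions of this example.

```powershell
# Added example, not from the original post. Read-only audit of the two preconditions
# described above: a non-administrative principal able to (1) set values under an
# HKCR\AppID\{GUID} key that carries a LocalService value, or (2) write the image file
# of the service that key points at. Run from an elevated PowerShell on a current host.

# Assumption: these principals are expected to hold write access; anyone else is flagged.
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

function Get-FlaggedIdentities {
    # Return identities in $Rules that are allowed any bit of $RightMask and are not trusted.
    param($Rules, [string]$RightsProperty, [int]$RightMask)
    $Rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.$RightsProperty -band $RightMask) -ne 0) -and
        ($TrustedWriters -notcontains $_.IdentityReference.Value)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Resolve-ImagePath {
    # Heuristic (assumption): strip quotes and arguments from ImagePath, expand %SystemRoot%.
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    $i = $p.ToLower().IndexOf('.exe')
    if ($i -ge 0) { $p.Substring(0, $i + 4) } else { $p.Split(' ')[0] }
}

function Test-AppIdLocalServiceExposure {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = (Get-ItemProperty $_.PSPath -Name LocalService -ErrorAction SilentlyContinue).LocalService
        if (-not $svc) { return }
        # (1) Who may change the LocalService value on this AppID key?
        $keyWriters = Get-FlaggedIdentities (Get-Acl $_.PSPath).Access 'RegistryRights' `
            ([int][System.Security.AccessControl.RegistryRights]::SetValue)
        # (2) Who may overwrite the binary that services.exe will start for this service?
        $raw = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $image = if ($raw) { Resolve-ImagePath $raw } else { $null }
        $imageWriters = if ($image -and (Test-Path -LiteralPath $image)) {
            Get-FlaggedIdentities (Get-Acl -LiteralPath $image).Access 'FileSystemRights' `
                ([int][System.Security.AccessControl.FileSystemRights]::WriteData)
        }
        if ($keyWriters -or $imageWriters) {
            [pscustomobject]@{ AppID = $_.PSChildName; Service = $svc; KeySetValue = $keyWriters
                               ImagePath = $image; ImageWrite = $imageWriters }
        }
    }
}

Test-AppIdLocalServiceExposure | Format-List
```

Any row returned is a key or binary whose ACL should be tightened so that only the trusted principals retain write access.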