Bugtraq mailing list archives

COM and Windows 2000


From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Mon, 6 Sep 1999 03:28:20 +0100


Prediction: COM and DCOM are where the major holes in Windows 2000 are going
to be found.

As an example on Windows 2000 Professional (Beta 3)
Run regsvr32 /n /i:U shell32.dll
This registers the shell32.dll - but also note it starts the MSInstaller
Service (msiexec.exe). regsvr32.exe loads msi.dll and msi.dll uses COM to
COCreate[an]Instance() of the MSIServer. regsvr32.exe speaks to the SCM
(svchost.exe), svchost.exe speaks to services.exe and services.exe
opens the HKCR\AppID\{000C101...} key and reads in the LocalService value of
MSIServer, navigates to the HKLM\CurrentControlSet\Services\MSIServer key
and starts the service's image file - msiexec.exe. By changing the
LocalService value to Spooler, running regsvr32 /n /i:U shell32.dll then
starts the Spooler service. Easy or what?

Problem 1) Power user has NTFS permissions by default to change spoolsv.exe
Problem 2) Power user has the Set Value permission for the
HKCR\AppID\{000C101...} registry key.

Problem 1 + Problem 2 = Power User to Administrator

I haven't tested this yet on Server but I'd imagine this would go for the
likes of Backup and Server Operators.
I've written (well I wrote 1/10th and the MFC wizard did the rest ;-) an MFC
app that will edit the registry (changing MSIServer to Spooler), call

COleDispatchDriver cdd;
cdd.CreateDispatch(_T("{000C101C-0000-0000-C000-000000000046}"));

which starts the spooler service. Copying cmd.exe over spoolsv.exe and
running the program drops you into a Command Prompt with system privileges.

Talking about copying cmd.exe over spoolsv.exe - the Protected Storage service
doesn't like it. It'll pop up a window and tell you to set it back. Humour
the pop up and click on OK - see spoolsv.exe? That's your cmd.exe disguised
as spoolsv.exe - right click on it and click on Open - winlogon.exe opens it
for you - not on your desktop. But who cares - just overwrite spoolsv.exe
with a program that'll do the dirty work for you.

If anyone wants a copy mail me.

Anyway - did I talk about the telnet service and COM? I did in another mail
so I won't reiterate here.

While we're at it: A few other things to be fixed before the Final Product
comes out:

Buffer overrun in regsvr32.exe
run regsvr32 /n /i:U AAAAAAAAAAlots of AAAAAAs
Wouldn't like to have that in an INF file.

Buffer overrun in wscript.exe

Should a non-power user be able to add another user account using the net
user command?

Clicking on Start -> Run
Explorer looks in the root of the drive for the exe or app for any command
run from here, e.g. C:\, before checking the %systemroot% or
%systemroot%\system32 directory. Not good for trojans.

Been too long a night - so g'nite
Cheers,
David Litchfield
http://www.arca.com
http://www.infowar.co.uk/mnemonix/

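The post's escalation rests on two ACL weaknesses combined: a low-privilege group can rewrite the AppID key's LocalService value, and the same group can overwrite the image file of the service that value names. The following PowerShell audit, added here as an example and not code from the original post or its author, checks both conditions on a current Windows host from the defender's side. It assumes PowerShell 5.1 or later, that the MSIServer AppID GUID quoted in the post is the key of interest (pass another GUID to Test-AppIdKeyAcl to inspect a different one), and that the list of low-privilege groups is a constructed starting point to adjust for the environment.

```powershell
# Added example (not from the original post): audit the two ACL conditions the post combines.
# Assumptions: Windows, PowerShell 5.1+, run as a user able to read the ACLs in question.

$AppIdGuid     = '{000C101C-0000-0000-C000-000000000046}'   # MSIServer AppID quoted in the post
$LowPrivGroups = @('Everyone', 'BUILTIN\Users', 'BUILTIN\Power Users',   # constructed list; tune per site
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a principal change the object rather than merely read it.
$RegWriteMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership, FullControl'
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, Delete, ChangePermissions, TakeOwnership, FullControl'

function Get-WeakAllowAces {
    # Returns the Allow ACEs that grant any bit of $WriteMask to one of the low-privilege groups.
    param($Rules, [int] $WriteMask)
    foreach ($rule in $Rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivGroups -notcontains $rule.IdentityReference.Value) { continue }
        $rights = if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) { [int]$rule.RegistryRights }
                  else { [int]$rule.FileSystemRights }
        if (($rights -band $WriteMask) -ne 0) { $rule }
    }
}

function Get-ServiceImagePath {
    # Extracts the image file from a Win32_Service.PathName, which may be quoted and carry arguments.
    param([string] $PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }      # quoted path
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }     # unquoted: up to the first .exe (assumed)
    return $PathName.Trim()
}

function Test-ServiceImageAcl {
    # Reports low-privilege groups that can modify or replace a service's image file.
    param([string] $ServiceName)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { return }
    $image = Get-ServiceImagePath $svc.PathName
    if (-not (Test-Path -LiteralPath $image)) { return }
    $aces = Get-WeakAllowAces -Rules (Get-Acl -LiteralPath $image).Access -WriteMask $FileWriteMask
    foreach ($ace in $aces) {
        [pscustomobject]@{ Service = $ServiceName; RunsAs = $svc.StartName; Object = $image;
                           Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
    }
}

function Test-AppIdKeyAcl {
    # Reports low-privilege groups that can change the AppID key (and so its LocalService value),
    # then checks the image file of whichever service that value currently names.
    param([string] $Guid = $AppIdGuid)
    $keyPath = "Registry::HKEY_CLASSES_ROOT\AppID\$Guid"
    if (-not (Test-Path -LiteralPath $keyPath)) { Write-Warning "AppID key $Guid not present"; return }
    $aces = Get-WeakAllowAces -Rules (Get-Acl -LiteralPath $keyPath).Access -WriteMask $RegWriteMask
    foreach ($ace in $aces) {
        [pscustomobject]@{ Service = $null; RunsAs = $null; Object = $keyPath;
                           Identity = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
    }
    $localService = (Get-Item -LiteralPath $keyPath).GetValue('LocalService')
    if ($localService) { Test-ServiceImageAcl -ServiceName $localService }
}

# The focused check from the post, followed by the general form of "Problem 1":
# every installed service whose image a low-privilege group could replace.
Test-AppIdKeyAcl | Format-Table -AutoSize
Get-CimInstance Win32_Service | ForEach-Object { Test-ServiceImageAcl -ServiceName $_.Name } | Format-Table -AutoSize
```

An empty result from both tables is the expected state on a correctly configured host. Any row whose RunsAs column is LocalSystem deserves immediate attention, since that is exactly the combination the post describes: a writable key or image file reached through a service that runs with system privileges. The same masks can be reused against other AppID keys that carry a LocalService value, which is how an administrator would sweep the rest of HKCR\AppID.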
