Full Disclosure mailing list archives

Re: Question for the Windows pros


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 18 Jan 2006 14:01:18 -0600

On Wed, 2006-01-18 at 12:07 -0600, Paul Schmehl wrote:
> I understand *that*.  My question is, what are you granting them "su"
> *for*?  The entire kettle of fish?  Or specific tasks.  The privilege only
> allows you to impersonate a *client* (as in server-client), so (I would
> think) you can't do file browsing or http parsing (or can you?)

Right. Unless the user can find a way of running as a "logged on user"
or such. A user might be able to run an exploit script that takes
advantage of the ImpersonateClient and launches a cmd.exe locally. Think
of Attempted Privilege Execution rather than Attempted Privilege
Escalation since you already have the privilege escalated through this
right.... just need to find a way to put it to use. Remembering stunts
like using the scheduler to run cmd.exe interactively or as a
screensaver, getting to the point of doing something useful with that
right shouldn't be too hard.

What are you granting them su for? Perhaps for a mail migration utility
that runs as administrator, but assumes the security context of a user
to read email from his mailbox (yeah, admin can do that, this is just an
example). Or for running a script remotely against a user workstation
that sets certain things in the Registry in the user context (to gain
access to the Secure Storage or such).

> Unfortunately, in the context of my problem, the users must have this
> right.

What circumstance requires you to turn that right on, if you don't mind
me asking?

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

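The right discussed in this exchange is "Impersonate a client after authentication" (SeImpersonatePrivilege). As an added example that is not part of the thread, the script below audits a local policy export from `secedit /export /cfg <file>` and lists every principal holding that right beyond the default holders; the sample export, the migration service account name and the default-holder set are constructed assumptions for this example.

```python
# Added example: audit which principals hold SeImpersonatePrivilege in a
# policy export produced by `secedit /export /cfg <file>`.
# The sample export below is constructed; DEFAULT_HOLDERS is the assumed
# out-of-the-box holder set on a workstation or member server.
import re

# Well-known SIDs assumed to hold the right by default.
DEFAULT_HOLDERS = {
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-6",       # NT AUTHORITY\SERVICE
    "S-1-5-19",      # NT AUTHORITY\LOCAL SERVICE
    "S-1-5-20",      # NT AUTHORITY\NETWORK SERVICE
}

# Constructed sample of the [Privilege Rights] section of a secedit export.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-1000-2000-3000-1105,MigrationSvc
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section.
    Entries are '*SID' or plain account names; the leading '*' is stripped."""
    rights = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights

def non_default_impersonators(text, defaults=DEFAULT_HOLDERS):
    """Principals granted SeImpersonatePrivilege beyond the default set."""
    holders = parse_privilege_rights(text).get("SeImpersonatePrivilege", [])
    return [p for p in holders if p not in defaults]

if __name__ == "__main__":
    for p in non_default_impersonators(SAMPLE_EXPORT):
        print("non-default holder of SeImpersonatePrivilege:", p)
```

A real export is written as UTF-16; decode it with that encoding before passing the text to the parser.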

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
