Full Disclosure mailing list archives
Re: Question for the Windows pros
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 19 Jan 2006 10:23:38 -0600
--On Thursday, January 19, 2006 08:20:37 +0100 Bernhard Mueller <research () sec-consult com> wrote:
When you say "manages to make a process with admin rights connect", you are referring to the Local Administrator account on the machine in question, correct?Hello, The ImpersonateClient API does not require that credentials are embedded into the program. A call to ImpersonateClient allow a server to "impersonate" the client when it receives a local connection, e.g. via a named pipe. It is mostly used by servers to DROP their privileges to that of the connecting user if they are running with administrative privileges. A security issue with ImpersonateClient arises if there's no error checking on the ImpersonateClient call and the process runs without realizing that it is still SYSTEM. Another issue would be an unprivileged client with the ImpersonateClient privilege, if an attacker manages to make a process with admin rights connect to that client. This is why normal users do not have this right by default.
So far, from what I understand, granting this privilege to a User means that *if* a process with higher privileges can connect to the computer in question, the User's privileges will be elevated through impersonation. If this is the case, then the security risk is minimal, I would think.
I would welcome suggestions regarding scenarios where this could be used to exploit a box. ISTM if the connecting process already has the admin rights, elevating the User's rights through impersonation merely elevates the User to the same level of privilege that the process already has.
Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/ir/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Question for the Windows pros, (continued)
- Re: Question for the Windows pros Frank Knobbe (Jan 18)
- Re: Question for the Windows pros Paul Schmehl (Jan 18)
- Re: Question for the Windows pros Yvan Boily (Jan 18)
- Re: Question for the Windows pros Paul Schmehl (Jan 18)
- Re: Question for the Windows pros Dave Korn (Jan 19)
- Re: Question for the Windows pros Frank Knobbe (Jan 18)
- Re: Question for the Windows pros Paul Schmehl (Jan 18)
- Re: Question for the Windows pros Frank Knobbe (Jan 18)
- Re: Question for the Windows pros Paul Schmehl (Jan 18)
- Re: Question for the Windows pros Bernhard Mueller (Jan 18)
- Re: Question for the Windows pros Paul Schmehl (Jan 19)
- Re: Question for the Windows pros Dave Korn (Jan 19)
- Re: Question for the Windows pros Dave Korn (Jan 19)
- Re: Re: Question for the Windows pros Paul Schmehl (Jan 19)
- Re: Re: Question for the Windows pros Nicolas RUFF (Jan 23)
- Re: Question for the Windows pros Jerome Athias (Jan 19)
- Re: Question for the Windows pros Paul Schmehl (Jan 19)
- Re: Question for the Windows pros Paul Schmehl (Jan 19)