Re: priviledge escalation techniques

[lists <lists () innocence-lost net>]

> 3) the one I've chosen, similar to (1) above. I've XP with the
> Accessibility Tools installed by default. They monitor some keys, and if
> for example you press SHIFT 5 times a popup appears where you can activate
> and configure the accessibility tools. The program responsible for that is
> sethc.exe, and the guys at Micro$oft comit the cardinal mistake of not
> making IT check if SHIFT was pressed 5 times, but to include that in some
> other part of the OS (kernel? ;-)
> So if you press SHIFT 5 times, sethc.exe is executed, but doesn't matter
> WHAT IS sethc.exe
> You guess that, I replaced sethc.exe by a copy of cmd.exe
> If I press that BEFORE login, a CLI as SYSTEM is started, I can launch
> compmgmt.msc and add myself to the local administrators group (please note
> that if you start it AFTER login, a CLI is started as your user).


How do you suppose one gets write access to sethc.exe without admin privs
in the first place? I cannot overwrite my sethc.exe, nor can I change the
system Path variables, and it gets prepended to my path before user
variables do- are you sure you didn't test this while logged in as an
admin?

jnf