Penetration Testing mailing list archives

RE: priviledge escalation techniques

From: "John Cobb" <johnc () nobytes com>
Date: Mon, 17 Jan 2005 22:44:58 -0000

You could always do the classic 'at 12:00 /interactive cmd.exe' to gain your
self a command prompt with 'SYSTEM' privileges (well with win2k, havent
tested xp)

E.g.:

C:\>at 22:39 /interactive cmd.exe
Added a new job with job ID = 1

C:\>

In a new window...

C:\>whoami
SYSTEM

C:\>

Bing :)

(also works nice with cygwin ;) )

Regards

John Cobb


www.NoBytes.com
 
Web Design, Web Hosting, Hardware, Software, You Name it, if its to do with
IT we can sort it.
 

-----Original Message-----
From: jnf [mailto:lists () innocence-lost net] 
Sent: 17 January 2005 19:45
To: miguel.dilaj () pharma novartis com
Cc: pen-test () securityfocus com
Subject: Re: priviledge escalation techniques

and the guys at Micro$oft comit the cardinal mistake of not making IT 
check if SHIFT was pressed 5 times, but to include that in some other 
part of the OS (kernel? ;-)


And while I sit here eating lunch it occured to me how silly of a statement
that was- consider which is more of an acceptible risk-

scenario 1) sethc.exe is run as a normal user, or rather as the user logged
in- it does not run with any special capabilities, the keyboard driver or
whatever intercepts and detects shift pressed 5 times, or held for X
seconds- however IF someone managed to override your DAC's/file permissions
then they can overwrite the program, however if this occurs- the game is
already up because you had a more critical flaw some place else, and that is
really the way that you lost control.

scenario 2) sethc.exe is always running and monitoring keystrokes looking
for any sequence of keystrokes that it recognizes, in order to do this
either any user has to be able to 'sniff keystrokes', OR, it has to run with
special access allowing the window for abuse to grow bigger- in addition to
this the kernel has to take extra steps in order to pass every keystroke to
userspace, which is going to degrade performance. So here, the simple
program is now running with elevated status and becomes a huge potential for
abuse.

From a perspective of security, which is a better design? scenario 2 is

basically what you are suggesting. I love IT Security as well, but its not
nearly as humorous as It Security 'Professionals'


cheers,
jnf

Current thread:

priviledge escalation techniques Dan Rogers (Jan 17)
- Re: priviledge escalation techniques Chuck Herrin (Jan 17)
- <Possible follow-ups>
- Re: priviledge escalation techniques miguel . dilaj (Jan 17)
  - Re: priviledge escalation techniques lists (Jan 18)
  - Re: priviledge escalation techniques jnf (Jan 18)
    - RE: priviledge escalation techniques John Cobb (Jan 20)
- Re: priviledge escalation techniques miguel . dilaj (Jan 20)
  - Re: priviledge escalation techniques jnf (Jan 20)
- Re: priviledge escalation techniques miguel . dilaj (Jan 20)
- RE: priviledge escalation techniques Marc Maiffret (Jan 20)
- Re: priviledge escalation techniques BSK (Jan 20)
- RE: priviledge escalation techniques Dave Wells (Jan 20)
- RE: priviledge escalation techniques Michael Howard (Jan 20)
- Re: priviledge escalation techniques BSK (Jan 20)
- RE: priviledge escalation techniques Roy Stapleton (Jan 21)
  - RE: priviledge escalation techniques Eyal Udassin (Jan 22)

(Thread continues...)