Penetration Testing mailing list archives
Re: priviledge escalation techniques
From: jnf <lists () innocence-lost net>
Date: Wed, 19 Jan 2005 17:37:11 -0700 (MST)
> Hi again jnf!

Hello again Miguel

> a) It's perfectly possible for a process to run with high privileges, and drop the privileges when in the need to do something else. In fact it is not only possible, it's common practice, both in the *nix and Windows world.

Agreed, but if it's not needed, why do it? I think the kernel intercepting the keys and then kicking the program when necessary is a much better idea from a design standpoint, IMHO of course.

> I blame the fact that WHEN NO ONE IS LOGGED IN, the system is still monitoring the 5 SHIFT sequence, and runs sethc.exe as SYSTEM in that case (you can even launch explorer.exe and have the whole enchilada as SYSTEM). I'm not saying that I'm surprised, considering that the guys at M$ have thrown everything but the kitchen sink into system space...

Well, it makes sense though: consider that disabled people have to log in as well, and if they sit down they may not be sure what state the computer is in. However, a much better idea at this point is to have an equivalent of 'nobody' for it to run as. So in that respect I don't think having it intercept the keys before a login is made is bad; I will agree that doing so as SYSTEM is generally a bad idea. However, if we are to assume that the program is totally secure (hypothetically), then it really becomes a moot point, as you have to bypass other security mechanisms in order to take advantage of this. I imagine if you were to ask MS about this, you would probably get a simple answer (if you got one).

> b) It's perfectly possible to monitor keystrokes even without administrative privileges, thanks to the way Windows is built. Feel free to try the keylogging functionality of the Spanish tool VeoVeo (www.hackindex.org) as a normal user. If you don't understand Spanish, don't panic, I made a translation to English, available at http://usuarios.lycos.es/n3kr0m4nc3r/tools/ I know VeoVeo isn't perfect, but it shows the idea, and the source is available if you are not happy with it.

I will relent here because I am not really a Windows programmer, and know only the most basic of Windows programming (I did something with routes once). I would say this is bad design; however, my base point was working around the least-privilege idea, that the program didn't need to intercept all the keys. And yes, I speak Spanish, but no, I don't have any Windows machines. I will take your word on it and relent on the subject, as I didn't realize you did not need privileges past a regular user account.

> I hope you don't think that the above are also silly statements...

I was in an odd mood that day; take nothing I said personally.

> Cheers, Miguel Dilaj (Nekromancer, the humorous one)

jnf
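The exchange above turns on one fact: the Sticky Keys hotkey is armed on the logon desktop and the program it starts, sethc.exe, runs as SYSTEM there. The following PowerShell audit is an added example, not code from either poster or from VeoVeo. It checks three things a practitioner would want to know about that path on a modern Windows host: that the sethc.exe on disk is the genuine, Microsoft-signed accessibility binary, that no "Debugger" value has been registered for it under Image File Execution Options (which would make Windows start that program in its place), and whether the 5x SHIFT hotkey bit is set in the StickyKeys "Flags" value. The `-DisableHotkey` switch clears only that bit. It assumes Windows 10/11, an elevated shell for the remediation step, and that the logon desktop reads its accessibility settings from HKEY_USERS\.DEFAULT (an assumption; per-user settings live under HKCU). The function names are mine.

```powershell
# Added example (not from the thread): audit the accessibility binary that the
# logon desktop runs as SYSTEM, and the hotkey that launches it.
# Report-only by default; pass -DisableHotkey to clear the hotkey bit.
[CmdletBinding()]
param([switch]$DisableHotkey)

$sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'

# Assumption: the logon desktop (nobody logged in) reads HKU\.DEFAULT;
# an interactive user's own setting is under HKCU.
$hives = @(
    @{ Name = 'logon desktop'; Path = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Accessibility\StickyKeys' },
    @{ Name = 'current user';  Path = 'HKCU:\Control Panel\Accessibility\StickyKeys' }
)

# SKF_HOTKEYACTIVE: the bit in the REG_SZ "Flags" value that arms the 5x SHIFT hotkey.
$SKF_HOTKEYACTIVE = 0x4

function Test-SethcIntegrity {
    # Is the file on disk the Microsoft-signed sethc.exe (catalog signatures resolve too)?
    $sig = Get-AuthenticodeSignature -FilePath $sethc
    $ver = (Get-Item $sethc).VersionInfo
    [pscustomobject]@{
        Path             = $sethc
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        OriginalFilename = $ver.OriginalFilename
        Ok               = ($sig.Status -eq 'Valid' -and
                            $sig.SignerCertificate.Subject -like '*Microsoft Windows*' -and
                            $ver.OriginalFilename -ieq 'sethc.exe')
    }
}

function Test-SethcIfeo {
    # A "Debugger" value here makes Windows launch that program instead of sethc.exe.
    $dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    [pscustomobject]@{ IfeoDebugger = $dbg; Ok = [string]::IsNullOrEmpty($dbg) }
}

function Get-StickyKeysHotkey {
    # Missing key or value reads as 0, i.e. hotkey not armed in that scope.
    foreach ($h in $hives) {
        $flags = [int](Get-ItemProperty -Path $h.Path -Name Flags -ErrorAction SilentlyContinue).Flags
        [pscustomobject]@{
            Scope        = $h.Name
            Flags        = $flags
            HotkeyActive = [bool]($flags -band $SKF_HOTKEYACTIVE)
        }
    }
}

function Disable-StickyKeysHotkey {
    # Clear only the hotkey bit; leave the other accessibility flags as the user set them.
    foreach ($h in $hives) {
        if (-not (Test-Path $h.Path)) { New-Item -Path $h.Path -Force | Out-Null }
        $flags = [int](Get-ItemProperty -Path $h.Path -Name Flags -ErrorAction SilentlyContinue).Flags
        $new   = $flags -band (-bnot $SKF_HOTKEYACTIVE)
        Set-ItemProperty -Path $h.Path -Name Flags -Value ([string]$new)
        Write-Host ("{0}: Flags {1} -> {2}" -f $h.Name, $flags, $new)
    }
}

Test-SethcIntegrity  | Format-List
Test-SethcIfeo       | Format-List
Get-StickyKeysHotkey | Format-Table -AutoSize
if ($DisableHotkey) { Disable-StickyKeysHotkey }
```

Run it from an elevated PowerShell; the two `Ok` fields should both be `True` and `HotkeyActive` tells you whether the sequence Miguel describes is still live on the logon desktop. Clearing the bit removes the pre-logon trigger without touching the binary, which matches jnf's point that the problem is the privilege the program runs with, not the accessibility feature itself.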