Penetration Testing mailing list archives
Re: priviledge escalation techniques
From: "Nicolas RUFF (lists)" <ruff.lists () edelweb fr>
Date: Thu, 27 Jan 2005 08:47:17 +0100
> This begs the question, does the user have the privilege to stop and > start services? And can the user change the contents of these > environmental variables?1/ Services are like any Windows object, they are protected by DACL/SACL. You can list user rights on services using many tools, such as the SC command from Windows Resource Kit:
C:\>sc sdshow alerter D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR RC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)[ This is SDDL language, have a look on Google or MSDN if you want to know more ]
There has been a thread recently on the subject of services ACL: http://sainstitute.org/archive/1/378514/2004-10-13/2004-10-19/0And yes, users have the right to start/stop “some” services. I cannot remember the full list right now, but it is around 10 services.
2/ Did someone mention that the default screen saver will run as SYSTEM when no one is logged on? This technique still requires "off line" access to the NTFS file system, though.
3/ I think the conclusion of this thread is that Windows is quite a secure OS; you need a "real" exploit to increase your user rights.
However there has always been many more local exploits than remote. Remember POSIX and OS/2 subsystems exploitation, Debugging Subsystem exploitation (DebPloit), 16-bit subsystem exploitation (NTVDM), predictable named pipes impersonation, and the quite new Shatter Attacks that hold endless possibilities...
My favorite is: F1/Jump to URL.../CMD.EXEtargeting a window running under the SYSTEM context. It works well against antivirus, personal firewalls and the like.
http://lists.virus.org/bugtraq-0310/msg00230.html Regards, - Nicolas RUFF ----------------------------------- Security Consultant EdelWeb (http://www.edelweb.fr/) Mail: nicolas.ruff (at) edelweb.fr -----------------------------------
Current thread:
- RE: priviledge escalation techniques, (continued)
- RE: priviledge escalation techniques Michael Howard (Jan 20)
- Re: priviledge escalation techniques BSK (Jan 20)
- RE: priviledge escalation techniques Roy Stapleton (Jan 21)
- RE: priviledge escalation techniques Eyal Udassin (Jan 22)
- Re: priviledge escalation techniques Pieter Danhieux (Jan 23)
- Re: priviledge escalation techniques Thor (Jan 23)
- RE: priviledge escalation techniques Eyal Udassin (Jan 23)
- Re: priviledge escalation techniques Thor (Jan 23)
- RE: priviledge escalation techniques Eyal Udassin (Jan 22)
- RE: priviledge escalation techniques BSK (Jan 24)
- Re: priviledge escalation techniques Nicolas RUFF (lists) (Jan 27)