Re: priviledge escalation techniques

["Nicolas RUFF (lists)" <ruff.lists () edelweb fr>]

> This begs the question, does the user have the privilege to stop and
> start services? And can the user change the contents of these
> environmental variables?

1/ Services are like any Windows object, they are protected by 
DACL/SACL. You can list user rights on services using many tools, such 
as the SC command from Windows Resource Kit:

C:\>sc sdshow alerter
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

[ This is SDDL language, have a look on Google or MSDN if you want to 
know more ]

There has been a thread recently on the subject of services ACL:
http://sainstitute.org/archive/1/378514/2004-10-13/2004-10-19/0

And yes, users have the right to start/stop “some” services. I cannot 
remember the full list right now, but it is around 10 services.


2/ Did someone mention that the default screen saver will run as SYSTEM 
when no one is logged on? This technique still requires "off line" 
access to the NTFS file system, though.


3/ I think the conclusion of this thread is that Windows is quite a 
secure OS; you need a "real" exploit to increase your user rights.

However there has always been many more local exploits than remote. 
Remember POSIX and OS/2 subsystems exploitation, Debugging Subsystem 
exploitation (DebPloit), 16-bit subsystem exploitation (NTVDM), 
predictable named pipes impersonation, and the quite new Shatter Attacks 
that hold endless possibilities...

My favorite is:
F1/Jump to URL.../CMD.EXE
targeting a window running under the SYSTEM context. It works well 
against antivirus, personal firewalls and the like.

http://lists.virus.org/bugtraq-0310/msg00230.html

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail: nicolas.ruff (at) edelweb.fr
-----------------------------------