Re: Windows 2000 Runas weirdness

[flume () acm org]

I've noticed that when I try this, there doesn't seem to be any disruption
or problem with the RunAs service (as viewed in the System Information
tool).  I'm no windows expert, but can this be taken to imply the problem
is in the non-privileged RunAs.exe program and not the service?  And, it
would follow, not an immediate concern for escalation of privileges?

-- keith
'shut up!  ain't gonna be no crumpets and tea!'

On Tue, 18 Dec 2001, ian wrote:

> but the RunAs service runs as LocalSystem....
>
> which actually it has to do in order to assign a new token
> to the process it's launching for you (CreateProcessAsUser
> requires SE_TCB_PRIVILEGE)
>
> although you say it's the .exe crashing and not the service...
> interesting
> to try it and see if the service is affected also.. (it runs in
> services.exe apparently)
>
> ian
>
>
> jesperht () hotmail com wrote:
>
> > Hiyas,
> > Here is an interesting bug I found with the
> > Win2k "runas" command.  Could be exploitable, but I
> > dont think that it would do much good
> > as the error that comes up when you issue the
> > command refers to "runas.exe" in the title bar.
> >
> > Heres what happens:
> >
> > C:\>runas /user:administrator
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAA
> > Enter password for administrator:(can be any
> > password, doesnt have to be the right one...)
> > Attempting to
> > start "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > A" a
> > s user "administrator"...
> >
> > I then gives a "The instruction at "0x77fcbcd2"
> > referenced memory at "0x00000100". The memory
> > could not be "written"." error.
> >
> > Let me know what you guys think/find out, im
> > curious :-).
> >
> > -Scarabus
> > jesperht () hotmail com