Vulnerability Development mailing list archives
Re: The problem with NT services ...
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Fri, 19 Jan 2001 21:25:56 +0300
Dear Balamurugan Koodalingam,

There is a cooler attack:

1. Install a second copy of Windows NT.
2. Type "password" when prompted for the Administrator account's password.
3. Ooops! You did it again! Now you've hacked NT and you know the administrator's password.

To be serious: on http://www.microsoft.com/technet/security/tools.asp you can find different recommendations on how to set up file permissions for a Windows NT installation, including ones for the C2-evaluated configuration. If you follow this configuration nobody will be able to rename any of your system files. There are also different sources where you can learn about setting up auditing on sensitive system files.

BTW: the proposed C2 configuration isn't the most restrictive one. You can use more restrictive file permissions which will not allow users to see the contents of, or access, other users' files in the TEMP folder, or to execute programs from TEMP, profiles and their home folders. A smart user can bypass some of these restrictions, but it's good against some viruses and trojans.

/3APA3A

19.01.2001 18:49, you wrote:

The problem with NT services ...

B> Hi!
B>
B> One significant problem in using a Windows NT service
B> application is that the executable file of the service
B> application could be replaced with some other
B> executable - of course another service application, in
B> which one can do whatever he wants.
B>
B> I know very well that it is nothing new, but just in
B> case you wonder ...
B>
B> For example, I can write a service application, say
B> KewlBabe.exe, that will add a user to the Administrators
B> group and then stop or do whatever.
B>
B> Now, if I (logged in as an ordinary user) do the
B> following steps, as you may know, I can break in ...
B>
B> 1. Rename an automatic service like spoolss.exe (Note:
B> on some machines I heard that it is not possible to
B> rename spoolss.exe. However, antivirus auto-protect
B> services and many other products' automatic service
B> executables can always be renamed, I bet).
B> 2. Rename my service KewlBabe.exe to spoolss.exe.
B> 3. Restart the system.
B> 4. Restore the executable names.
B>
B> Cool?
B>
B> I can do whatever I want in my service.
B>
B> I have used this method, in our office, to recover
B> forgotten or unavailable Admin passwords a
B> couple of times. Yesterday, I was thinking of how to
B> prevent this ...
B>
B> Restricting folder permissions while installing the
B> product will not help if it is installed on a FAT
B> partition, right?
B>
B> There could be many other ways, but what came to mind
B> was ... just opening the service application's
B> executable file in exclusive mode as part of the
B> service initialising process, and finally, as part of
B> clean up, closing that file handle. That's it.
B> In this case I am not able to rename an automatic
B> service application's executable file.
B>
B> But I am not sure of the downside of this method. Is
B> there any better way?
B>
B> Sincerely,
B> Bala.
B>
B> Balamurugan Koodalingam,
B> HCL Technologies Ltd.
B>
B> __________________________________________________
B> Do You Yahoo!?
B> Get email at your own domain with Yahoo! Mail.
B> http://personal.mail.yahoo.com/
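The check a practitioner would want after reading this exchange is an inventory of which service binaries on a host are actually exposed to the rename trick: either they sit on a FAT volume (no ACLs at all, the case Bala raises) or a low-privileged principal holds write/delete rights on the binary or its folder (the case 3APA3A's file-permission advice addresses). The following PowerShell script is an added example written for this page; it is not code from either poster. It assumes an elevated PowerShell session on a current Windows host, the CIM cmdlets, and the English names of the built-in principals listed in `$weakPrincipals`; the function and variable names are the example's own.

```powershell
# Added example, not part of the original thread.
# Enumerate NT services and report binaries that a non-administrator could
# rename or replace: the volume has no ACLs (FAT/FAT32), or a low-privileged
# principal holds write/delete rights on the binary or on its directory.
# Assumptions: run from an elevated PowerShell; English built-in principal names.

$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user overwrite, delete or rename a file, or delete/rename
# entries in a directory. Rename needs DELETE on the file (or
# DeleteSubdirectoriesAndFiles on the parent) plus WriteData on the parent to
# create the new name. Write, Modify and FullControl all include some of these.
$dangerousRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted form:   "C:\Program Files\Vendor\svc.exe" -arg
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\WINDOWS\system32\spoolsv.exe -k arg
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-WeakAccess {
    param([string]$Target)
    $findings = @()
    foreach ($rule in (Get-Acl -LiteralPath $Target).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band [int]$dangerousRights) -eq 0) { continue }
        $findings += "$($rule.IdentityReference.Value) has '$($rule.FileSystemRights)' on $Target"
    }
    # Unary comma keeps an empty array from collapsing to $null on return.
    return ,$findings
}

function Find-ReplaceableServiceBinaries {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

        $findings = @()
        $drive = Split-Path -Path $exe -Qualifier                      # e.g. "C:"
        $disk  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
        if ($disk -and $disk.FileSystem -notin @('NTFS', 'ReFS')) {
            $findings += "volume $drive is $($disk.FileSystem): no file permissions at all"
        }
        $findings += Test-WeakAccess -Target $exe
        $findings += Test-WeakAccess -Target (Split-Path -LiteralPath $exe -Parent)

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode      # "Auto" services are the ones the attack restarts into
                RunsAs    = $svc.StartName      # LocalSystem means a replaced binary runs as SYSTEM
                Binary    = $exe
                Findings  = ($findings -join '; ')
            }
        }
    }
}

Find-ReplaceableServiceBinaries | Format-List
```

Both the binary and its parent directory are checked because a rename can be granted by either ACL. Note the mechanics behind the thread's two mitigations: while a service is running, its image section already prevents the file from being overwritten or deleted, but not from being renamed, which is exactly why the attack renames rather than overwrites; opening the executable with no FILE_SHARE_DELETE sharing, as Bala proposes, does block the rename, but only while that handle is held, so a stopped service or an early boot window is still exposed, and only correct ACLs (or an NTFS volume in the first place) close the hole.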
Current thread:
- The problem with NT services ... Balamurugan Koodalingam (Jan 19)
- Re: The problem with NT services ... 3APA3A (Jan 21)
- Re: The problem with NT services ... Maxime Rousseau (Jan 21)
- Re: The problem with NT services ... Pavel Kankovsky (Jan 22)