Vulnerability Development mailing list archives

Re: The problem with NT services ...


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Fri, 19 Jan 2001 21:25:56 +0300

Dear Balamurugan Koodalingam,

There is an even cooler attack:

1. Install a second copy of Windows NT.
2. Type "password" when prompted for the Administrator account's password.
3. Ooops! You did it again! Now you've hacked NT and you know the
administrator's password.

To be serious: at http://www.microsoft.com/technet/security/tools.asp
you can find different recommendations on how to set up file
permissions for a Windows NT installation, including ones for the
C2-evaluated configuration. If you follow this configuration, nobody
will be able to rename any of your system files.

There are also different sources where you can learn about setting up
auditing on sensitive system files.

BTW: the proposed C2 configuration isn't the most restrictive one. You
can use more restrictive file permissions which will not allow users to
see the contents of, or access, other users' files in the TEMP folder,
or to execute programs from TEMP, profiles and their home folders. A
smart user can bypass some of these restrictions, but it's good against
some viruses and trojans.

/3APA3A


19.01.2001 18:49, you wrote: The problem with NT services ...;

B> Hi!

B> One significant problem in using a Windows NT service
B> application is that the executable file of the service
B> application could be replaced with some other
B> executable - of course another service application, in
B> which one can do whatever he wants.

B> I know very well that it is nothing new, but just in
B> case you wonder ...

B> For example, I can write a service application, say
B> KewlBabe.exe, that will add a user to the Administrators
B> group and then stop or do whatever.

B> Now, if I (logged in as an ordinary user) do the
B> following steps, as you may know, I can break in ...

B> 1. Rename an automatic service like spoolss.exe (Note:
B> on some machines I heard that it is not possible to
B> rename spoolss.exe. However, antivirus auto-protection
B> services' and many other products' automatic service
B> executables can always be renamed, I bet).
B> 2. Rename my service KewlBabe.exe to spoolss.exe.
B> 3. Restart the system.
B> 4. Restore the executable names.

B> Cool?

B> I can do whatever in my service.

B> I have used this method, in our office, to recover
B> forgotten or unavailable Admin passwords, a couple of
B> times. Yesterday, I was thinking of how to prevent
B> this ...

B> Restricting folder permissions while installing the
B> product will not help if it is installed on a FAT
B> partition, right?

B> There could be many other ways, but what came to mind
B> was ... just opening the service application's
B> executable file in exclusive mode as part of the
B> service initialisation process. And finally, as part of
B> cleanup, close that file handle. That's it.

B> In this case I am not able to rename an automatic
B> service application's executable file.

B> But I am not sure of the downside of this method. Is
B> there any other better way?

B> Sincerely,
B> Bala.

B> Balamurugan Koodalingam,
B> HCL Technologies Ltd.


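
The two defensive points raised in this thread (the original post's worry that folder permissions mean nothing on a FAT partition, and the reply's advice to lock down file permissions so service binaries cannot be renamed) can be checked on a running system. The script below is an added example written for this archive page; it is not code from either poster, and it uses modern PowerShell and WMI/CIM classes rather than NT 4 era tooling. It walks every service in Win32_Service, extracts the image path, flags images on non-NTFS volumes, and reports any Allow ACE on the image file or its parent directory that lets a broad principal (Everyone, Authenticated Users, Users, Guests, INTERACTIVE, ANONYMOUS LOGON) write, delete or rename. The list of "broad" SIDs and the set of rights treated as dangerous are the example's own audit policy, not something the thread specifies.

```powershell
# Added example, not part of the thread: audit each Windows service image
# and its parent directory for write/rename access by low-privilege
# principals, and flag images on non-NTFS volumes (no file ACLs at all).
# Requires Windows PowerShell 3+ or PowerShell 7; run elevated for full
# coverage, since Get-Acl on some system paths needs administrator rights.

$ErrorActionPreference = 'Stop'

# Well-known SIDs of "everybody-ish" principals (audit policy chosen here).
$broadSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-32-546',   # BUILTIN\Guests
    'S-1-5-4',        # INTERACTIVE
    'S-1-5-7'         # ANONYMOUS LOGON
)

function Get-ServiceImagePath {
    # Extract the executable from a Win32_Service.PathName value such as
    # '"C:\Program Files\Vendor\svc.exe" -run' or 'C:\WINNT\system32\spoolsv.exe'.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: take text up to the first space. An unquoted path that itself
    # contains spaces is truncated here and surfaces as "image not found".
    return ($p -split ' ')[0]
}

function Test-RuleGrantsWrite {
    # True when an Allow ACE carries a right that permits overwriting,
    # deleting or renaming (rename needs Delete on the file, or
    # DeleteSubdirectoriesAndFiles on its parent directory).
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    if ($Rule.AccessControlType -ne 'Allow') { return $false }
    $mask = [int]$Rule.FileSystemRights
    # ACEs written with GENERIC_* bits show up as raw values, not enum names.
    if (($mask -band 0x10000000) -or ($mask -band 0x40000000)) { return $true }  # GENERIC_ALL / GENERIC_WRITE
    $dangerous = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    return (($mask -band [int]$dangerous) -ne 0)
}

function Get-VolumeFileSystem {
    # Return the file system name (NTFS, FAT32, ...) of the volume holding $Path,
    # or $null for UNC paths and anything Win32_LogicalDisk does not know.
    param([string]$Path)
    $root = [System.IO.Path]::GetPathRoot($Path)           # e.g. "C:\"
    if (-not $root -or $root.Length -lt 2) { return $null }
    $id = $root.Substring(0, 2)                             # "C:"
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$id'"
    if ($disk) { return $disk.FileSystem } else { return $null }
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $image = Get-ServiceImagePath $svc.PathName
    if (-not $image) { continue }
    $image = [Environment]::ExpandEnvironmentVariables($image)

    if (-not (Test-Path -LiteralPath $image)) {
        [pscustomobject]@{ Service = $svc.Name; Issue = 'image not found'; Detail = $image }
        continue
    }

    # Point 1 from the thread: on FAT there are no ACLs to restrict anybody.
    $fs = Get-VolumeFileSystem $image
    if ($fs -and $fs -notmatch '^(NTFS|ReFS)') {
        [pscustomobject]@{ Service = $svc.Name; Issue = "non-NTFS volume ($fs): no file permissions"; Detail = $image }
    }

    # Point 2: check the image and its directory for write/rename by broad SIDs.
    foreach ($target in @($image, (Split-Path -LiteralPath $image -Parent))) {
        try { $acl = Get-Acl -LiteralPath $target } catch { continue }
        foreach ($rule in $acl.Access) {
            if (-not (Test-RuleGrantsWrite $rule)) { continue }
            try {
                $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($broadSids -contains $sid) {
                [pscustomobject]@{
                    Service = $svc.Name
                    Issue   = "$($rule.IdentityReference) may write/rename ($($rule.FileSystemRights))"
                    Detail  = $target
                }
            }
        }
    }
}

$findings | Sort-Object Service, Detail | Format-Table -AutoSize
```

Each finding names the service, the path that is at risk and why. A directory hit matters as much as a file hit: with add-file and delete-child rights on the folder, a user can swap the binary without ever touching the original file's own ACL. Any "image not found" row for an unquoted path with spaces is a parsing artefact of this script rather than a missing service binary, and should be checked by hand.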
