Re: Windows Elevation of privileges

["Blake Watts" <bwatts () securityinternals com>]

There are many well-known methods of privilege escalation on Windows
NT/2000/XP.  Several, like buffer overflows, are generic and non-Windows
specific.

An example of one specific to Windows is a technique I discovered in 2000,
known as named pipe instance creation race conditions.  Basically, if a
privileged process, like the Service Control Manager, attempts to connect
to a pipe that an attacker can guess and be the first to create it, then
the attacker can impersonate the client (using ImpersonateNamedPipeClient)
to elevate his privileges.

I intend to release a paper documenting the discovery and alleviation of these
sometime within the next few weeks.

Here are some resources for the interim:

http://www.guardent.com/A0108022000.html
http://online.securityfocus.com/archive/1/74523
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bull
etin/MS00-053.asp
http://www.microsoft.com/technet/security/bulletin/MS01-031.asp

Another interesting privilege escalation bug was discovered by Todd Sabin:
http://razor.bindview.com/publish/advisories/LPCAdvisory.html

Regards,
Blake Watts
http://www.securityinternals.com

----- Original Message -----
From: "Sebastian Muñiz" <smuniz () elinpar com>
To: <vuln-dev () securityfocus com>
Sent: Tuesday, March 12, 2002 11:35 AM
Subject: Windows Elevation of privileges


Does anyone know where can i find some papers about Elevation of privileges
on Windows (NT/2000) or source code of actual exploits of the kind (like
sechole) ??
Thanks!!!!

Sebastian Muñiz

Elinpar S.A..- Ingenieria / Serv. Profesionales