[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [Full-disclosure] Privilege escalation on Windows using
From: Gary Slavin <GaryS () sec-1 ! com>
Date: 2011-09-27 8:25:07
Message-ID: D64535989EA2C84CB4D146A9A98C132B02EC126AA3F3 () exch ! sec-1 ! local
[Download RAW message or body]
the trick is to find one that is writable while logged in as a less priveleged user and then \
overwrite the executable. Anti virus executables are typically a good place to start :)
tasklist /fi "USERNAME eq NT AUTHORITY\SYSTEM”
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 236 K
smss.exe 704 Console 0 388 K
csrss.exe 752 Console 0 4,032 K
winlogon.exe 776 Console 0 2,904 K
services.exe 820 Console 0 4,612 K
lsass.exe 832 Console 0 1,724 K
ati2evxx.exe 980 Console 0 2,676 K
svchost.exe 1020 Console 0 5,948 K
svchost.exe 1200 Console 0 23,100 K
DLService.exe 1484 Console 0 7,856 K
spoolsv.exe 1848 Console 0 6,992 K
schedul2.exe 2028 Console 0 2,036 K
inetinfo.exe 228 Console 0 10,484 K
mnmsrvc.exe 364 Console 0 3,436 K
rundll32.exe 352 Console 0 3,168 K
SAVAdminService.exe 356 Console 0 2,548 K
ManagementAgentNT.exe 580 Console 0 4,624 K
ALsvc.exe 748 Console 0 944 K
RouterNT.exe 1004 Console 0 4,884 K
vsAOD.Exe 1868 Console 0 4,224 K
C:\Documents and Settings\pentest>
________________________________________
From: Steve Syfuhs [steve@syfuhs.net]
Sent: 26 September 2011 19:09
To: Madhur Ahuja; security-basics@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Privilege escalation on Windows using Binary Planting
Well yeah, if the system that's designed to protect you isn't functioning, then you aren't \
protected and all sorts of bad things can happen.
When services starts up, the root service executable looks through a registry key to find all \
the services that should be run. It then executes the value in the key relative to each service \
based on which account is specified. There is no signature checking or anything funky like \
that going on. If the path stored in the registry entry is a valid executable, it will get \
executed.
It is up to the installer to make sure that the service cannot be replaced. This is done by \
storing it in Program Files, or one of the other recommended locations, which only \
administrators can access by default. If the executable is stored in another location, it is \
still up to the installer to set up proper file permissions. Further, only an administrator \
should be able to start or stop the service.
All of this is up to the installer, and the service itself to handle.
If a service or installer deviates from the prescribed design set out by Microsoft, is it \
really Windows' fault that it happened? Not really. So, yes you could escalate privilege \
through this method, but really the failure is by the developer of the service, or by the \
developer of the installer.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Madhur \
Ahuja
Sent: Sunday, September 25, 2011 2:31 PM
To: security-basics@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Privilege escalation on Windows using Binary Planting
Imagine a situation where I have a Windows system with the restricted user access and want to \
get the Administrator access.
There are many services in Windows which run with SYSTEM account.
If there exists even one such service whose executable is not protected by Windows File \
Protection, isn't it possible to execute malicious code (such as gaining Administrator access) \
simply by replacing the service executable with malicious one and then restarting the service.
As a restricted user, what's stopping me to do this ?
Is there any integrity check performed by services.msc or service itself before executing with \
SYSTEM account ?
Madhur
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the \
importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it \
benefits your company and how your customers can tell if a site is secure. You will find out \
how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. \
Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing \
management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We \
look at how SSL works, how it benefits your company and how your customers can tell if a site \
is secure. You will find out how to test, purchase, install and use a thawte Digital \
Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to \
help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Sec-1 disclaimer
This e-mail and any attached files are confidential and may also be legally privileged. They \
are intended solely for the intended addressee. If you are not the addressee please e-mail it \
back to the sender and then immediately, permanently delete it. Do not read, print, \
re-transmit, store or act in reliance on it. This e-mail may be monitored by Sec-1 Ltd in \
accordance with current regulations. This footnote also confirms that this e-mail message has \
been swept for the presence of computer viruses currently known to Sec-1 Ltd. However, the \
recipient is responsible for virus-checking before opening this message and any attachment. \
Unless expressly stated to the contrary, any views expressed in this message are those of the \
individual sender and may not necessarily reflect the views of Sec-1 Ltd.
Registered Name: Sec-1 Ltd, Registration Number: 4138637, Registered in England & Wales, \
Registered Office Address: Unit 4, Spring Valley Park, Butler Way, Stanningley, Leeds, LS28 \
6EA.
#####################################################################################
Scanned by MailMarshal - M86 Security's comprehensive email content security solution.
For details on purchasing MailMarshal or alternative Mail Security products please
contact our Sales Team on 0113 257 8955 Option 1
#####################################################################################
[Attachment #3 (text/html)]
<html dir="ltr"><head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style title="owaParaStyle"><!--P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
--></style>
</head>
<body ocsi="x">
<p>the trick is to find one that is writable while logged in as a less priveleged user and then \
overwrite the executable. Anti virus executables are typically a good place to start :)<br> \
<br> tasklist /fi "USERNAME eq NT AUTHORITY\SYSTEM”<br>
Image Name \
PID Session Name Session# Mem Usage<br> \
========================= ====== ================ ======== ============<br> System Idle \
Process 0 \
Console \
0 28 K<br> \
System \
4 Console \
0 236 K<br> \
smss.exe \
704 Console \
0 388 K<br> \
csrss.exe \
752 Console \
0 4,032 K<br> \
winlogon.exe \
776 Console \
0 2,904 K<br> \
services.exe \
820 Console \
0 4,612 K<br> \
lsass.exe \
832 Console \
0 1,724 K<br> \
ati2evxx.exe \
980 Console \
0 2,676 K<br> \
svchost.exe \
1020 Console \
0 5,948 K<br> \
svchost.exe \
1200 Console \
0 23,100 K<br> \
DLService.exe \
1484 Console \
0 7,856 K<br> \
spoolsv.exe \
1848 Console \
0 6,992 K<br> \
schedul2.exe \
2028 Console \
0 2,036 K<br> \
inetinfo.exe \
228 Console \
0 10,484 K<br> \
mnmsrvc.exe \
364 Console \
0 3,436 K<br> \
rundll32.exe \
352 Console \
0 3,168 K<br> <strong><font \
color="#ff0000">SAVAdminService.exe 356 \
Console \
0 2,548 K</font></strong><strong><br> \
</strong>ManagementAgentNT.exe 580 \
Console \
0 4,624 K<br> \
ALsvc.exe \
748 Console \
0 944 K<br> \
RouterNT.exe \
1004 Console \
0 4,884 K<br> \
vsAOD.Exe \
1868 Console \
0 4,224 K<br> C:\Documents and Settings\pentest><br>
<br>
________________________________________<br>
From: Steve Syfuhs [steve@syfuhs.net]<br>
Sent: 26 September 2011 19:09<br>
To: Madhur Ahuja; security-basics@securityfocus.com; full-disclosure@lists.grok.org.uk<br>
Subject: RE: [Full-disclosure] Privilege escalation on Windows using \
Binary Planting<br> <br>
Well yeah, if the system that's designed to protect you isn't functioning, then you aren't \
protected and all sorts of bad things can happen.<br> <br>
When services starts up, the root service executable looks through a registry key to find all \
the services that should be run. It then executes the value in the key relative to each service \
based on which account is specified. There is no signature checking or anything funky \
like that going on. If the path stored in the registry entry is a valid executable, it will get \
executed.<br> <br>
It is up to the installer to make sure that the service cannot be replaced. This is done by \
storing it in Program Files, or one of the other recommended locations, which only \
administrators can access by default. If the executable is stored in another location, it is \
still up to the installer to set up proper file permissions. Further, only an administrator \
should be able to start or stop the service.<br> <br>
All of this is up to the installer, and the service itself to handle.<br>
<br>
If a service or installer deviates from the prescribed design set out by Microsoft, is it \
really Windows' fault that it happened? Not really. So, yes you could escalate privilege \
through this method, but really the failure is by the developer of the service, or by the \
developer of the installer.<br> <br>
-----Original Message-----<br>
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Madhur \
Ahuja<br>
Sent: Sunday, September 25, 2011 2:31 PM<br>
To: security-basics@securityfocus.com; full-disclosure@lists.grok.org.uk<br>
Subject: [Full-disclosure] Privilege escalation on Windows using Binary Planting<br>
<br>
Imagine a situation where I have a Windows system with the restricted user access and want to \
get the Administrator access.<br> <br>
There are many services in Windows which run with SYSTEM account.<br>
<br>
If there exists even one such service whose executable is not protected by Windows File \
Protection, isn't it possible to execute malicious code (such as gaining Administrator access) \
simply by replacing the service executable with malicious one and then restarting the \
service.<br> <br>
As a restricted user, what's stopping me to do this ?<br>
<br>
Is there any integrity check performed by services.msc or service itself before executing with \
SYSTEM account ?<br> <br>
Madhur<br>
<br>
_______________________________________________<br>
Full-Disclosure - We believe in it.<br>
Charter: http://lists.grok.org.uk/full-disclosure-charter.html<br>
Hosted and sponsored by Secunia - http://secunia.com/<br>
<br>
------------------------------------------------------------------------<br>
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the \
importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how \
it benefits your company and how your customers can tell if a site is secure. You will find \
out how to test, purchase, install and use a thawte Digital Certificate on your Apache web \
server. Throughout, best practices for set-up are highlighted to help you ensure efficient \
ongoing management of your encryption keys and digital certificates.<br> <br>
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1<br>
------------------------------------------------------------------------<br>
<br>
<br>
<br>
<br>
------------------------------------------------------------------------<br>
Securing Apache Web Server with thawte Digital Certificate<br>
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. \
We look at how SSL works, how it benefits your company and how your customers can tell if a \
site is secure. You will find out how to test, purchase, install and use a thawte Digital \
Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to \
help you ensure efficient ongoing management of your encryption keys and digital \
certificates.<br> <br>
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1<br>
------------------------------------------------------------------------</p>
<P style="MARGIN: 0cm 0cm 10pt" class=MsoNormal><FONT face=Arial>Sec-1
disclaimer<?xml:namespace prefix = o ns =
"urn:schemas-microsoft-com:office:office" /><o:p></o:p></FONT></P>
<P style="MARGIN: 0cm 0cm 10pt" class=MsoNormal><FONT face=Arial>This e-mail and
any attached files are confidential and may also be legally privileged. They are
intended solely for the intended addressee. If you are not the addressee please
e-mail it back to the sender and then immediately, permanently delete it. Do not
read, print, re-transmit, store or act in reliance on it. This e-mail may be
monitored by Sec-1 Ltd in accordance with current regulations. This footnote
also confirms that this e-mail message has been swept for the presence of
computer viruses currently known to Sec-1 Ltd. However, the recipient is
responsible for virus-checking before opening this message and any attachment.
Unless expressly stated to the contrary, any views expressed in this message are
those of the individual sender and may not necessarily reflect the views of
Sec-1 Ltd.<o:p></o:p></FONT></P>
<P style="MARGIN: 0cm 0cm 10pt" class=MsoNormal><o:p><FONT
face=Arial> </FONT></o:p></P>
<P style="MARGIN: 0cm 0cm 10pt" class=MsoNormal><FONT face=Arial>Registered
Name: Sec-1 Ltd, Registration Number: 4138637, Registered in England &
Wales, Registered Office Address: Unit 4, Spring Valley Park, Butler Way,
Stanningley, Leeds, LS28 6EA.<o:p></o:p></FONT></P>
<FONT face=Arial><FONT size=2>
<HR>
<FONT color=#808080><BR>Scanned by</FONT> <FONT
color=#4f1f91><STRONG>MailMarshal</STRONG></FONT> <FONT color=#808080>- M86
Security's comprehensive email content security solution. For details on
purchasing MailMarshal or alternative Mail Security products please contact our
Sales Team on 0113 257 8955 Option 1</FONT></FONT><BR><BR><FONT
color=#400080><STRONG></STRONG></FONT><FONT size=2>
<HR>
</FONT></FONT>
</body>
</html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1839015970==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic