Date: Wed, 17 May 2006 01:51:01 +0200
From: "Brian L. Walche" <gsw@...tlesecurity.com>
To: "David Litchfield" <davidl@...software.com>,
	bugtraq@...urityfocus.com
Subject: Re[2]: The Weakness of Windows Impersonation Model



Thanks for the reference, David. As the advisory notes, impersonation
implications are not something new. We would like to stress how easy
it is to exploit, with two notable examples:
- An attacker can reliably elevate a context running on behalf of the
Network Service account. For example, by default, IIS 6.0 runs the Worker
Process as Network Service. So an attacker who is able to upload an ASP
script can gain administrative privileges.
- The MS SQL service context is elevated up to LocalSystem regardless of
the account it runs under.

These are purely practical exploitations on Windows 2003 in the default
configuration, without additional prerequisites. We provide demo
tools exploiting these elevations as part of our product evaluation
procedure.

Additionally, we want to stress the obscurity of nearly all "official" manuals
that declare Network Service a non-privileged account; a quote:
"The new Network Service account ... has a greatly reduced
privilege level on the server itself and, therefore, does not have
local administrator privileges."

In fact, given the easiness of Network Service elevation and some
additional permissions, you may consider the Network Service account
an equivalent of LocalSystem.

Even if Vista addresses certain issues, how long do we have to wait
for the Windows 2003 successor, Vista Server..


Brian L. Walche,
Know the Fact - http://www.gentlesecurity.com/knowthefacts.html
GentleSecurity S.a.r.l.
www.gentlesecurity.com


> Hi Brian,
> I wrote a paper on this subject last year, "Snagging Security Tokens to
> Elevate Privileges"
> (http://www.databasesecurity.com/dbsec-briefs.htm) after
> Tim Mullen and I thrashed out a few details at Blackhat last year over a few
> White Russians. The paper discusses the problem in the context of database
> servers and examines the LogonUser() and AcceptSecurityContext() functions.
> I believe Longhorn/Vista will address many of the issues that currently affect
> impersonation.
> Cheers,
> David Litchfield
> http://www.databasesecurity.com/
> http://www.ngssoftware.com/
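The two elevation paths Brian describes both start from a service context that is allowed to impersonate its clients. The following audit script is an added example, not part of the original thread or of GentleSecurity's or NGSSoftware's tools: it lists the services a host runs under the Network Service and Local Service accounts and reports whether the token of the current process carries the privileges that make token snagging possible (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeDebugPrivilege). It assumes a current Windows host with PowerShell 5.1 or later, `whoami.exe` on the path and WMI access; the function names are the author's own.

```powershell
# Added example (not from the original post): audit which services run under
# Network Service / Local Service and whether the current token holds the
# privileges that a token-snagging elevation relies on.

function Get-ImpersonationServiceAccounts {
    # Win32_Service.StartName holds the logon account of each service, e.g.
    # "NT AUTHORITY\NetworkService" or "NT AUTHORITY\LocalService". The match is
    # case-insensitive and tolerates the spaced spelling "NETWORK SERVICE".
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($_.StartName -match 'Network ?Service$|Local ?Service$') } |
        Select-Object Name, StartName, State, PathName |
        Sort-Object StartName, Name
}

function Test-TokenSnaggingPrivileges {
    # whoami /priv lists the privileges of the current token; /fo csv gives
    # output with the columns "Privilege Name", "Description" and "State".
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    $wanted = @(
        'SeImpersonatePrivilege',        # impersonate a client after authentication
        'SeAssignPrimaryTokenPrivilege', # replace a process-level token
        'SeDebugPrivilege'               # open any process (e.g. to steal its token)
    )

    foreach ($name in $wanted) {
        $row = $privs | Where-Object { $_.'Privilege Name' -eq $name }
        [pscustomobject]@{
            Privilege = $name
            Held      = [bool]$row
            State     = if ($row) { $row.State } else { 'absent' }
        }
    }
}

# Usage: run inside the context you want to audit (for an IIS worker process,
# run it from a page executed by that application pool, or inspect the pool
# identity with the IIS tools instead).
Get-ImpersonationServiceAccounts | Format-Table -AutoSize
Test-TokenSnaggingPrivileges     | Format-Table -AutoSize
```

Holding SeImpersonatePrivilege is necessary but not sufficient: the process must still get a higher-privileged client (SYSTEM, or a domain administrator's session) to authenticate to it, which is what the LogonUser() and AcceptSecurityContext() paths in Litchfield's paper provide. A "Held = False" result for a worker process therefore closes this particular route, while "Held = True" means the account should be treated as the equivalent of LocalSystem for threat-modelling purposes, exactly as Brian argues.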



