From: mandreko at ori.net (Matt Andreko)
Subject: MS Windows Screensaver Privilege Escalation
I agree that you should restrict the access physically, however if you
can replace that screensaver file, and Windows XP will execute it as the
system user, is this not a flaw as the original poster intended?
You had stated that replacing the screensaver took special privileges,
however I was showing a way to get around those means. Sure, if I had
physical access to the machine I could do a lot worse, but personally I
feel it's a blended problem. It does need to be restricted physically,
however I don't think Microsoft should be running screensavers which can
easily be replaced as System.
3APA3A wrote:
> Dear Matt Andreko,
>
> The ability to boot a machine from a bootable CD is not a problem of Windows
> security, it's more a problem of physical security. To reliably prevent your
> machine from booting from a bootable CD you can use certified
> BIOS versions (HP and IBM have a few), special marks and devices like
> Dallas Lock, Secret Net, etc.
>
> --Friday, November 26, 2004, 6:42:34 PM, you wrote to 3APA3A@...URITY.NNOV.RU:
>
> MA> Perhaps this is just an amateurish question, but what if I booted off of
> MA> a knoppix cd and replaced the current screensaver with my "specially
> MA> crafted" screensaver? Or using the bootdisk at
> MA> http://home.eunet.no/~pnordahl/ntpasswd/ to edit the registry value?
>
> MA> I know you may think that this is useless, since if you boot off the cd
> MA> or disk, you already have better access to the machine, however doing
> MA> this method gets you admin access WITHOUT changing the password, correct?
>
> MA> Again, perhaps I'm misunderstanding, but wouldn't this work, and still
> MA> show that the vulnerability in the screensaver code is valid, and needs
> MA> to be updated? It could allow someone to get local admin access to the
> MA> machine without changing the password.
>
> MA> 3APA3A wrote:
>
>>>Dear Matthew Walker,
>>>
>>>Permissions for HKEY_USERS\Control Panel\Desktop allow modification only to
>>>members of Administrators and System.
>>>
>>>Power Users can install software, so they can replace any file in the
>>>SYSTEM32 directory, including the screensaver. It allows one to trojan any
>>>system file (for example, one can replace winspool.exe with cmd.exe to
>>>obtain SYSTEM permissions). It's by design and it's documented. Just
>>>never assign users to the Power Users group, as Microsoft recommends. I
>>>see no security vulnerability here.
>>>
>>>--Wednesday, November 24, 2004, 8:36:14 PM, you wrote to
>>>full-disclosure@...ts.netsys.com:
>>>
>>>MW> To Whom it May Concern;
>>>MW> The Original Post is http://www.securityfocus.com/bid/11711
>>>
>>>MW> On Windows XP, all releases, when you replace or change the
>>>MW> screensaver displayed on the login screen with a specially crafted
>>>MW> version designed to execute programs, those programs are launched
>>>MW> under the SYSTEM SID, i.e. they are automatically given the highest
>>>MW> access level available to Windows. This level is not accessible even
>>>MW> to administrators.
>>>
>>>MW> This flaw is important because while one would need Power User
>>>MW> privileges or above to change the Login Screensaver, by default, any
>>>MW> user with the exception of guest can replace the login screensaver
>>>MW> file with a modified version. In theory, any determined user could
>>>MW> execute ANYTHING with SYSTEM privileges. A similar flaw exists in
>>>MW> Win2K, but Microsoft has ignored it.
>>>
>>>MW> Sincerely;
>>>MW> Matt Walker
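A defender-side audit of the two things argued over in this thread, who can replace the logon screensaver file and who can change the registry value that points at it, as an added PowerShell example that is not code from any of the posters. It assumes the value is SCRNSAVE.EXE under HKEY_USERS\.DEFAULT\Control Panel\Desktop (the key the thread calls HKEY_USERS\Control Panel\Desktop) and that Windows falls back to %SystemRoot%\System32\logon.scr when the value is absent.

```powershell
# Added audit script for the issue discussed in this thread; not code from any of the posters.
# Assumptions: the logon-screen screensaver path is the SCRNSAVE.EXE value under
# HKEY_USERS\.DEFAULT\Control Panel\Desktop, and the default is %SystemRoot%\System32\logon.scr.
$DesktopKey = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
$Trusted    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that let a principal replace the file or re-point the value. The two generic bits
# (GENERIC_WRITE, GENERIC_ALL) catch ACEs written with generic rather than specific rights.
$GenericMask   = 0x40000000 -bor 0x10000000
$FileWriteMask = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership') -bor $GenericMask
$KeyWriteMask  = ([int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership') -bor $GenericMask

function Get-LogonScreensaverPath {
    $v = (Get-ItemProperty -Path $DesktopKey -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
    if (-not $v) { $v = '%SystemRoot%\System32\logon.scr' }   # assumed default when the value is unset
    [Environment]::ExpandEnvironmentVariables($v)
}

# Returns the Allow ACEs (inherited ones included) that grant write-class rights
# to any principal outside $Trusted. $RightsProperty is 'FileSystemRights' for
# files and 'RegistryRights' for keys.
function Get-UntrustedWriteAces([string]$Path, [string]$RightsProperty, [int]$WriteMask) {
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.$RightsProperty -band $WriteMask) -ne 0) { $ace }
    }
}

$scr = Get-LogonScreensaverPath
"Logon screensaver: $scr"

# The file Windows will run as SYSTEM should still be a signed Microsoft binary.
$sig = Get-AuthenticodeSignature -FilePath $scr
"Authenticode: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"

$fileFindings = @(Get-UntrustedWriteAces -Path $scr -RightsProperty 'FileSystemRights' -WriteMask $FileWriteMask)
$keyFindings  = @(Get-UntrustedWriteAces -Path $DesktopKey -RightsProperty 'RegistryRights' -WriteMask $KeyWriteMask)
foreach ($f in $fileFindings) { "WARNING: $($f.IdentityReference) can modify $scr ($($f.FileSystemRights))" }
foreach ($f in $keyFindings)  { "WARNING: $($f.IdentityReference) can re-point SCRNSAVE.EXE ($($f.RegistryRights))" }
if ($fileFindings.Count -eq 0 -and $keyFindings.Count -eq 0) {
    "OK: only trusted principals can replace or re-point the logon screensaver"
}
```

A Power Users entry in either warning list is exactly the condition the thread describes, so the script is useful as a scheduled check rather than a one-off.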