lists.openwall.net - Open Source and information security mailing list archives
From: mandreko at ori.net (Matt Andreko)
Subject: MS Windows Screensaver Privilege Escalation

I agree that you should restrict the access physically; however, if you 
can replace that screensaver file, and Windows XP will execute it as the 
system user, is this not a flaw as the original poster intended?

You had stated that replacing the screensaver took special privileges, 
however I was showing a way to get around those means.  Sure, if I had 
physical access to the machine I could do a lot worse, but personally I 
feel it's a blended problem.  It does need to be restricted physically, 
however I don't think Microsoft should be running screensavers which can 
easily be replaced as System.

3APA3A wrote:

> Dear Matt Andreko,
> 
> Ability to boot a machine from a bootable CD is not a problem of Windows
> security, it's more a problem of physical security. To prevent your
> machine from booting from a bootable CD reliably you can use certified
> BIOS versions (HP and IBM have a few), special marks and devices like
> Dallas Lock, Secret Net, etc.
> 
> --Friday, November 26, 2004, 6:42:34 PM, you wrote to 3APA3A@...URITY.NNOV.RU:
> 
> MA> Perhaps this is just an amateurish question, but what if I booted off of
> MA> a knoppix cd and replaced the current screensaver with my "specially
> MA> crafted" screensaver?  Or using the bootdisk at 
> MA> http://home.eunet.no/~pnordahl/ntpasswd/ to edit the registry value?
> 
> MA> I know you may think that this is useless, since if you boot off the cd
> MA> or disk, you already have better access to the machine, however doing
> MA> this method gets you admin access WITHOUT changing the password, correct?
> 
> MA> Again, perhaps I'm misunderstanding, but wouldn't this work, and still
> MA> show that the vulnerability in the screensaver code is valid, and needs
> MA> to be updated?  It could allow someone to get local admin access to the
> MA> machine without changing the password.
> 
> MA> 3APA3A wrote:
> 
> 
>>>Dear Matthew Walker,
>>>
>>>Permissions for HKEY_USERS\Control Panel\Desktop allow modification to
>>>only members of Administrators and System.
>>>
>>>Power Users can install software, so they can replace any file in the
>>>SYSTEM32 directory, including the screensaver. It allows one to trojan any
>>>system file (for example, one can replace winspool.exe with cmd.exe to
>>>obtain SYSTEM permissions). It's by design and it's documented. Just
>>>never assign users to the Power Users group, as Microsoft recommends. I
>>>see no security vulnerability here.
>>>
>>>--Wednesday, November 24, 2004, 8:36:14 PM, you wrote to
>>>full-disclosure@...ts.netsys.com:
>>>
>>>MW> To Whom it May Concern;
>>>MW> The Original Post is http://www.securityfocus.com/bid/11711
>>>
>>>MW> On Windows XP all releases, when you replace, or change the
>>>MW> screensaver displayed on the login screen with a specially crafted
>>>MW> version designed to execute programs, those programs are launched
>>>MW> under the SYSTEM SID, i.e. they are automatically given the highest
>>>MW> access level available to Windows.  This level is not accessible even
>>>MW> to administrators.
>>>
>>>MW> This flaw is important because while one would need Power User
>>>MW> privileges or above to change the Login Screensaver, by default, any
>>>MW> user with the exception of guest can replace the login screensaver
>>>MW> file with a modified version.  In theory, any determined user could
>>>MW> execute ANYTHING with SYSTEM privileges.  A similar flaw exists in
>>>MW> Win2K, but Microsoft has ignored it.
>>>
>>>MW> Sincerely;
>>>MW> Matt Walker
>>>
>>>MW> _______________________________________________
>>>MW> Full-Disclosure - We believe in it.
>>>MW> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
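The thread turns on two things a defender can actually check: who is allowed to rewrite the logon screensaver file (or the registry value that names it), and whether anyone sits in Power Users. The script below is an added example written for this archive page; it is not code from any of the posters. It assumes the logon desktop takes its screensaver from the `SCRNSAVE.EXE` value under `HKU\.DEFAULT\Control Panel\Desktop` (the profile the logon desktop uses, which is what the thread's shorthand `HKEY_USERS\Control Panel\Desktop` refers to), and it treats the groups in `$LowPrivPrincipals` as the ones that must never hold write-class rights on that file or key. The function and variable names are the example's own.

```powershell
# Added example, not code from the thread or its authors. Audits the screensaver
# that the Windows logon desktop runs before anyone signs in (which, per the
# thread, executes as SYSTEM). Run from an elevated PowerShell prompt.
# Assumptions: the logon desktop reads HKU\.DEFAULT\Control Panel\Desktop and
# the names below are the groups that should never be able to modify it.

$DesktopKey        = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
$LowPrivPrincipals = @('Everyone', 'Users', 'Authenticated Users', 'Power Users', 'INTERACTIVE')

# Rights that let a principal swap or alter the file, or repoint the registry value.
$FileWriteMask = [System.Security.AccessControl.FileSystemRights] 'Write, Delete, TakeOwnership, ChangePermissions'
$RegWriteMask  = [System.Security.AccessControl.RegistryRights] 'SetValue, CreateSubKey, WriteKey, TakeOwnership, ChangePermissions'

function Test-LowPrivWriteAccess {
    param($Acl, [string]$RightsProperty, $WriteMask)
    # Return the Allow ACEs that hand write-class rights to a low-privilege principal.
    foreach ($ace in $Acl.Access) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]   # strip BUILTIN\ or NT AUTHORITY\
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $name -and
            (([int]$ace.$RightsProperty) -band ([int]$WriteMask)) -ne 0) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Rights = $ace.$RightsProperty.ToString() }
        }
    }
}

function Get-LogonScreensaverAudit {
    $desk = Get-ItemProperty -Path $DesktopKey -ErrorAction Stop
    $raw  = $desk.'SCRNSAVE.EXE'

    $report = [ordered]@{
        RegistryKey       = $DesktopKey
        ScreenSaveActive  = $desk.ScreenSaveActive
        ConfiguredValue   = $raw
        ResolvedPath      = $null
        FileExists        = $false
        SignatureStatus   = $null
        Signer            = $null
        WeakKeyAces       = @()
        WeakFileAces      = @()
        PowerUsersMembers = @()
    }

    # Whoever can rewrite SCRNSAVE.EXE can point the logon desktop at any
    # executable, so the key's ACL matters as much as the file's.
    $report.WeakKeyAces = @(Test-LowPrivWriteAccess -Acl (Get-Acl -Path $DesktopKey) `
                              -RightsProperty 'RegistryRights' -WriteMask $RegWriteMask)

    if ($raw) {
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            # A bare file name is looked up in System32, the directory the thread
            # says Power Users can write to.
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        $report.ResolvedPath = $path
        if (Test-Path -LiteralPath $path) {
            $report.FileExists      = $true
            $sig                    = Get-AuthenticodeSignature -FilePath $path
            $report.SignatureStatus = $sig.Status.ToString()
            $report.Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            $report.WeakFileAces    = @(Test-LowPrivWriteAccess -Acl (Get-Acl -LiteralPath $path) `
                                          -RightsProperty 'FileSystemRights' -WriteMask $FileWriteMask)
        }
    }

    # Membership of Power Users, which 3APA3A's reply says should stay empty.
    try {
        $report.PowerUsersMembers = @(Get-LocalGroupMember -Group 'Power Users' -ErrorAction Stop | ForEach-Object { $_.Name })
    } catch {
        $report.PowerUsersMembers = @('(group not present or not readable)')
    }

    [pscustomobject]$report
}

$audit = Get-LogonScreensaverAudit
$audit | Format-List

# Any of these means a low-privilege account could get code run as SYSTEM at the logon screen.
if ($audit.WeakKeyAces.Count -or $audit.WeakFileAces.Count -or
    ($audit.FileExists -and $audit.SignatureStatus -ne 'Valid')) {
    Write-Warning 'Logon screensaver is modifiable by low-privilege principals or is not verifiably signed; review the ACEs listed above.'
} else {
    Write-Host 'Logon screensaver configuration looks acceptable.'
}
```

The ACL check is the part worth keeping in a baseline: a screensaver that is unsigned but only writable by Administrators and SYSTEM is a much smaller concern than one that `BUILTIN\Users` can overwrite, and the script reports both conditions separately so the two cases are not confused. The Power Users listing is there because that group's documented ability to replace files in System32 is the whole reason the original ACL argument fails.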

