Date: Tue May 31 22:22:14 2005
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: [Windows XP] possible privilege escalation

Pif Gadget wrote:

>> are you sure you didn't launch wmplayer from the setup process
>> (something like: start wmplayer when setup is complete).
>
> Hmm, the setup program (.exe which runs an .msi) installs a classic 
> "annoying" development app (the other day it was some Microsoft 
> Office suite product). I doubt it would launch WMP for any reason, if 
> it's what you meant.
> To get rid of the doubt, I just retried the installation process being 
> logged in as Admin, and nope, it didn't launch WMP.

Just guessing here, but is it possible that the setup program could have 
tried to take ownership of the running process in order to ensure that 
an installation started in this way would complete successfully?

I'm not sure precisely how this could be done or that it would have been 
done in this package, but it makes the most sense out of any scenario 
that I can think of.

In either case, I'm not sure that it's a privilege escalation per se for 
the reason that it required you having the administrator account in the 
first place to be able to escalate the process' privileges.  Where that 
could be dangerous is if an administrator got tricked into running an 
executable that escalated the privileges of a malicious program, but 
once you get them to run that type of code you've got other options 
available to you that will probably be easier to utilize.  Not that I 
can't see this being used in nasty ways or anything...

             -Barry
