lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 19 Sep 2015 22:13:06 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 35): Windows
	Explorer ignores "Run as administrator" ...

Hi @ll,

since Microsoft introduced the security theatre named "user account
control" with Windows Vista users cant start (another instance of)
the Windows Explorer with elevated rights any more: the "Run as
administrator" and the "Run as different user" context menu entries
only start another instance of Windows Explorer with but the
credentials of the logged on (interactive) user.

No, neither starting Windows Explorer per "Explorer.Exe /Separate"
nor setting the following registry entries overcomes this limitation:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"DesktopProcess"=dword:01

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SeparateProcess"=dword:01


Microsoft is well aware of this, but still doesnt remove or disable
these dysfunctional context menu entries for Explorer.exe, although
their own user experience interface guidelines request that (context)
menu entries which are not applicable must not be shown or have to be
disabled!

See <https://msdn.microsoft.com/en-us/library/dn742392.aspx>:

| Disable menu items that don't apply to the current context
...
| Remove rather than disable context menu items that don't
| apply to the current context.

or <http://www.microsoft.com/en-us/download/details.aspx?id=2695>

If you want to get rid of "Run as administrator" and "Run as
different user" for Explorer.exe to save yourself, your users and
your support/helpdesk from confusion or frustration add the following
registry entries:

[HKEY_CLASSES_ROOT\exefile\Shell\RunAs]
"AppliesTo"="System.FileName:<>Explorer.Exe"

[HKEY_CLASSES_ROOT\exefile\Shell\RunAsUser]
"AppliesTo"="System.FileName:<>Explorer.Exe"

See <https://msdn.microsoft.com/en-us/library/cc144171.aspx>
and <https://msdn.microsoft.com/en-us/library/bb266512.aspx>
to understand how and why this registry entry works.

JFTR: the context menu entry "Run as administrator" doesnt work at
      all in standard user accounts when UAC is set to "never elevate".
      This is another clear violation of Microsofts own UX guidelines!

stay tuned
Stefan Kanthak

PS: the script <http://home.arcor.de/skanthak/download/UAC.INF> adds
    this and several other missing registry entries which enable
    "Run as administrator" and "Run as different user" for quite some
    file types.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ