Open Source and information security mailing list archives
Date: 11 Mar 2006 10:29:28 -0000
From: yourname@...rdomain.com
To: bugtraq@...urityfocus.com
Subject: Copy protection scheme SafeDisc allows privilege escalation


I have found a serious flaw in the well-known and widely deployed copy protection scheme SafeDisc. 

The issue arises from how the installation of the driver secdrv.sys is managed. When installed, the associated driver service is assigned the SE_CHANGE_CONFIG flag, which means that any user is able to modify the start-up behaviour (automatic, manually, on-demand, system, boot).
Luckily the default installation of Windows XP which also ships the secdrv.sys driver (bad thing, Microsoft!) is not vulnerable.

The bad thing is that, not so well documented, it also allows the user to change the binary that is associated with that service.

The exploit is obvious: change the configuration to point at your binary, change the start-up behaviour to what you like (means: automatically, system or boot) and wait until the next reboot. Tadaa, full SYSTEM access.


This is just one instance of a well-known class of exploits. See
http://seclists.org/lists/fulldisclosure/2006/Feb/0231.html
http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
http://www.microsoft.com/technet/security/advisory/914457.mspx
http://www.securityfocus.com/bid/16472
for other known vulnerable services, detailed description and the srvcheck2.exe utility.
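The class of weakness described in the post (a service whose DACL grants SERVICE_CHANGE_CONFIG, and thus control over its binary path and start type, to ordinary users) can be audited from the security descriptor that `sc sdshow <service>` prints. The following checker is an added example written for this archive page; it is not code from the post, from SafeDisc, or from the srvcheck2.exe utility the author references. It parses the DACL of an SDDL string, maps the SDDL rights letters to their service-object meaning (DC is SERVICE_CHANGE_CONFIG on service objects), and reports any allow-ACE that gives a broad principal (Everyone, Users, Authenticated Users, Interactive, Guests, Anonymous) a right that lets it reconfigure the service or rewrite its ACL. The SDDL strings in the block are constructed samples, not descriptors taken from a real secdrv installation.

```python
"""Flag Windows service DACLs that let non-administrators reconfigure a service.

Added example for this page (not from the original Bugtraq post): parses the
SDDL string that `sc sdshow <service>` prints and reports ACEs granting
SERVICE_CHANGE_CONFIG (or WRITE_DAC / WRITE_OWNER / generic write, which
imply it) to broad principals. All SDDL samples below are constructed.
"""
import re

# Service-object meaning of the SDDL rights letters: the generic two-letter
# tokens carry object-specific semantics when applied to a service.
SERVICE_RIGHTS = {
    "CC": 0x0001,      # SERVICE_QUERY_CONFIG
    "DC": 0x0002,      # SERVICE_CHANGE_CONFIG: change binPath, start type, account
    "LC": 0x0004,      # SERVICE_QUERY_STATUS
    "SW": 0x0008,      # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,      # SERVICE_START
    "WP": 0x0020,      # SERVICE_STOP
    "DT": 0x0040,      # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,      # SERVICE_INTERROGATE
    "CR": 0x0100,      # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "GW": 0x40000000,  # GENERIC_WRITE (includes SERVICE_CHANGE_CONFIG)
    "GR": 0x80000000,  # GENERIC_READ
}
# Any of these lets the holder change what the service runs, or take over its ACL.
RECONFIGURE_MASK = (SERVICE_RIGHTS["DC"] | SERVICE_RIGHTS["WD"] | SERVICE_RIGHTS["WO"]
                    | SERVICE_RIGHTS["GA"] | SERVICE_RIGHTS["GW"])

# SDDL SID abbreviations (and raw SIDs) for groups every local user belongs to.
BROAD_PRINCIPALS = {
    "WD": "Everyone", "BU": "BUILTIN\\Users", "AU": "Authenticated Users",
    "IU": "Interactive", "AN": "Anonymous", "BG": "BUILTIN\\Guests",
    "S-1-1-0": "Everyone", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-11": "Authenticated Users", "S-1-5-4": "Interactive",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(token: str) -> int:
    """Turn an SDDL rights field (two-letter tokens or a hex mask) into an access mask."""
    token = token.strip()
    if not token:
        return 0
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) % 2:
        raise ValueError(f"malformed rights field: {token!r}")
    mask = 0
    for i in range(0, len(token), 2):
        pair = token[i:i + 2]
        if pair not in SERVICE_RIGHTS:
            raise ValueError(f"unknown right {pair!r} in {token!r}")
        mask |= SERVICE_RIGHTS[pair]
    return mask


def dacl_aces(sddl: str):
    """Yield (ace_type, access_mask, sid) for each ACE in the DACL of an SDDL string."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]          # ignore the SACL, if one follows
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")           # type;flags;rights;object;inherit-object;sid
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        yield fields[0], parse_rights(fields[2]), fields[5]


def weak_service_aces(sddl: str) -> list:
    """Return (principal, [rights]) for allow-ACEs granting reconfigure rights to broad groups."""
    findings = []
    for ace_type, mask, sid in dacl_aces(sddl):
        if ace_type != "A":                # only Allow ACEs grant access
            continue
        if sid in BROAD_PRINCIPALS and mask & RECONFIGURE_MASK:
            granted = [name for name, bit in SERVICE_RIGHTS.items()
                       if mask & bit & RECONFIGURE_MASK]
            findings.append((BROAD_PRINCIPALS[sid], granted))
    return findings


# Constructed samples. The first mirrors the usual hardened layout (users may only
# query and interrogate); the second gives Everyone DC, the weakness the post describes.
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
WEAK_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCRRC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for label, sddl in (("hardened", HARDENED_SDDL), ("weak", WEAK_SDDL)):
        hits = weak_service_aces(sddl)
        print(f"{label}: {'OK' if not hits else 'WEAK ' + str(hits)}")
```

In use, the SDDL would come from `sc sdshow <service>` on the audited host; a finding means a non-privileged account can reconfigure the service, and the fix is to reset the DACL (for example with `sc sdset`) so that only SYSTEM and Administrators hold DC, WD and WO.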

