Message-ID: <41A74EEA.4080809@ori.net>
From: mandreko at ori.net (Matt Andreko)
Subject: MS Windows Screensaver Privilege Escalation
Perhaps this is just an amateurish question, but what if I booted off of
a knoppix cd and replaced the current screensaver with my "specially
crafted" screensaver? Or using the bootdisk at
http://home.eunet.no/~pnordahl/ntpasswd/ to edit the registry value?
I know you may think that this is useless, since if you boot off the CD
or disk you already have better access to the machine; however, doing it
this way gets you admin access WITHOUT changing the password, correct?
Again, perhaps I'm misunderstanding, but wouldn't this work, and still
show that the vulnerability in the screensaver code is valid, and needs
to be updated? It could allow someone to get local admin access to the
machine without changing the password.
3APA3A wrote:
> Dear Matthew Walker,
>
> Permissions for HKEY_USERS\Control Panel\Desktop allow modification to
> only members of Administrators and System.
>
> Power Users can install software, so they can replace any file in the
> SYSTEM32 directory, including the screensaver. It allows one to trojan any
> system file (for example, one can replace winspool.exe with cmd.exe to
> obtain SYSTEM permissions). It's by design and it's documented. Just
> never assign users to the Power Users group, as Microsoft recommends. I
> see no security vulnerability here.
>
> --Wednesday, November 24, 2004, 8:36:14 PM, you wrote to full-disclosure@...ts.netsys.com:
>
> MW> To Whom it May Concern;
> MW> The Original Post is http://www.securityfocus.com/bid/11711
>
> MW> On Windows XP all releases, when you replace, or change the
> MW> screensaver displayed on the login screen with a specially crafted
> MW> version designed to execute programs, those programs are launched
> MW> under the SYSTEM SID, i.e. they are automatically given the highest
> MW> access level available to Windows. This level is not accessible even
> MW> to administrators.
>
> MW> This flaw is important because while one would need Power User
> MW> privileges or above to change the Login Screensaver, by default, any
> MW> user with the exception of guest can replace the login screensaver
> MW> file with a modified version. In theory, any determined user could
> MW> execute ANYTHING with SYSTEM privileges. A similar flaw exists in
> MW> Win2K, but Microsoft has ignored it.
>
> MW> Sincerely;
> MW> Matt Walker
>
> MW> _______________________________________________
> MW> Full-Disclosure - We believe in it.
> MW> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
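A defender-side check for the two conditions discussed in this thread (who may change the logon screensaver registry value, and who may overwrite the screensaver file it points to), added here as an example and not code from any poster. It assumes PowerShell is available and that the logon screensaver is named by the SCRNSAVE.EXE value under HKEY_USERS\.DEFAULT\Control Panel\Desktop, the key 3APA3A refers to; the trusted-principal list is an assumption you may need to extend for your environment.

```powershell
# Audit who can alter the logon screensaver: both the registry value that
# names it and the .scr file itself. Any Allow ACE granting write-type
# rights to a principal outside $trusted is reported for review.
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
             'NT SERVICE\TrustedInstaller')   # assumption: adjust per site
$regKey  = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'

function Get-UntrustedWriters {
    # Returns one record per Allow ACE that gives a non-trusted principal
    # write-type rights on $Path; works for registry and file system paths.
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        # RegistryAccessRule exposes RegistryRights, FileSystemAccessRule
        # exposes FileSystemRights; the absent one expands to '' (no StrictMode).
        $rights = "$($ace.RegistryRights)$($ace.FileSystemRights)"
        # Purely numeric rights (generic bits on inherited ACEs) are also
        # reported, so the audit over-reports rather than misses a grant.
        if ($rights -match 'FullControl|Modify|Write|SetValue|CreateSubKey|ChangePermissions|TakeOwnership|Delete|^\d+$') {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $rights }
        }
    }
}

# 1. The registry key holding SCRNSAVE.EXE (3APA3A's point about permissions).
$findings = @(Get-UntrustedWriters -Path $regKey)

# 2. The screensaver file the value points to (MW's point about replacing it).
$scr = (Get-ItemProperty -Path $regKey -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
if ($scr) {
    $scr = [Environment]::ExpandEnvironmentVariables($scr)
    if (-not [IO.Path]::IsPathRooted($scr)) {
        # A bare file name is resolved relative to System32.
        $scr = Join-Path (Join-Path $env:SystemRoot 'System32') $scr
    }
    if (Test-Path -LiteralPath $scr) { $findings += @(Get-UntrustedWriters -Path $scr) }
    else { Write-Warning "Logon screensaver '$scr' not found on disk" }
} else {
    Write-Output 'No logon screensaver configured (SCRNSAVE.EXE not set).'
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: only trusted principals can change the logon screensaver.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it elevated so Get-Acl can read both ACLs; a non-empty table means a principal other than the trusted set could swap the screensaver that runs in the SYSTEM context at the logon screen, which is the condition the thread is arguing about.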