Message-ID: <1137614478.18404.38.camel@localhost>
Date: Wed Jan 18 20:01:31 2006
From: frank at knobbe.us (Frank Knobbe)
Subject: Question for the Windows pros

On Wed, 2006-01-18 at 12:07 -0600, Paul Schmehl wrote:
> I understand *that*.  My question is, what are you granting them "su" 
> *for*?  The entire kettle of fish?  Or specific tasks.  The privilege only 
> allows you to impersonate a *client* (as in server-client), so (I would 
> think) you can't do file browsing or http parsing (or can you?)

Right. Unless the user can find a way of running as a "logged on user"
or such. A user might be able to run an exploit script that takes
advantage of the ImpersonateClient and launches a cmd.exe locally. Think
of Attempted Privilege Execution rather than Attempted Privilege
Escalation since you already have the privilege escalated through this
right.... just need to find a way to put it to use. Remembering stunts
like using the scheduler to run cmd.exe interactively or as a
screensaver, getting to the point of doing something useful with that
right shouldn't be too hard.

What are you granting them su for? Perhaps for a mail migration utility
that runs as administrator, but assumes the security context of a user
to read email from his mailbox (yeah, admin can do that, this is just an
example). Or for running a script remotely against a user workstation
that sets certain things in the Registry in the user context (to gain
access to the Secure Storage or such).

> Unfortunately, in the context of my problem, the users must have this 
> right.

What circumstance requires you to turn that right on, if you don't mind
me asking?

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
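A defender-side check for the right discussed in this thread, added here as an example (not code from the thread or its authors): it parses a `secedit /export /cfg <file> /areas USER_RIGHTS` export of the local user-rights policy and lists which principals hold "Impersonate a client after authentication" (SeImpersonatePrivilege) beyond the default holders. The sample export and the domain SID in it are constructed; the default set assumed is that of a member server or workstation.

```python
import re

# Constructed sample of a secedit user-rights export (values made up for
# illustration; only the [Privilege Rights] section matters here).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Default holders of SeImpersonatePrivilege on a member server/workstation:
# SERVICE, LOCAL SERVICE, NETWORK SERVICE and the local Administrators group.
DEFAULT_IMPERSONATE = {"S-1-5-6", "S-1-5-19", "S-1-5-20", "S-1-5-32-544"}

def parse_privilege_rights(inf_text):
    """Return {privilege_name: set_of_sids} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Section headers are case-insensitive in .inf files.
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes each SID with a leading '*'; strip it.
        sids = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
        rights[name.strip()] = sids
    return rights

def extra_impersonators(inf_text, baseline=DEFAULT_IMPERSONATE):
    """SIDs granted SeImpersonatePrivilege that are not in the baseline set."""
    rights = parse_privilege_rights(inf_text)
    return sorted(rights.get("SeImpersonatePrivilege", set()) - baseline)

def is_domain_sid(sid):
    """True for SIDs of domain/local accounts (S-1-5-21-...), as opposed to well-known SIDs."""
    return re.fullmatch(r"S-1-5-21(-\d+){3,4}", sid) is not None

if __name__ == "__main__":
    for sid in extra_impersonators(SAMPLE_INF):
        print(f"non-default holder of SeImpersonatePrivilege: {sid}"
              f"{' (domain/local account)' if is_domain_sid(sid) else ''}")
```

Resolve any reported SID with `whoami`-style tooling or `Get-LocalGroupMember` before acting on it; the script only reports the policy as exported.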

