[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <EC0414CA38D1F34FBA8AEE0D71C6CA3BD3ACA9@CH1PRD0502MB118.namprd05.prod.outlook.com>
Date: Mon, 26 Sep 2011 18:09:07 +0000
From: Steve Syfuhs <steve@...uhs.net>
To: Madhur Ahuja <ahuja.madhur@...il.com>, "security-basics@...urityfocus.com"
<security-basics@...urityfocus.com>, "full-disclosure@...ts.grok.org.uk"
<full-disclosure@...ts.grok.org.uk>
Subject: Re: Privilege escalation on Windows using
Binary Planting
Well yeah, if the system that's designed to protect you isn't functioning, then you aren't protected and all sorts of bad things can happen.
When services starts up, the root service executable looks through a registry key to find all the services that should be run. It then executes the value in the key relative to each service based on which account is specified. There is no signature checking or anything funky like that going on. If the path stored in the registry entry is a valid executable, it will get executed.
It is up to the installer to make sure that the service cannot be replaced. This is done by storing it in Program Files, or one of the other recommended locations, which only administrators can access by default. If the executable is stored in another location, it is still up to the installer to set up proper file permissions. Further, only an administrator should be able to start or stop the service.
All of this is up to the installer, and the service itself to handle.
If a service or installer deviates from the prescribed design set out by Microsoft, is it really Windows' fault that it happened? Not really. So, yes you could escalate privilege through this method, but really the failure is by the developer of the service, or by the developer of the installer.
-----Original Message-----
From: listbounce@...urityfocus.com [mailto:listbounce@...urityfocus.com] On Behalf Of Madhur Ahuja
Sent: Sunday, September 25, 2011 2:31 PM
To: security-basics@...urityfocus.com; full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Privilege escalation on Windows using Binary Planting
Imagine a situation where I have a Windows system with the restricted user access and want to get the Administrator access.
There are many services in Windows which run with SYSTEM account.
If there exists even one such service whose executable is not protected by Windows File Protection, isn't it possible to execute malicious code (such as gaining Administrator access) simply by replacing the service executable with malicious one and then restarting the service.
As a restricted user, what's stopping me to do this ?
Is there any integrity check performed by services.msc or service itself before executing with SYSTEM account ?
Madhur
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists