lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 4 Oct 2011 08:06:34 -0700
From: David Amistoso <david.amistoso@...il.com>
To: Gary Slavin <GaryS@...-1.com>
Cc: Steve Syfuhs <steve@...uhs.net>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"security-basics@...urityfocus.com" <security-basics@...urityfocus.com>
Subject: Re: Privilege escalation on Windows using Binary
	Planting

Unfortunately, on W7 and any other box with proper restrictions, you need to
run that command as admin to get the full result set.

If you are an unprivileged user looking for a process to escalate to:
tasklist /v /fi "USERNAME ne %USERNAME%"
or
tasklist /v| find "Unknown         N/A"

Will give you a good place to start looking.

On Tue, Sep 27, 2011 at 1:25 AM, Gary Slavin <GaryS@...-1.com> wrote:

>  the trick is to find one that is writable while logged in as a less
> priveleged user and then overwrite the executable. Anti virus executables
> are typically a good place to start :)
>
> tasklist /fi "USERNAME eq NT AUTHORITY\SYSTEM”
> Image Name                   PID Session Name     Session#    Mem Usage
> ========================= ====== ================ ======== ============
> System Idle Process            0 Console                 0         28 K
> System                         4 Console                 0        236 K
> smss.exe                     704 Console                 0        388 K
> csrss.exe                    752 Console                 0      4,032 K
> winlogon.exe                 776 Console                 0      2,904 K
> services.exe                 820 Console                 0      4,612 K
> lsass.exe                    832 Console                 0      1,724 K
> ati2evxx.exe                 980 Console                 0      2,676 K
> svchost.exe                 1020 Console                 0      5,948 K
> svchost.exe                 1200 Console                 0     23,100 K
> DLService.exe               1484 Console                 0      7,856 K
> spoolsv.exe                 1848 Console                 0      6,992 K
> schedul2.exe                2028 Console                 0      2,036 K
> inetinfo.exe                 228 Console                 0     10,484 K
> mnmsrvc.exe                  364 Console                 0      3,436 K
> rundll32.exe                 352 Console                 0      3,168 K
> *SAVAdminService.exe          356 Console                 0      2,548 K**
> *ManagementAgentNT.exe        580 Console                 0      4,624 K
> ALsvc.exe                    748 Console                 0        944 K
> RouterNT.exe                1004 Console                 0      4,884 K
> vsAOD.Exe                   1868 Console                 0      4,224 K
> C:\Documents and Settings\pentest>
>
> ________________________________________
> From: Steve Syfuhs [steve@...uhs.net]
> Sent: 26 September 2011 19:09
> To: Madhur Ahuja; security-basics@...urityfocus.com;
> full-disclosure@...ts.grok.org.uk
> Subject: RE: [Full-disclosure] Privilege escalation on Windows using
> Binary     Planting
>
>
> Well yeah, if the system that's designed to protect you isn't functioning,
> then you aren't protected and all sorts of bad things can happen.
>
> When services starts up, the root service executable looks through a
> registry key to find all the services that should be run. It then executes
> the value in the key relative to each service based on which account is
> specified.  There is no signature checking or anything funky like that going
> on. If the path stored in the registry entry is a valid executable, it will
> get executed.
>
> It is up to the installer to make sure that the service cannot be replaced.
> This is done by storing it in Program Files, or one of the other recommended
> locations, which only administrators can access by default. If the
> executable is stored in another location, it is still up to the installer to
> set up proper file permissions. Further, only an administrator should be
> able to start or stop the service.
>
> All of this is up to the installer, and the service itself to handle.
>
> If a service or installer deviates from the prescribed design set out by
> Microsoft, is it really Windows' fault that it happened? Not really. So, yes
> you could escalate privilege through this method, but really the failure is
> by the developer of the service, or by the developer of the installer.
>
> -----Original Message-----
> From: listbounce@...urityfocus.com [mailto:listbounce@...urityfocus.com]
> On Behalf Of Madhur Ahuja
> Sent: Sunday, September 25, 2011 2:31 PM
> To: security-basics@...urityfocus.com; full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] Privilege escalation on Windows using Binary
> Planting
>
> Imagine a situation where I have a Windows system with the restricted user
> access and want to get the Administrator access.
>
> There are many services in Windows which run with SYSTEM account.
>
> If there exists even one such service whose executable is not protected by
> Windows File Protection, isn't it possible to execute malicious code (such
> as gaining Administrator access) simply by replacing the service executable
> with malicious one and then restarting the service.
>
> As a restricted user, what's stopping me to do this ?
>
> Is there any integrity check performed by services.msc or service itself
> before executing with SYSTEM account ?
>
> Madhur
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate In this guide we
> examine the importance of Apache-SSL and who needs an SSL certificate.  We
> look at how SSL works, how it benefits your company and how your customers
> can tell if a site is secure. You will find out how to test, purchase,
> install and use a thawte Digital Certificate on your Apache web server.
> Throughout, best practices for set-up are highlighted to help you ensure
> efficient ongoing management of your encryption keys and digital
> certificates.
>
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------
>
>
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL
> certificate.  We look at how SSL works, how it benefits your company and how
> your customers can tell if a site is secure. You will find out how to test,
> purchase, install and use a thawte Digital Certificate on your Apache web
> server. Throughout, best practices for set-up are highlighted to help you
> ensure efficient ongoing management of your encryption keys and digital
> certificates.
>
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------
>
> Sec-1 disclaimer******
>
> This e-mail and any attached files are confidential and may also be legally
> privileged. They are intended solely for the intended addressee. If you are
> not the addressee please e-mail it back to the sender and then immediately,
> permanently delete it. Do not read, print, re-transmit, store or act in
> reliance on it. This e-mail may be monitored by Sec-1 Ltd in accordance with
> current regulations. This footnote also confirms that this e-mail message
> has been swept for the presence of computer viruses currently known to Sec-1
> Ltd. However, the recipient is responsible for virus-checking before opening
> this message and any attachment. Unless expressly stated to the contrary,
> any views expressed in this message are those of the individual sender and
> may not necessarily reflect the views of Sec-1 Ltd.****
>
> ** **
>
> Registered Name: Sec-1 Ltd, Registration Number: 4138637, Registered in
> England & Wales, Registered Office Address: Unit 4, Spring Valley Park,
> Butler Way, Stanningley, Leeds, LS28 6EA.****
>  ------------------------------
>
> Scanned by *MailMarshal* - M86 Security's comprehensive email content
> security solution. For details on purchasing MailMarshal or alternative Mail
> Security products please contact our Sales Team on 0113 257 8955 Option 1
>
> **
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ