Bugtraq mailing list archives

reporting local security problems for WinNT (Re: Escalation of privileges)


From: Vladimir Dubrovin <vlad () sandy ru>
Date: Tue, 8 Aug 2000 13:42:32 +0400

Hello Chris Foster,

07.08.00 20:07, you wrote: Escalation of privileges;

C> 2. Browse to the root directory for the NAV installation and rename
C> navlu32.exe to navlu32.old. Create navlu32.exe that executes the command:

Another example: AVP users can easily obtain Control Center privileges
(Local System by default - these are admin privs) by trojaning
"C:\Program Files\AntiViral Toolkit Pro\avpcc.exe" - this program
starts as a service. It's also possible to operate in kernel mode via
C:\Program Files\AntiViral Toolkit Pro\FSAVP.SYS

According to MS recommendations, only the Administrators group should have
Write permission for the Program Files and WINNT directories. Otherwise
a user can easily trojan any executable, including system services. This
problem is not NAV specific, and this is a problem of poor
configuration, not a bug.

I think all troubles with WinNT local security must be reported for
the configuration described in
http://www.microsoft.com/technet/security/c2config.asp
because in the default configuration there are a lot of ways to break
local security for Windows NT via file and registry permissions.

   Vladimir Dubrovin                  Sandy, ISP
    Sandy CCd chief               Customers Care dept
  http://www.sandy.ru           Nizhny Novgorod, Russia

http://www.security.nnov.ru
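
The configuration check the message above calls for, as an added example that is not part of the original post: a PowerShell audit that lists service and driver images (and their directories) on which a principal other than SYSTEM, Administrators or TrustedInstaller holds write-class rights. The trusted-SID baseline and the helper names `Get-ImagePath` and `Get-UntrustedWriters` are assumptions made for this example.

```powershell
# Added example: find service/driver images that a non-admin principal can modify.
# Trusted writers by well-known SID (assumed baseline: SYSTEM, Administrators, TrustedInstaller).
$trustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# Rights that allow replacing or renaming an image, plus the GENERIC_WRITE / GENERIC_ALL bits.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

function Get-ImagePath([string]$PathName) {
    # PathName may be quoted, may carry arguments, and drivers may use \??\ or \SystemRoot\.
    $p = $null
    if ($PathName -match '^\s*"([^"]+)"') { $p = $Matches[1] }
    elseif ($PathName -match '^\s*(.+?\.(exe|sys))(\s|$)') { $p = $Matches[1] }
    if (-not $p) { return $null }
    $p = $p -replace '^\\\?\?\\', ''
    $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
}

function Get-UntrustedWriters([string]$Path) {
    # Emit SIDs outside $trustedSids that hold an Allow ACE with write-class rights on $Path.
    $acl = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $inheritOnly = [int]$ace.PropagationFlags -band 2   # 2 = InheritOnly: not effective on this object
        if ($ace.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
            ([int]$ace.FileSystemRights -band $writeMask) -and
            $trustedSids -notcontains $ace.IdentityReference.Value) {
            $ace.IdentityReference.Value
        }
    }
}

$findings = foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
    foreach ($svc in Get-CimInstance -ClassName $class) {
        $image = Get-ImagePath $svc.PathName
        if (-not $image -or -not (Test-Path -LiteralPath $image)) { continue }
        # Check the image and its directory: write access to the directory allows rename-and-replace.
        foreach ($target in $image, (Split-Path -Parent $image)) {
            $sids = @(Get-UntrustedWriters $target | Sort-Object -Unique)
            if ($sids) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Path = $target; WritableBy = $sids -join ', ' }
            }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Rows whose WritableBy column contains S-1-1-0 (Everyone), S-1-5-11 (Authenticated Users) or S-1-5-32-545 (Users) are the misconfiguration the message describes; an empty result means no such ACE was found on the images that could be resolved.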

