Bugtraq mailing list archives
Re: Escalation of privileges
From: "Mayers, Philip J" <p.mayers () IC AC UK>
Date: Tue, 8 Aug 2000 12:49:27 +0100
Hmm... Interesting, but needs an idiot admin to exploit. This requires you have write access to the NAV installation. Only a very stupid admin would allow that to happen. The program scheduler has a good argument for needing system privs (like updating system files, such as the NAV installation). I'd agree it probably needs better input checking though.

For example - if you have write access to the /WINNT directory (a bit less likely, but still...), you can replace logon.scr with a program to elevate your privs, logout, and let the winlogon screen saver activate. Et voila...

Solutions?

1) Don't let users have write access to /Program Files (or the NAV installation, wherever it is)

2) Install trusted binaries in a different location (/WINNT isn't an option, if you want certification from MS).

This *is* a (small) problem though - why? Because "Power Users" (or whatever they're called in 2K now) could elevate themselves to Administrator (since they normally have access to install programs). <sigh>

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+

-----Original Message-----
From: Chris Foster [mailto:frostman () CAROLINA RR COM]
Sent: 07 August 2000 17:08
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Escalation of privileges

While testing escalation of privileges from a normal user to admin I found that in my NTS 4.0/SP6 installation with Norton Antivirus 5.02 installed this is very simple. Here are the details on how this is done:

1. Logon as a normal user. Try to run windisk from the run prompt and you should get an access denied.

2. Browse to the root directory for the NAV installation and rename navlu32.exe to navlu32.old. Create navlu32.exe that executes the command: net localgroup administrators {name of account to escalate} /ADD

3. Open the Norton Program Scheduler by executing nschednt.exe in the installation directory. Since normal users are restricted as to what they can run (Display Message, Scan for Viruses, Run LiveUpdate), just schedule a LiveUpdate for a couple of mins ahead. When your scheduled job runs it will execute your navlu32.exe. Log back on and you now have admin privs and can execute windisk or whatever you like for that matter.

This works due to the Norton Program Scheduler running with system privs and a normal user being able to write to the Norton installation directory.

Frostman
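The root cause both posters agree on is a directory holding binaries that a SYSTEM-level scheduler executes being writable by ordinary users. The following is an added audit script, not part of the Bugtraq thread or of any Norton/Symantec tooling, that walks the Program Files trees and reports directories whose ACL grants write, delete, or ownership-changing rights to broad principals such as Everyone, Users, Authenticated Users, or Power Users (the group Phil's "solution 1" is about). The function name, the root list, and the set of "broad" principals are assumptions you should adapt to your environment; it uses only Get-ChildItem, Get-Acl and the .NET FileSystemRights enumeration.

```powershell
# Added example (not from the original thread): find Program Files
# directories that low-privilege principals can write to, i.e. places
# where a binary run by a privileged scheduler or service could be
# replaced. Roots, principal list and function name are assumptions.
function Find-WritableProgramDirs {
    param(
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Power Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )

    # Rights that let a non-admin create, replace, rename or delete files in
    # the directory, or rewrite its ACL/owner to grant themselves more.
    # 0x10000000 / 0x40000000 are the raw GENERIC_ALL / GENERIC_WRITE bits,
    # which Get-Acl reports as unnamed values of the enum.
    $DangerousMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
                     [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
                     [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
                     [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                     [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                     [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                     0x10000000 -bor 0x40000000

    $liveRoots = $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($root in $liveRoots) {
        # Include the root itself so a writable "Program Files" is flagged too.
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)

        foreach ($d in $dirs) {
            $dir = $d.FullName
            try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $DangerousMask) -eq 0) { continue }

                [pscustomobject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: run elevated so every directory's ACL can be read, then review
# each hit and remove or tighten the offending ACE. An empty result means
# no broad principal holds write-class rights under the audited roots.
Find-WritableProgramDirs | Sort-Object Directory | Format-Table -AutoSize
```

The script checks directory ACLs only, which is what the rename-and-replace step in the original report relies on; a binary can also be overwritten in place if the file itself carries a loose ACE while its directory does not, so on a machine where the directory scan is clean it is worth rerunning the inner loop with `-File` over the specific directories that privileged schedulers or services launch programs from. Inherited ACEs are reported as well, because the fix for those belongs on the ancestor directory rather than the one that surfaced.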
Current thread:
- Escalation of privileges Chris Foster (Aug 07)
- reporting local security problems for WinNT (Re: Escalation of privileges) Vladimir Dubrovin (Aug 08)
- Re: reporting local security problems for WinNT (Re: Escalation of privileges) David LeBlanc (Aug 09)
- Re: reporting local security problems for WinNT (Re: Escalation of privileges) William D. Colburn (aka Schlake) (Aug 10)
- Re: reporting local security problems for WinNT (Re: Escalation of privileges) Tom Perrine (Aug 11)
- Re: reporting local security problems for WinNT (Re: Escalation of privileges) David LeBlanc (Aug 09)
- reporting local security problems for WinNT (Re: Escalation of privileges) Vladimir Dubrovin (Aug 08)
- Re: Escalation of privileges Nicolas Rachinsky (Aug 09)
- <Possible follow-ups>
- Re: Escalation of privileges Mayers, Philip J (Aug 08)
- Re: Escalation of privileges Kenn Humborg (Aug 09)
- Re: Escalation of privileges Adam Richard (Aug 10)