Re: Escalation of privileges

["Mayers, Philip J" <p.mayers () IC AC UK>]

Hmm... Interesting, but needs an idiot admin to exploit.

This requires you have write access to the NAV installation. Only a very
stupid admin would allow that to happen. The program scheduler has a good
argument for needing system privs (like, updating system file, such as the
NAV installation). I'd agree it probably needs better input checking though.

For example - if you have write access to the /WINNT directory (a bit less
likely, but still...), you can replace logon.scr with a program to elevate
your privs, logout, and let the winlogon screen saver activate. Et voila...

Solutions?

1) Don't let users have write access to /Program Files (or the NAV
installation, wherever it is)
2) Install trusted binaries in a different location (/WINNT isn't an option,
if you want certification from MS).

This *is* a (small) problem though - why? Because "Power Users" (or whatever
they're called in 2K now) could elevate themselves to Administrator (since
they normally have access to install programs).

<sigh>

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+

-----Original Message-----
From: Chris Foster [mailto:frostman () CAROLINA RR COM]
Sent: 07 August 2000 17:08
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Escalation of privileges


While testing escalation of privileges from a normal user to admin I found
that in my NTS 4.0/SP6 installation with Norton Antivirus 5.02 installed
this is very simple. Here are the details on how this is done:

1. Logon as a normal user. Try to run windisk from the run prompt and you
should get an access denied.

2. Browse to the root directory for the NAV installation and rename
navlu32.exe to navlu32.old. Create navlu32.exe that executes the command:

net localgroup administrators {name of account to escalate} /ADD

3. Open the Norton Program Scheduler by executing nschednt.exe in the
installation directory. Since normal users are restricted as to what they
can run.   (Display Message, Scan for Viruses, Run LiveUpdate) Just schedule
a LiveUpdate for a couple of mins ahead. When your scheduled job runs it
will execute your navlu32.exe. Log back on and you now have admin privs and
can execute windisk or whatever you like for that matter.

This works due to the Norton Program Scheduler running with system privs and
a normal user being able to write to the Norton installation directory.

Frostman