Bugtraq mailing list archives
Re: Windows 2000 Run As... Feature
From: jjohanss () BU EDU (Jesper M. Johansson)
Date: Mon, 24 Jan 2000 08:45:53 -0500
In all the hubbub over whether the semantic of the Run As... feature in Windows 2000, a much more important shortcoming is that this is the first time (I know of) that the system asks for your password through a mechanism other than the trusted path (ctrl-alt-del to login, ctrl-alt-del to change password). This is an unfortunate compromise in an otherwise useful feature.
How much of a compromise is it really? I just looked at the executable and it seems to be reasonably tightened down with only RX for Users, PowerUsers and Everyone. Unless there is some backdoor to replace the directory entry that's about the best we can do. Note that the SU command in the 4.0 Resource Kit also has this problem. Except that there the default ACL is considerably less restrictive. On my machine, Everyone has Modify rights to that command, as well as to the SUSS SU service. I assume that there are no special rights set on these files and that they simply take the permissions from the parent directory upon installation. Something to think about... Note that the ACL does of course not guard against presenting a user with the command line dialog without having to type in the RunAs command. However, common sense is used to guard against that. Also, the trusted path did not preclude the use of that attack either. I have actually seen one where users were presented with a login screen without the three-finger salute, and simply entered their passwords. Jesper M. Johansson
Current thread:
- Windows 2000 Run As... Feature David Terrell (Jan 21)
- Re: Windows 2000 Run As... Feature Seth R Arnold (Jan 23)
- Re: Windows 2000 Run As... Feature Steven Kastl (Jan 23)
- Re: Windows 2000 Run As... Feature Jesper M. Johansson (Jan 24)
- Re: Windows 2000 Run As... Feature David LeBlanc (Jan 25)
- Re: Windows 2000 Run As... Feature Ben Russell (Jan 25)
- Re: Windows 2000 Run As... Feature Steve Wolfe (Jan 26)
- Re: Windows 2000 Run As... Feature Kenn Humborg (Jan 27)
- SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature jdglaser (Jan 26)
- Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature Jesper M. Johansson (Jan 26)
- Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature Peter Berendi (Jan 27)
- Re: Windows 2000 Run As... Feature David LeBlanc (Jan 25)
- Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature David LeBlanc (Jan 26)
- <Possible follow-ups>
- Re: Windows 2000 Run As... Feature jdglaser (Jan 24)
- Re: Windows 2000 Run As... Feature Camillo Särs (Jan 24)