Bugtraq mailing list archives
Re: Windows 2000 Run As... Feature
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Tue, 25 Jan 2000 09:00:57 -0800
At 08:45 AM 1/24/00 -0500, Jesper M. Johansson wrote:
In all the hubbub over whether the semantic of the Run As... feature in Windows 2000, a much more important shortcoming is that this is the first time (I know of) that the system asks for your password through a mechanism other than the trusted path (ctrl-alt-del to login, ctrl-alt-del to change password). This is an unfortunate compromise in an otherwise useful feature.
How much of a compromise is it really? I just looked at the executable and it seems to be reasonably tightened down with only RX for Users, PowerUsers and Everyone. Unless there is some backdoor to replace the directory entry that's about the best we can do.
There's a couple of additions - first of all, there's no way to script the password - it is going to prompt you for it, so that's a little bit of an improvement.

As has been discussed here before, there are a number of places that a Windows system will look for a binary, so to be really sure that you're getting the one in system32, use the Run button from the start menu - it only looks in %systemroot% for things.

I've often been frustrated trying to figure out _which_ binary I'm running, so I wrote this. BTW, the documentation on the SearchPath() API tells you just where the OS looks, and in what order. A couple of lines are wrapped.

===================== which.c ==============================
#include <windows.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
    char buffer[1024];
    DWORD buflen = 1024;
    char* filepart;
    DWORD ret;
    char* extension;

    if(argc < 2)
    {
        printf("Usage is %s [filename]\n", argv[0]);
        printf("Simple wrapper around the SearchPath function\n");
        printf("Comments to: dleblanc () mindspring com\n");
        return -1;
    }

    //if they don't supply the .exe, give them one
    extension = strrchr(argv[1], '.');

    //note - if you really wanted, you could try other extensions
    //but most of what NT runs on is .exe, so..
    if(extension == NULL)
        ret = SearchPath(NULL, argv[1], ".exe", 1024, buffer, &filepart);
    else
        ret = SearchPath(NULL, argv[1], NULL, 1024, buffer, &filepart);

    if(ret == 0)
    {
        printf("Cannot find %s\n", argv[1]);
    }
    else if(ret < 1024)
    {
        printf("%s\n", buffer);
    }
    else
    {
        //if you want to be fancy, put it in a loop, malloc the
        //buffer, and all that. Most of the time, this works.
        //if it doesn't work for you, either use a bigger buffer
        //or get fancy
        printf("Path longer than 1024 characters\n");
        printf("If you really need to display paths > 1024\n");
        printf("Go write your own, or complain to dleblanc () mindspring com\n");
    }

    return 0;
}

David LeBlanc
dleblanc () mindspring com
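Added example, not part of the original post: a portable model of the first-hit lookup that which.c asks SearchPath() to do, extended to report whether the copy that would run is the one in the system directory. The directory list, file table and function names are constructed for illustration, and the order is an assumed simplification of the documented SearchPath() order.

```c
#include <ctype.h>
#include <stdio.h>

/* Constructed sample data: files "present" on a hypothetical machine. */
const char *present[] = { "C:\\Tools\\runas.exe",
    "C:\\WINNT\\system32\\runas.exe", "C:\\WINNT\\system32\\cmd.exe" };
/* Constructed list (assumed order): app dir, cwd, system, Windows, PATH. */
const char *sample_order[] = { "C:\\Tools", "C:\\Work",
    "C:\\WINNT\\system32", "C:\\WINNT", "D:\\bin" };

/* Case-insensitive equality, since Windows file names ignore case. */
int same_path(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Stand-in for a real existence test (GetFileAttributes on Windows). */
int sample_exists(const char *path) {
    for (size_t i = 0; i < sizeof present / sizeof present[0]; i++)
        if (same_path(path, present[i])) return 1;
    return 0;
}

/* Walk dirs[] in order. Returns the index of the first directory holding
   name (the copy that would run) and writes its full path to out, or -1. */
int first_hit(const char *dirs[], int n, const char *name,
              int (*exists)(const char *), char *out, size_t outlen) {
    for (int i = 0; i < n; i++) {
        int len = snprintf(out, outlen, "%s\\%s", dirs[i], name);
        if (len > 0 && (size_t)len < outlen && exists(out)) return i;
    }
    if (outlen) out[0] = '\0';
    return -1;
}

/* 0: the copy that would run is the one in sysdir; 1: a copy found
   elsewhere wins; -1: name not found anywhere on the list. */
int resolves_outside(const char *dirs[], int n, const char *sysdir,
                     const char *name, int (*exists)(const char *)) {
    char path[1024];
    int hit = first_hit(dirs, n, name, exists, path, sizeof path);
    return hit < 0 ? -1 : !same_path(dirs[hit], sysdir);
}

int main(void) {
    return printf("runas.exe -> %d\n", resolves_outside(sample_order, 5,
                  "C:\\WINNT\\system32", "runas.exe", sample_exists)) < 0;
}
```

On a real system, pass an existence callback backed by the file system in place of `sample_exists`, and build the directory list from the locations the SearchPath() documentation names.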