RE: "run as" local denial-of-service enables administrative account processes to be killed

["James C. Slora Jr." <james.slora () phra com>]

Eitan Caspi wrote Saturday, June 23, 2007 4:45 PM

> Summary: While a user, at any security membership level, is logged 
> in locally, using the "run as" feature, it can kill all of the 
> processes running under the user who initiated the "run as"
> feature, even if the
> initiating user has a security membership level higher than the 
> user initiating the killing action under "run as". The kill is 
> performed using the taskkill.exe application which is built into 
> Windows XP.

It's true Microsoft does not display a unified front on such security
issues, and they sometimes have conflicting advice on their site.

But Runas is more useful for escalating privilege than for downgrading
it.

Anything running on your interactive desktop can interact with anything
else running on it, regardless of the security context that started each
app. So privilege-lowering conveniences like Runas or even desktop VMs
are absolutely subject to the possibility of cross-context interaction.

There are security context checks built into many functions, and you did
find one that does not have things as locked down as they should be, but
these locks and checks are vector-specific and do not address the basic
exploit potential directly.

I don't see a lot of exploits of this potential, but it is designed into
Windows and needs to be there for you to be able to interact with the
apps yourself. So running an interactive sandbox on a trusted system
will inherently increase your risks.

See KB327618 for more info.

- Jim