Re: Windows XP 'logon screen' runs as system account

["Ryan Permeh" <ryan () eEye com>]

get a copy of process exploder from the nt4 resource kit.  note this is
process exploder, not process explorer.  Now, process exploder has the
ability to tell what priv levels individual threads are at, and if i
remember correctly, the quotas associated with each thread context.

LOCAL_SYSTEM is higher than adminsitrator, and typically offers many more SE
privs than an administrator would need.  your code may need to issue a
reverttoself if your thread is actually not executing with system priv
levels.  I haven't actually played with this right now, so i can't give any
details.  however, since it requires administrative privs to begin with, the
only real attack i can see on this would be convicing a stupid admin to
download a trojan theme.  The same problem could be done by sending a .scr
screensaver, or any type of trojan, since it is likely that any
admininstrator who changes a server logon screen with an untrused, outside
binary is likely to be attacked by something like this just as easy.

This would kind of fall under what we call a subversion of function attack,
where a plugable system can potentially execute arbitrary code.  Many plugin
systems are vulnerable to these types of attacks, however, by limiting
exposure to the administrative group, the exploitation of this vulnerability
falls more under a type of social attack against the user rather than a
technical attack against the machine itself.  However, if one of these third
party logon switch screens is improperly coded, there may be an additional
technical attack against it beyond the scope of what you are suggesting.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "Menso Heus" <menso () r4k net>
To: <vuln-dev () securityfocus com>
Sent: Friday, December 21, 2001 6:06 PM
Subject: Windows XP 'logon screen' runs as system account


> Hi,
>
> Recently I discovered that the process that shows the windows xp logon
> screen (logonui.exe in your \winnt\system32\ folder) runs as the
> 'system' user. This process gets started whenever the user logon
> screen gets shown, this is either after booting up Windows XP or
> when switching users.
>
> In my experience so far the system account in Windows NT/2000 has
> (almost?) the same rights as the Administrator account.
> I decided it might be nice to kick it a bit in order to see if I
> could make it do things it isn't supposed to do.
>
> I replaced the logonui.exe file with the task manager (which showed
> the user 'system' owns the process).
>
> > From the taskmgr.exe process I tried spawning a new process, cmd.exe.
> I received the error "Not enough quota available to process this command.'
>
> I received the same error when I replaced the logonui.exe file directly
> with cmd.exe. The command prompt would actually show, but any commands
> not built into cmd.exe itself would not run.
>
> After this I replaced the file with NT4's usrmgr.exe to see if I had
> rights enough to adjust user settings. It turns out that this is also
> restricted.
>
> I also wrote some programs myself to try to push a user from the normal
> user group into the admin group through the ADSI interface, but this
> didn't work out either.
>
> Please note that the logonui.exe file can only be replaced by a user
> that already has administrative rights.
>
> The thing is that a lot of Windows XP users are actually replacing this
> file with copies they download of the net. From sites such as
> www.themexp.org it is possible to download 'customized logon screens'
> which show your favorite actor or sports car or whatever.
>
> I would like to warn for the fact that, since Microsoft chose to use a
> binary format for a file that only contains some info on where to place
> what pictures during logon and the pictures themselves, it is trivial to
> write a trojan that fakes a logon screen and e-mails the entered
> usernames & passwords. I have already written & tested one succesfully
> on my home network.
>
> It is unclear to me why Microsoft chose to use a binary format for a
> file that, as far as I can see, contains nothing more than layout info.
> History has already proved that users will gladly trade in security if it
> means they can see some chick or something funny during the logon process.
>
> Still, a trojan ofcourse isn't a security bug. Since I do not know how
> they restricted the system account I would like to ask you for advice
> on this. I have a feeling that it hasn't been done nicely, though I
> can't really tell why, probably because I don't understand *how* it
> has been done :)
>
> Any help with this would be greatly appreciated,
>
> Menso
>
> --
> ---------------------------------------------------------------------
> Anyway, the :// part is an 'emoticon' representing a man with a strip
> of sticky tape across his mouth.   -R. Douglas, alt.sysadmin.recovery
> ---------------------------------------------------------------------