RE: [in] [Full-Disclosure] MS Windows Screensaver Privilege Escalation
- To: "'Matthew Walker'" <mattofak@xxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [in] [Full-Disclosure] MS Windows Screensaver Privilege Escalation
- From: "Curt Purdy" <purdy@xxxxxxxxxx>
- Date: Wed, 24 Nov 2004 20:42:14 -0600
Matthew Walker wrote:
> The Original Post is http://www.securityfocus.com/bid/11711
>
> On Windows XP all releases, when you replace, or change the
> screensaver displayed on the login screen with a specially
> crafted version designed to execute programs, those programs
> are launched under the SYSTEM SID, i.e. they are given
> automatically the highest access level available to Windows.
> This level is not accessible even to administrators.
<snip>
Nice find, Matthew. But this is amazingly bad. Though I only run windoze as
a VM under SuSE, this has made me decide to shut the VM down rather than let
it run with a locked screen saver.

My choice now is to either run it with such a short lock period that I will
constantly have to take time to log back in, or just shut it down every time
I leave my desk and restart the VM when I need it (less and less these
days). I have chosen the latter as the least time consuming.

Amazing that M$ has decided to disregard the hole... no, more like a valley.
I can just imagine all the company crackers walking around with a trojaned
logon.scr on their USB stick looking for unattended boxes.
Curt Purdy CISSP, GSEC, CNE, MCSE+I, CCDA
Information Security Engineer
DP Solutions
-----------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html