Re: [Full-Disclosure] MS Windows Screensaver Privilege Escalation

[David Vincent <support@xxxxxxxxxxxxxxxx>]

> > > MW> To Whom it May Concern;
> > > MW> The Original Post is http://www.securityfocus.com/bid/11711
> > >
> > > MW> On Windows XP all releases, when you replace, or change the
> > > MW> screensaver displayed on the login screen with a specially crafted
> > > MW> version designed to execute programs, those programs are launched
> > > MW> under the SYSTEM SID, IE: they are given automatically the highest
> > > MW> access level avalible to Windows.  This level is not accessible even
> > > MW> to administrators.
> > >
> > > MW> This flaw is important because while one would need Power User
> > > MW> privledges or above to change the Login Screensaver, by default, any
> > > MW> user with the exception of guest can replace the login screensaver
> > > MW> file with a modified version.  In theory, any determined user could
> > > MW> execute ANYTHING with SYSTEM privledges.  A similar flaw exists in
> > > MW> Win2K, but Microsoft has ignored it.
> > >
> > > MW> Sincerly;
> > > MW> Matt Walker

i've used the technique on this page to rescue a windows 2000 domain 
controller's admin account since the pnordhal diskette won't help:

http://www.jms1.net/nt-unlock.html

similar instructions for windows 2003 are here:

http://www.nobodix.org/seb/win2003_adminpass.html

-d

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html