On Wed, 2006-01-18 at 12:07 -0600, Paul Schmehl wrote:
> I understand *that*. My question is, what are you granting them "su"
> *for*? The entire kettle of fish? Or specific tasks. The privilege only
> allows you to impersonate a *client* (as in server-client), so (I would
> think) you can't do file browsing or http parsing (or can you?)

Right. Unless the user can find a way of running as a "logged on user" or such. A user might be able to run an exploit script that takes advantage of the ImpersonateClient and launches a cmd.exe locally. Think of Attempted Privilege Execution rather than Attempted Privilege Escalation since you already have the privilege escalated through this right.... just need to find a way to put it to use. Remembering stunts like using the scheduler to run cmd.exe interactively or as a screensaver, getting to the point of doing something useful with that right shouldn't be too hard.

What are you granting them su for? Perhaps for a mail migration utility that runs as administrator, but assumes the security context of a user to read email from his mailbox (yeah, admin can do that, this is just an example). Or for running a script remotely against a user workstation that sets certain things in the Registry in the user context (to gain access to the Secure Storage or such).

> Unfortunately, in the context of my problem, the users must have this
> right.

What circumstance requires you to turn that right on, if you don't mind me asking?

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/