[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: Question for the Windows pros

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Re: Question for the Windows pros
From: "Dave Korn" <davek_throwaway@xxxxxxxxxxx>
Date: Thu, 19 Jan 2006 15:01:49 -0000

Paul Schmehl wrote in news:88FAB09D4B4C0A80874E16A4@xxxxxxxxxxxxxxxxxxxxx

> This is how I understand the process:
>
> 1) Joe, who is a User, launches the custom installer (through a login
> script)
> 2) The install process begins running under Joe's credentials (User)
> 3) At some point in the install process, elevated privileges are required
> to continue
> 4) Joe doesn't have them, but he has the Impersonate privilege.
> 5) Joe's process requests the credentials embedded in the custom installer

  No.  They aren't embedded in the installer.  They are the credentials 
belonging to another process, to which the impersonator is connected, via a 
pipe or LPC port, that the impersonator holds the server end of.

> 6) Joe's process uses those credentials to complete the install, then
> relinquishes them
>
> This means that the exposure, when granting the privilege, is as follows:
> 1) If you can launch a process on the local machine AND
> 2) The process has embedded credentials that are different from the user
> launching the process THEN
> 3) The user gains those credentials' privileges ***for the length of that
> process***

  It is indeed the case that a process that is impersonating cannot pass on 
the impersonated credentials to a child process.  However, credentials are 
not "embedded" in processes, or in executables; ultimately, they come from 
the SAM or AD.

>> From a hacker standpoint, this means that you would already need elevated
> privileges in order to take advantage of the user's right to impersonate.
> This is a fairly low risk.
>
> So, why did M$ decide to remove this right from the user?  Because it
> prevents them from installing software on the box.

  It could in theory be abused to escalate privileges.

> OK, shoot holes in my theory.

  As I said in another post in this thread, I'm writing a fuller explanation 
that I'll post later when I get time to finish it up.

  cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Re: Question for the Windows pros
  - From: Paul Schmehl
- Re: [Full-disclosure] Re: Question for the Windows pros
  - From: Nicolas RUFF

References:
- [Full-disclosure] Question for the Windows pros
  - From: Paul Schmehl
- Re: [Full-disclosure] Question for the Windows pros
  - From: Stuart Dunkeld
- Re: [Full-disclosure] Question for the Windows pros
  - From: Paul Schmehl
- Re: [Full-disclosure] Question for the Windows pros
  - From: Frank Knobbe
- Re: [Full-disclosure] Question for the Windows pros
  - From: Paul Schmehl
- Re: [Full-disclosure] Question for the Windows pros
  - From: Frank Knobbe
- Re: [Full-disclosure] Question for the Windows pros
  - From: Paul Schmehl

Prev by Date: Re: [Full-disclosure] PC Firewall Choices
Next by Date: Re: [Full-disclosure] Re: PC Firewall Choices
Previous by thread: [Full-disclosure] Re: Question for the Windows pros
Next by thread: Re: [Full-disclosure] Re: Question for the Windows pros
Index(es):
- Date
- Thread