[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Microsoft Windows Live Messenger Live Call Local Privilege Escalation Vulnerability

To: monikerd <monikerd@xxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft Windows Live Messenger Live Call Local Privilege Escalation Vulnerability
From: "David Maciejak" <david.maciejak@xxxxxxxxx>
Date: Sun, 19 Aug 2007 22:45:21 +0200

> David Maciejak wrote:
> > Hi,
> >
> > Playing around with privilege escalation I found that WLM 8.0, 8.1 and
> > probably newer (since live call feature in fact) are vulnerable to a local
> > privilege escalation issue. It's not a critical flaw.
> > The problem occurs when livecall.exe process is launch.
> > The first time, the user need to click on phone icon after that each time
> > it connect back on WLM the livecall.exe process is autolaunch.
> > Quotes must be missing when this process is launch through svchost.exe
> > because it tries first to launch Program.exe file at root default windows 
> > drive.
> > Then, to exploit this issue the malicious user need to have enough write
> > permission on default root path and wait for a more privilege user to
> > connect to the local WLM.
> >
> >
> Wow, you might need to take the time to put that sequence of words into
> sentences. Using punctuation, capital letters, and structure:-)

Sorry I write it too quickly :)

> Basically what I analyze, is that if you have the rights to replace a file
> with an *evil* exe it would get executed by somebody else.
>
> The real issue is, if there is in fact a privilege mismatch?

As you said any program can be execute just by writing it as Program.exe.

david maciejak

>
> > I have contacted Microsoft Security Team about that on July 11 2007,
> > for them "this does not appear to be a security vulnerability". I
> > don't think a patch will be addressed soon.
> >
> > cheers,
> > David Maciejak
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Microsoft Windows Live Messenger Live Call Local Privilege Escalation Vulnerability
  - From: David Maciejak
- Re: [Full-disclosure] Microsoft Windows Live Messenger Live Call Local Privilege Escalation Vulnerability
  - From: monikerd

Prev by Date: Re: [Full-disclosure] Microsoft Windows Live Messenger Live Call Local Privilege Escalation Vulnerability
Next by Date: [Full-disclosure] [SECURITY] [DSA 1357-1] New koffice packages fix arbitrary code execution
Previous by thread: Re: [Full-disclosure] Microsoft Windows Live Messenger Live Call Local Privilege Escalation Vulnerability
Next by thread: [Full-disclosure] [SECURITY] [DSA 1357-1] New koffice packages fix arbitrary code execution
Index(es):
- Date
- Thread