Home page logo

fulldisclosure logo Full Disclosure mailing list archives

MS Windows Screensaver Privilege Escalation
From: Matthew Walker <mattofak () gmail com>
Date: Wed, 24 Nov 2004 20:36:14 +0300

To Whom it May Concern;
The Original Post is http://www.securityfocus.com/bid/11711

On Windows XP all releases, when you replace, or change the
screensaver displayed on the login screen with a specially crafted
version designed to execute programs, those programs are launched
under the SYSTEM SID, IE: they are given automatically the highest
access level avalible to Windows.  This level is not accessible even
to administrators.

This flaw is important because while one would need Power User
privledges or above to change the Login Screensaver, by default, any
user with the exception of guest can replace the login screensaver
file with a modified version.  In theory, any determined user could
execute ANYTHING with SYSTEM privledges.  A similar flaw exists in
Win2K, but Microsoft has ignored it.

Matt Walker

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]