mailing list archives
RE: [in] MS Windows Screensaver Privilege Escalation
From: "Curt Purdy" <purdy () tecman com>
Date: Wed, 24 Nov 2004 20:42:14 -0600
Matthew Walker wrote:
The Original Post is http://www.securityfocus.com/bid/11711
On Windows XP all releases, when you replace, or change the
screensaver displayed on the login screen with a specially
crafted version designed to execute programs, those programs
are launched under the SYSTEM SID, IE: they are given
automatically the highest access level available to Windows.
This level is not accessible even to administrators.
Nice find Mathew. But this is amazingly bad. Though I only run windoze as
a VM under SuSE, this has made me decide to shut the VM down rather than let
it run with a locked screen saver.
My choice now is to either run it with such a short lock period that I will
constantly have to take time to log back in, or just shut it down every time
I leave my desk and restart the VM when I need it (less and less these
days). I have chosen the later as the least time consuming.
Amazing that M$ has decided to disregard the hole... no, more like a valley.
I can just imagine all the company crackers walking around with a trojaned
logon.scr on their USB stick looking for unattended boxes.
Curt Purdy CISSP, GSEC, CNE, MCSE+I, CCDA
Information Security Engineer
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity zar Richard Clarke
Full-Disclosure - We believe in it.