Full Disclosure mailing list archives

RE: [in] MS Windows Screensaver Privilege Escalation
From: "Curt Purdy" <purdy () tecman com>
Date: Wed, 24 Nov 2004 20:42:14 -0600

Matthew Walker wrote:
The Original Post is http://www.securityfocus.com/bid/11711

On Windows XP all releases, when you replace, or change the 
screensaver displayed on the login screen with a specially 
crafted version designed to execute programs, those programs 
are launched under the SYSTEM SID, IE: they are given 
automatically the highest access level available to Windows.  
This level is not accessible even to administrators.


Nice find, Matthew.  But this is amazingly bad.  Though I only run windoze as
a VM under SuSE, this has made me decide to shut the VM down rather than let
it run with a locked screen saver.  

My choice now is to either run it with such a short lock period that I will
constantly have to take time to log back in, or just shut it down every time
I leave my desk and restart the VM when I need it (less and less these
days).  I have chosen the latter as the least time-consuming.

Amazing that M$ has decided to disregard the hole... no, more like a valley.
I can just imagine all the company crackers walking around with a trojaned
logon.scr on their USB stick looking for unattended boxes.

Information Security Engineer 
DP Solutions


If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
