Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: MS Windows Screensaver Privilege Escalation
From: "Stuart Fox \(DSL AK\)" <StuartF () datacom co nz>
Date: Thu, 25 Nov 2004 17:13:28 +1300



On Windows XP all releases, when you replace, or change the 
screensaver displayed on the login screen with a specially 
crafted version designed to execute programs, those programs 
are launched under the SYSTEM SID, IE: they are given 
automatically the highest access level avalible to Windows.  
This level is not accessible even to administrators.

This flaw is important because while one would need Power 
User privledges or above to change the Login Screensaver, by 
default, any user with the exception of guest can replace the 
login screensaver file with a modified version.  In theory, 
any determined user could execute ANYTHING with SYSTEM 
privledges.  A similar flaw exists in Win2K, but Microsoft 
has ignored it.


Interesting when read in the context of this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;221991&sd=tech 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]