Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: MS Windows Screensaver Privilege Escalation
From: Matt Andreko <mandreko () ori net>
Date: Fri, 26 Nov 2004 13:12:50 -0500

I agree that you should restrict the access physically, however if you can replace that screensaver file, and WindowsXP will execute it as the system user, is this not a flaw as the original poster intended?

You had stated that replacing the screensaver took special privileges, however I was showing a way to get around those means. Sure, if I had physical access to the machine I could do a lot worse, but personally I feel it's a blended problem. It does need to be restricted physically, however I don't think Microsoft should be running screensavers which can easily be replaced as System.

3APA3A wrote:

Dear Matt Andreko,

Ability  to boot machine from bootable to CD is not a problem of Windows
security,  it's  more  problem  of  physical  security.  To prevent your
machine  from  booting  from  bootable CD reliably you can use certified
BIOS  versions  (HP  and  IBM  have few), special marks and devices like
Dallas Lock, Secret Net, etc.

--Friday, November 26, 2004, 6:42:34 PM, you wrote to 3APA3A () SECURITY NNOV RU:

MA> Perhaps this is just an amateurish question, but what if I booted off of
MA> a knoppix cd and replaced the current screensaver with my "specially
MA> crafted" screensaver? Or using the bootdisk at MA> http://home.eunet.no/~pnordahl/ntpasswd/ to edit the registry value?

MA> I know you may think that this is useless, since if you boot off the cd
MA> or disk, you already have better access to the machine, however doing
MA> this method gets you admin access WITHOUT changing the password, correct?

MA> Again, perhaps I'm misunderstanding, but wouldn't this work, and still
MA> show that the vulnerability in the screensaver code is valid, and needs
MA> to be updated?  It could allow someone to get local admin access to the
MA> machine without changing the password.

MA> 3APA3A wrote:

Dear Matthew Walker,

Permissions  for  HKEY_USERS\Control Panel\Desktop allow modification to
only members of Administrators and System.

Power  Users  can  install  software,  so  they  can replace any file in
SYSTEM32  directory,  including  screensaver.  It  allows  to trojan any
system  file  (for example, one can replace winspool.exe with cmd.exe to
obtain  SYSTEM  permissions).  It's  by design and it's documented. Just
never  assign users in Power Users group, as Microsoft recommends you. I
see no security vulnerability here.

--Wednesday, November 24, 2004, 8:36:14 PM, you wrote to
full-disclosure () lists netsys com:

MW> To Whom it May Concern;
MW> The Original Post is http://www.securityfocus.com/bid/11711

MW> On Windows XP all releases, when you replace, or change the
MW> screensaver displayed on the login screen with a specially crafted
MW> version designed to execute programs, those programs are launched
MW> under the SYSTEM SID, IE: they are given automatically the highest
MW> access level avalible to Windows.  This level is not accessible even
MW> to administrators.

MW> This flaw is important because while one would need Power User
MW> privledges or above to change the Login Screensaver, by default, any
MW> user with the exception of guest can replace the login screensaver
MW> file with a modified version.  In theory, any determined user could
MW> execute ANYTHING with SYSTEM privledges.  A similar flaw exists in
MW> Win2K, but Microsoft has ignored it.

MW> Sincerly;
MW> Matt Walker

MW> _______________________________________________
MW> Full-Disclosure - We believe in it.
MW> Charter: http://lists.netsys.com/full-disclosure-charter.html

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]