Full Disclosure mailing list archives

Re: MS Windows Screensaver Privilege Escalation
From: David Vincent <support () sleepdeprived ca>
Date: Fri, 26 Nov 2004 10:45:49 -0800

MW> To Whom it May Concern;
MW> The Original Post is http://www.securityfocus.com/bid/11711

MW> On Windows XP all releases, when you replace, or change the
MW> screensaver displayed on the login screen with a specially crafted
MW> version designed to execute programs, those programs are launched
MW> under the SYSTEM SID, i.e. they are automatically given the highest
MW> access level available to Windows.  This level is not accessible even
MW> to administrators.

MW> This flaw is important because while one would need Power User
MW> privileges or above to change the Login Screensaver, by default, any
MW> user with the exception of guest can replace the login screensaver
MW> file with a modified version.  In theory, any determined user could
MW> execute ANYTHING with SYSTEM privileges.  A similar flaw exists in
MW> Win2K, but Microsoft has ignored it.

MW> Sincerely;
MW> Matt Walker

I've used the technique on this page to rescue a Windows 2000 domain controller's admin account since the pnordhal diskette won't help:


Similar instructions for Windows 2003 are here:



Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
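A defender's check that the thread invites, added here as an example and not taken from either post: it resolves the screensaver Windows runs on the logon screen and lists which principals, outside an assumed trusted set, can write to, delete or take ownership of that file. It assumes the setting is stored at HKEY_USERS\.DEFAULT\Control Panel\Desktop, value SCRNSAVE.EXE (the location Windows uses for the logon screensaver; the post itself does not name it), and that the trusted principal list below suits your build.

```powershell
# Added example: who can modify the logon screensaver file?
# Assumption: logon screensaver comes from HKU\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE.
# Assumption: these principals are the only ones expected to hold write rights.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
# Any of these rights lets a principal swap the file for a different .scr.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, TakeOwnership, ChangePermissions'

function Get-LogonScreensaverPath {
    $key = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
    if (-not $value) { return $null }
    # The value is often a bare file name, which Windows resolves from System32.
    $expanded = [Environment]::ExpandEnvironmentVariables($value)
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path "$env:SystemRoot\System32" $expanded
    }
    return $expanded
}

function Get-UntrustedWriters {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            $findings += [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
    # An untrusted owner can grant itself write access regardless of the current ACEs.
    if ($trusted -notcontains $acl.Owner) {
        $findings += [pscustomobject]@{ Identity = $acl.Owner; Rights = 'Owner' }
    }
    return $findings
}

$scr = Get-LogonScreensaverPath
if (-not $scr) { Write-Output 'No logon screensaver configured (SCRNSAVE.EXE not set).'; exit 0 }
Write-Output "Logon screensaver: $scr"
if (-not (Test-Path -LiteralPath $scr)) { Write-Output 'Configured screensaver file is missing.'; exit 1 }
$bad = Get-UntrustedWriters -Path $scr
if (-not $bad) { Write-Output 'Only trusted principals can modify the file.' }
else { Write-Output 'Principals able to replace the logon screensaver:'; $bad | Format-Table -AutoSize }
```

Run it elevated on each host being audited; a non-empty table is the condition the post describes, and the fix is to restore an ACL that leaves the file writable only by the trusted set.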
