Full Disclosure: Re[2]: MS Windows Screensaver Privilege Escalation

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear Matt Andreko,

If  you  have  permissions  to overwrite system files (Power Users group
have  this permission) and you can overwrite system file (screensaver is
system  file)  there  is no vulnerability. You should think twice before
adding  user  to  Power  Users,  because  Power  User  has  nearly  same
privileges  and  permissions  as  local  Administrators. Users are never
added  to  this  group  automatically,  except  if updated from previous
Windows  version. All users are automatically removed from this group if
you  apply  "secure  workstation"  security  policy,  you  can  also use
"limited  groups"  AD  policy  to  limit  membership  for this and local
Administrators groups.


--Friday, November 26, 2004, 9:12:50 PM, you wrote to 3APA3A () SECURITY NNOV RU:

MA> I agree that you should restrict the access physically, however if you
MA> can replace that screensaver file, and WindowsXP will execute it as the
MA> system user, is this not a flaw as the original poster intended?

MA> You had stated that replacing the screensaver took special privileges,
MA> however I was showing a way to get around those means.  Sure, if I had
MA> physical access to the machine I could do a lot worse, but personally I
MA> feel it's a blended problem.  It does need to be restricted physically,
MA> however I don't think Microsoft should be running screensavers which can
MA> easily be replaced as System.

MA> 3APA3A wrote:

> > Dear Matt Andreko,
> >
> > Ability  to boot machine from bootable to CD is not a problem of Windows
> > security,  it's  more  problem  of  physical  security.  To prevent your
> > machine  from  booting  from  bootable CD reliably you can use certified
> > BIOS  versions  (HP  and  IBM  have few), special marks and devices like
> > Dallas Lock, Secret Net, etc.
> >
> > --Friday, November 26, 2004, 6:42:34 PM, you wrote to 3APA3A () SECURITY NNOV RU:
> >
> > MA> Perhaps this is just an amateurish question, but what if I booted off of
> > MA> a knoppix cd and replaced the current screensaver with my "specially
> > MA> crafted" screensaver?  Or using the bootdisk at 
> > MA> http://home.eunet.no/~pnordahl/ntpasswd/ to edit the registry value?
> >
> > MA> I know you may think that this is useless, since if you boot off the cd
> > MA> or disk, you already have better access to the machine, however doing
> > MA> this method gets you admin access WITHOUT changing the password, correct?
> >
> > MA> Again, perhaps I'm misunderstanding, but wouldn't this work, and still
> > MA> show that the vulnerability in the screensaver code is valid, and needs
> > MA> to be updated?  It could allow someone to get local admin access to the
> > MA> machine without changing the password.
> >
> >
> >
> > MA> 3APA3A wrote:
> >
> >
> > > > Dear Matthew Walker,
> > > >
> > > > Permissions  for  HKEY_USERS\Control Panel\Desktop allow modification to
> > > > only members of Administrators and System.
> > > >
> > > > Power  Users  can  install  software,  so  they  can replace any file in
> > > > SYSTEM32  directory,  including  screensaver.  It  allows  to trojan any
> > > > system  file  (for example, one can replace winspool.exe with cmd.exe to
> > > > obtain  SYSTEM  permissions).  It's  by design and it's documented. Just
> > > > never  assign users in Power Users group, as Microsoft recommends you. I
> > > > see no security vulnerability here.
> > > >
> > > > --Wednesday, November 24, 2004, 8:36:14 PM, you wrote to
> > > > full-disclosure () lists netsys com:
> > > >
> > > > MW> To Whom it May Concern;
> > > > MW> The Original Post is http://www.securityfocus.com/bid/11711
> > > >
> > > > MW> On Windows XP all releases, when you replace, or change the
> > > > MW> screensaver displayed on the login screen with a specially crafted
> > > > MW> version designed to execute programs, those programs are launched
> > > > MW> under the SYSTEM SID, IE: they are given automatically the highest
> > > > MW> access level avalible to Windows.  This level is not accessible even
> > > > MW> to administrators.
> > > >
> > > > MW> This flaw is important because while one would need Power User
> > > > MW> privledges or above to change the Login Screensaver, by default, any
> > > > MW> user with the exception of guest can replace the login screensaver
> > > > MW> file with a modified version.  In theory, any determined user could
> > > > MW> execute ANYTHING with SYSTEM privledges.  A similar flaw exists in
> > > > MW> Win2K, but Microsoft has ignored it.
> > > >
> > > > MW> Sincerly;
> > > > MW> Matt Walker
> > > >
> > > > MW> _______________________________________________
> > > > MW> Full-Disclosure - We believe in it.
> > > > MW> Charter: http://lists.netsys.com/full-disclosure-charter.html
MA> _______________________________________________
MA> Full-Disclosure - We believe in it.
MA> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
Сэр Исаак Ньютон открыл, что яблоки падают на землю. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html