Full Disclosure mailing list archives

Re: EEYE: Windows VDM #UD Local Privilege Escalation
From: kf_lists <kf_lists () secnetops com>
Date: Wed, 13 Oct 2004 22:13:09 -0500

Who says that the attacker has to try to get local access? I am sure you have several potential attackers sitting around you right now (if you are reading this in an office building)? How is ISS going to stop someone from sitting down and logging into a machine they are supposed to have local user level access to (and why would they for that matter)? Just because they are protecting me remotely does not mean they should neglect me locally. I will use a general office setting as an example: I have multiple individuals that need local access to their PCs; they do not, however, need access at an administrative level. Users are not allowed to install software or modify any system settings. I have this wonderful firewall application protecting the machines from remote exploitation and spyware. The local office geek has figured out he can right click on the tray icon and bypass all local restrictions on the machine. What's wrong with this picture?

*flame on*


David Maynor wrote:

It's not that ISS doesn't feel like it's a problem, it's just when you
let an attacker get to the point where they could run a local attack
it's game over. ISS's goal is to stop the attacker from getting close
enough to execute a local attack.

On Wed, 13 Oct 2004 10:30:27 -0400, KF_lists <kf_lists () secnetops com> wrote:
ISS would like to have you believe otherwise...  when I contacted them
about the Local SYSTEM escalation in BlackICE we went in circles over
the fact that I feel that taking local SYSTEM on a win32 box IS a
problem and they don't. They tried to say some crap like "in all our
years in the industry we have never had a customer state that local
windows security was a concern... blah blah (paraphrasing)". And
something along the lines of "Windows is not a true multi-user system
(like unix) so local escalation means nothing."


> Also, at least in MS Windows, it's my personal feeling that local
privilege escalation issues (particularly escalation to kernel or system
status) should be critical issues.  Whether people can run arbitrary
code on MS Windows systems these days isn't an exercise for the mind
anymore, it's an exercise of "go look at your neighbor's computer and see
that it's done regularly".

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
