Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Question for the Windows pros
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 18 Jan 2006 14:01:18 -0600

On Wed, 2006-01-18 at 12:07 -0600, Paul Schmehl wrote:
I understand *that*.  My question is, what are you granting them "su" 
*for*?  The entire kettle of fish?  Or specific tasks.  The privilege only 
allows you to impersonate a *client* (as in server-client), so (I would 
think) you can't do file browsing or http parsing (or can you?)

Right. Unless the user can find a way of running as a "logged on user"
or such. A user might be able to run an exploit script that takes
advantage of the ImpersonateClient and launches a cmd.exe locally. Think
of Attempted Privilege Execution rather than Attempted Privilege
Escalation since you already have the privilege escalated through this
right.... just need to find a way to put it to use. Remembering stunts
like using the scheduler to run cmd.exe interactively or as a
screensaver, getting to the point of doing something useful with that
right shouldn't be too hard.

What are you granting them su for? Perhaps for a mail migration utility
that runs as administrator, but assumes the security context of a user
to read email from his mailbox (yeah, admin can do that, this is just an
example). Or for running a script remotely against a user workstation
that sets certain things in the Registry in the user context (to gain
access to the Secure Storage or such).

Unfortunately, in the context of my problem, the users must have this 

What circumstance requires you to turn that right on, if you don't mind
me asking?


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]