Re: Question for the Windows pros
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 18 Jan 2006 14:01:18 -0600

On Wed, 2006-01-18 at 12:07 -0600, Paul Schmehl wrote:
> I understand *that*. My question is, what are you granting them "su"
> *for*? The entire kettle of fish? Or specific tasks. The privilege only
> allows you to impersonate a *client* (as in server-client), so (I would
> think) you can't do file browsing or http parsing (or can you?)

Right. Unless the user can find a way of running as a "logged on user"
or such. A user might be able to run an exploit script that takes
advantage of the ImpersonateClient and launches a cmd.exe locally. Think
of Attempted Privilege Execution rather than Attempted Privilege
Escalation since you already have the privilege escalated through this
right.... just need to find a way to put it to use. Remembering stunts
like using the scheduler to run cmd.exe interactively or as a
screensaver, getting to the point of doing something useful with that
right shouldn't be too hard.

What are you granting them su for? Perhaps for a mail migration utility
that runs as administrator, but assumes the security context of a user
to read email from his mailbox (yeah, admin can do that, this is just an
example). Or for running a script remotely against a user workstation
that sets certain things in the Registry in the user context (to gain
access to the Secure Storage or such).

> Unfortunately, in the context of my problem, the users must have this

What circumstance requires you to turn that right on, if you don't mind

It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
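
A defender's check for the situation discussed in this thread, as an added example that is not part of the original message: list which principals hold the impersonation right and flag any beyond the Windows defaults. It assumes the right in question is SeImpersonatePrivilege ("Impersonate a client after authentication") and that the input is a `secedit /export /areas USER_RIGHTS` file; the sample export and the `migration_svc` account are constructed.

```python
import configparser

# Assumption: the right discussed in the thread is "Impersonate a client
# after authentication", exported by secedit as SeImpersonatePrivilege.
PRIVILEGE = "SeImpersonatePrivilege"

# Well-known SIDs that hold the right by default on Windows.
DEFAULT_HOLDERS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
}

# Constructed sample of a user-rights export (not taken from a real host).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-32-545,migration_svc
[Version]
signature="$CHICAGO$"
Revision=1
"""


def holders(export_text, privilege=PRIVILEGE):
    """Return the principals (SIDs or account names) granted `privilege`."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of privilege names
    parser.read_string(export_text)
    if not parser.has_section("Privilege Rights"):
        return []
    raw = parser["Privilege Rights"].get(privilege, "")
    # secedit prefixes SIDs with '*'; unresolved account names have no prefix.
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]


def unexpected_holders(export_text, allowed=DEFAULT_HOLDERS):
    """Principals holding the right that are not on the default allow-list."""
    return [p for p in holders(export_text) if p not in allowed]


if __name__ == "__main__":
    for principal in unexpected_holders(SAMPLE_EXPORT):
        print(f"review grant of {PRIVILEGE} to {principal}")
```

In the constructed sample, the grant to S-1-5-32-545 (BUILTIN\Users) is the kind of assignment the thread is questioning.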