Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Question for the Windows pros
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Thu, 19 Jan 2006 15:01:49 -0000

Paul Schmehl wrote in news:88FAB09D4B4C0A80874E16A4 () utd59514 utdallas edu

This is how I understand the process:

1) Joe, who is a User, launches the custom installer (through a login
2) The install process begins running under Joe's credentials (User)
3) At some point in the install process, elevated privileges are required
to continue
4) Joe doesn't have them, but he has the Impersonate privilege.
5) Joe's process requests the credentials embedded in the custom installer

  No.  They aren't embedded in the installer.  They are the credentials 
belonging to another process, to which the impersonator is connected, via a 
pipe or LPC port, that the impersonator holds the server end of.

6) Joe's process uses those credentials to complete the install, then
relinquishes them

This means that the exposure, when granting the privilege, is as follows:
1) If you can launch a process on the local machine AND
2) The process has embedded credentials that are different from the user
launching the process THEN
3) The user gains those credentials' privileges ***for the length of that

  It is indeed the case that a process that is impersonating cannot pass on 
the impersonated credentials to a child process.  However, credentials are 
not "embedded" in processes, or in executables; ultimately, they come from 
the SAM or AD.

From a hacker standpoint, this means that you would already need elevated
privileges in order to take advantage of the user's right to impersonate.
This is a fairly low risk.

So, why did M$ decide to remove this right from the user?  Because it
prevents them from installing software on the box.

  It could in theory be abused to escalate privileges.

OK, shoot holes in my theory.

  As I said in another post in this thread, I'm writing a fuller explanation 
that I'll post later when I get time to finish it up.

Can't think of a witty .sigline today.... 

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]