From: Nero, Nick (Nick.Nero_at_disney.com)
Date: Mon Oct 28 2002 - 17:09:27 CST


    You could always try the security templates made by the NSA for Win2k, as I believe they apply ACLs to these system files specifically to stop a lot of these attacks. Find them here: http://www.nsa.gov/snac/win2k/download.htm. We make and use our own where I work to stop a lot of these shenanigans.

    I haven't used them but, hey, it's the NSA so it HAS to be secure, right? (to anyone who is tapping this wire, it is just a joke!)

    Nick Nero
    CISSP, MCSE, MCSA, CCNA, CCA
    The Disney Company

    -----Original Message-----
    From: Knud Erik Højgaard [mailto:knudskodliv.dk]
    Sent: Monday, October 28, 2002 12:37 PM
    To: focus-ms@securityfocus.com
    Subject: Re: Privilege escalation attack

    > From: "Eric Howard" dlydl7502sneakemail.com
    [snip]
    > Scenario:
    >
    > I (who am logged in as Administrator) am having a network connectivity
    > problem. I drop to a command line prompt and type 'nbstat', that's
    > right 'nbstat', which is a typo. A batch file in the WINNT directory
    > created by user with normal access privileges called 'nbstat.bat'
    > executes. It dutifully reports "'nbstat' is not recognized as an
    > operable program or batch file." and executes whatever code it wants
    > with Administrator privileges. The fake error message pretty much
    > guarantees I won't notice this.
    >
    > Far-fetched? Ask yourself if you have ever made a typo at the command
    > line? Microsoft has made a GRAVE ERROR by allowing a system directory
    > to be world-writable. People need to be aware of this problem and
    > some action needs to be taken so this can be fixed.

    Naming a file cmd.exe and placing it in the root of %SYSTEMDRIVE% will happily run this instead of the one in %SYSTEMROOT% if 'cmd' is invoked from the start/run box, regardless of my systemdrive (E:) being later in the path than my systemroot. I believe this is old news...

    --
    Knud Erik Højgaard
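
The attacks in this thread work because an unqualified command name is resolved through the current directory and then each PATH entry in turn, and one of those directories (the WINNT directory in Eric's scenario, the root of the system drive in Knud's) lets a non-administrator drop a file there. The script below is an added example, not code from the thread or from the NSA templates: it enumerates those search directories, reports the ones whose ACL grants a non-administrative principal the right to create or write files, and lists any executables already sitting in them so a planted 'nbstat.bat' or 'cmd.exe' stands out. The principal names are assumed for an English-locale install, and the script only inspects Allow ACEs (a Deny ACE that cancels one of them is not taken into account).

```powershell
# Added example: audit the directories an unqualified command name resolves
# through and flag the ones a non-admin can plant a file in.
# Run from an elevated PowerShell prompt. Not part of the original thread.

# Principals that represent "any logged-on user"; names assumed for an
# English-locale Windows install.
$suspectPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow dropping or replacing a file in a directory. CreateFiles
# (= WriteData) is the bit that matters; Write, Modify and FullControl all
# include it.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeRights = $fsr::CreateFiles -bor $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl

function Get-SearchDirectories {
    # cmd.exe resolves an unqualified name by looking in the current directory
    # first, then in each PATH entry in order, trying each PATHEXT extension
    # (.COM, .EXE, .BAT, .CMD, ...) per directory before moving on. The
    # Start/Run box starts with the root of the system drive as its current
    # directory, which is why a cmd.exe placed there wins over the real one.
    $dirs = @("$env:SystemDrive\")
    $dirs += ($env:Path -split ';') | Where-Object { $_ -ne '' }
    $dirs |
        ForEach-Object { [System.Environment]::ExpandEnvironmentVariables($_) } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
        Select-Object -Unique
}

function Test-WritableByNonAdmin {
    # Returns the first suspect principal with file-create rights on $Path,
    # or $null if none. Only Allow ACEs that apply to the directory itself
    # are considered; inherit-only ACEs affect children, not this folder.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($suspectPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

function Get-ExecutablesIn {
    # Files with an executable extension already present in a directory.
    # In a writable search directory, every one of these is a candidate
    # shadow for a typo'd or unqualified command.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.com', '.exe', '.bat', '.cmd' } |
        Select-Object -ExpandProperty Name
}

$findings = foreach ($dir in Get-SearchDirectories) {
    $who = Test-WritableByNonAdmin -Path $dir
    if ($who) {
        [pscustomobject]@{
            Directory   = $dir
            WritableBy  = $who
            Executables = (Get-ExecutablesIn -Path $dir) -join ', '
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No search-path directory is writable by a non-administrative principal.'
}
```

Any directory the script reports is one where the 'nbstat.bat' trick applies to every administrator who mistypes a command while that directory is ahead of the real binary in the search order, or who runs from the Start/Run box with that directory as the current directory. The fix is the one Nick points at: tighten the ACL so only Administrators and SYSTEM can create files there, then re-run the script to confirm it comes back clean.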