From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: Thu Oct 31 2002 - 13:36:13 CST

You're missing one thing with your scenario: that batch file will run in the context of the logged-on user. Unless the logged-on user has Administrative rights, or unless the batch file executes a runas (which would mean that the user could view the credentials used for this), there is no privileged execution. Simply dropping a file into system directories does not grant it administrative access.

Laura

> -----Original Message-----
> From: Eric Howard [mailto:dlydl7502sneakemail.com]
> Sent: Monday, October 28, 2002 10:08 AM
> To: focus-mssecurityfocus.com
> Subject: Privilege escalation attack
>
> This is probably not news for many, but I thought I would throw it out for discussion. Microsoft, in my opinion, has committed a grave mistake in the NTFS permission scheme for the WINNT directory. ANY user may create a file in this directory, even AFTER the C2 security rollups are applied.
>
> Why is this an issue? Well, I tend to work a lot on the command line, as do many other people when troubleshooting systems. WINNT is by default in the PATH of every user on the system.
>
> Scenario:
>
> I (who am logged in as Administrator) am having a network connectivity problem. I drop to a command line prompt and type 'nbstat', that's right, 'nbstat', which is a typo. A batch file in the WINNT directory created by a user with normal access privileges called 'nbstat.bat' executes. It dutifully reports "'nbstat' is not recognized as an operable program or batch file." and executes whatever code it wants with Administrator privileges. The fake error message pretty much guarantees I won't notice this.
>
> Far-fetched? Ask yourself if you have ever made a typo at the command line. Microsoft has made a GRAVE ERROR by allowing a system directory to be world-writable. People need to be aware of this problem and some action needs to be taken so this can be fixed.
>
> -- Eric --
>
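The thread turns on one fact both posters agree on: a file planted in a PATH directory runs with whatever rights the person who types the command has, so the risk is a directory on the PATH that unprivileged principals can write to. The following PowerShell function is an added example (not code from either poster) that audits that condition on the local machine: it walks every directory on the current PATH, reads its ACL, and reports any Allow entry that gives a broad principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE; the list is an assumption and can be extended) the right to create files or subdirectories. The function name and parameter names are mine; the FileSystemRights flag values are the standard .NET ones.

```powershell
# Added example, not part of the original thread.
# Lists PATH directories where a broad, unprivileged principal may create
# files (the precondition for the 'nbstat.bat' typo scenario).
function Get-WritablePathDirectories {
    param(
        # Directories to audit; defaults to the current process PATH.
        [string[]] $Directories = ($env:PATH -split ';' | Where-Object { $_ -ne '' }),
        # Principals that stand for "any user" on a typical workstation (assumed list).
        [string[]] $BroadPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )

    # CreateFiles (== WriteData) and AppendData (== CreateDirectories) are the
    # bits that let a user drop a new file into the directory. Modify, Write
    # and FullControl all include these bits, so one mask covers them.
    $writeBits = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData

    foreach ($dir in ($Directories | Select-Object -Unique)) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dir)
        if (-not (Test-Path -LiteralPath $expanded -PathType Container)) { continue }

        $acl = Get-Acl -LiteralPath $expanded
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notin $BroadPrincipals) { continue }
            if (($ace.FileSystemRights -band $writeBits) -eq 0) { continue }

            [pscustomobject]@{
                Directory = $expanded
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: run in an elevated or normal shell; an empty result means no PATH
# directory grants create rights to the broad principals above.
Get-WritablePathDirectories | Format-Table -AutoSize
```

Any directory that appears in the output is one where a planted file would be found by PATH lookup; the remedy is to remove that create/write grant from the directory's ACL rather than to rely on users noticing a fake error message. Note that a Deny entry for BUILTIN\Users also affects administrators, who are members of that group, so editing the Allow entry is usually the cleaner fix.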