> This begs the question, does the user have the privilege to stop and
> start services? And can the user change the contents of these
> environmental variables?
1/ Services are like any Windows object, they are protected by
DACL/SACL. You can list user rights on services using many tools, such
as the SC command from Windows Resource Kit:
C:\>sc sdshow alerter
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
[ This is SDDL language, have a look on Google or MSDN if you want to
know more ]
There has been a thread recently on the subject of services ACL:
http://sainstitute.org/archive/1/378514/2004-10-13/2004-10-19/0
And yes, users have the right to start/stop “some” services. I cannot
remember the full list right now, but it is around 10 services.
2/ Did someone mention that the default screen saver will run as SYSTEM
when no one is logged on? This technique still requires "off line"
access to the NTFS file system, though.
3/ I think the conclusion of this thread is that Windows is quite a
secure OS; you need a "real" exploit to increase your user rights.
However there has always been many more local exploits than remote.
Remember POSIX and OS/2 subsystems exploitation, Debugging Subsystem
exploitation (DebPloit), 16-bit subsystem exploitation (NTVDM),
predictable named pipes impersonation, and the quite new Shatter Attacks
that hold endless possibilities...
My favorite is:
F1/Jump to URL.../CMD.EXE
targeting a window running under the SYSTEM context. It works well
against antivirus, personal firewalls and the like.
http://lists.virus.org/bugtraq-0310/msg00230.html
Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail: nicolas.ruff (at) edelweb.fr
-----------------------------------
