Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Admin rights via backdoors

from [Demonic Software] Network Security [Permanent Link]
Subject: Re: Admin rights via backdoors
Date: Fri, 9 Mar 2007 13:59:12 -0600 
It seem like under the general assumption where the developer is using
their own access rights seems flawed, because the developer could code
something in their that performs something like a connect back after a
port knock.

In an example scenario, the developer could employ a listener on a
port, and when a probe or some other msg is sent to that port, the
application sends a shell to the remote host on another port hard
coded into the source.

When the connect back is performed, I think is would be performed with
the privileleges held by the application process that spawns the
shell.  Then depending how the set-up is the developer can possibly
escalate their privileges and set-up their own account.  I am not sure
if this would actually fly in an AD environment, since I have never
worked in an AD environment, so admittedly I could be wrong about this
scenario.

Does this type of scenario fit what you were looking for?

As far as code goes,  I am not sure how to shovel out the shell from
an application, but the process would be the following:

1) Start exe
2) spawn a listener thread on the port
3) other thread does something, the listener thread waits for a knock
at the door
4) listener hear knock, looks at IP addr, starts a connection to IP,
and then a PIPE between a cmd shell IP, while the remote host listens
for the connection with netcat or something

Adam


On 3/9/07, WALI <hkhasgiwale@gmail.com> wrote: 
Hi Guys

I do understand the risks of seeing open ports on servers using nmap/nessus
but need to demonstrate a concept to my managers, the need for segregating
software developers and production environments, especially pertaining to
an financial application being built in-house.

I maintain that getting admin rights into an application while bypassing
logical access controls flowing down from Active directory or OS level is
trivial for a programmer if he hard codes some backdoor entry ports replete
with usernames and passwords. They disagree that if they have no AD rights
granted on the resource (different AD domains / filers etc), there is no
reason to physically isolate developers from production.

Is my contention conceptually correct? How can I demonstrate this with a
dummy application?



[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  New rootkit detection tool, user
Next by Date:  RE: System service grapher, Scott Ramsdell
Previous by Thread:  Re: Admin rights via backdoors, Adam Pridgen
Next by Thread:  RE: Hacking Book / Information, lee
Indexes:  [Date] [Thread] [Top] [All Lists]