October 28th, 2002, 10:22 PM
Escalation of rights in NT/2k
Ok, here goes. Last week, I attended the Network Security Fundamentals course for the SCNP program. You can find information about it here. Among the topics we covered in the class were a few exploits. Apparently, it's pretty easy to take advantage of the default path since it includes both the \WINNT\SYSTEM32 and \WINNT by default. Picture this: you or someone else with administrative privileges to the network may often work from a run prompt or command line. By any available means, someone could copy a batch file with the same name as the normal executable to a location in the PATH, preferably in the first location, and rename the valid one. Inside the batch file, the attacker could execute the command necessary to promote a user's group membership from a command line, after which the renamed executable would be run, giving the Administrator the program/utility they were attempting to access. Now, by default, a Command prompt would flash on the screen, and could be noticed easily by the Administrator. However, the attacker could easily minimize this window, or even get rid of it altogether. The example we used in class was regedit. Now, the thing with Windows 2000 is that it will rebuild or replace a renamed system file such as this one once it detects that it has been renamed/removed. We were reminded of this when we renamed regedit.exe to regeditr.exe, and lo and behold, another one appeared to take its place. We got around this by placing the batch file called regedit.bat in a higher location in the PATH so it was found first. In this case, the System32 directory is parsed first, so that's where we put it. Afterwards, it worked like a charm. When all was said and done, we had a normal user account that was bumped up to an Administrator.
Just think, it doesn't have to be a server; it could be that your Techs have Administrative access to the machines in your office space to perform their duties; however, occasionally, someone (such as yourself) may have to log into a machine - or could be led to do so in the course of troubleshooting a problem - and wham! Just like that, you have granted the insider Domain Administrator privileges without even knowing it. I know you may be thinking: what about the batch file? That could easily be deleted automatically, or manually, erasing all shreds of evidence that could implicate the attacker. Below, I have attached an email that I received a few days after I took the class, coincidentally speaking of pretty much the same exploit!
From: Eric Howard [mailto:firstname.lastname@example.org]
Sent: Monday, October 28, 2002 10:08 AM
Subject: Privilege escalation attack
This is probably not news for many, but I thought I would throw it out for
discussion. Microsoft, in my opinion, has committed a grave mistake in
the NTFS permission scheme for the WINNT directory. ANY user may create a
file in this directory, even AFTER the C2 security rollups are applied.
Why is this an issue? Well, I tend to work a lot on the command-line, as
do many other people when trouble-shooting systems. WINNT is by default
in the PATH of every user on the system.
I (who am logged in as Administrator) am having a network connectivity
problem. I drop to a command line prompt and type 'nbstat', that's
right, 'nbstat', which is a typo. A batch file in the WINNT directory
created by a user with normal access privileges called 'nbstat.bat'
executes. It dutifully reports "'nbstat' is not recognized as an
operable program or batch file." and executes whatever code it wants with
Administrator privileges. The fake error message pretty much guarantees I
won't notice this.
Far fetched? Ask yourself if you have ever made a typo at the Command
line? Microsoft has made a GRAVE ERROR by allowing a system directory to
be world writeable. People need to be aware of this problem and some
action needs to be taken so this can be fixed.
-- Eric --
I know this is more than likely already known, but I thought it was good information for the community anyway. Enjoy!
Opinions are like holes - everybody's got 'em.
October 29th, 2002, 12:11 AM
Yes it seems daft that some of the directories in the PATH are world writeable (by default).
However, Windows does not usually run binaries out of the path but instead uses hard-coded full paths for everything, like the "start menu".
Also, many Windows applications are not designed for secure multi-user use, and are installed in world-writable directories by default, or rely on using files in world-writable directories where they may be manipulated by other users.
As there have been so many attempts at making Windows multi-user over the years (for a long time, many multiuser Windows installations had a private "Windows" directory for each user), it is very difficult for applications to make assumptions about how they are supposed to work.
However only in recent years have truly multi-user installations been available and these created their own problems - like Windows NT Terminal server. Needless to say, I expect they're going in the right direction. At least everything is now supposed to be in the user's home directory which is writeable only by that user by default.
October 29th, 2002, 12:26 AM
Wow, this reminds me of viruses that infect legitimate windows 2k/xp services set to load on startup, and are therefore loaded with full system access privileges.
Regarding the system directories, will setting admin-only access privileges on the WINNT directory deny non-admins the ability to write to anything below WINNT, recursively, or will it only deny access to files already existing? I know it won't stop direct system-called writes (dunno if this is the correct term), but will it stop users? If so, it may be a way to reduce the risk of such a vulnerability.
Thanks for the info!
Have you heard about Citrix Metaframe XP? It uses a terminal-server-like environment, and cheap dummy terminals can connect to the server--with only an ethernet wire, a little box the size of a couple pizza-pockets, and a mouse/keyboard/monitor. Amazing, and the overall cost savings, according to an ITS guy from a nearby hospital considering implementing this setup, is roughly 40%. I've seen somewhere an online demo of Metaframe, and it loads visio for people to try, but I can't for the life of me find the link. Hope this info is useful to someone.
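The following is an added example, not code from any post in this thread: a small model of how cmd.exe picks a file for a typed command name (PATH directories left to right, PATHEXT extensions in order within each directory) and an audit that lists the PATH directories an ordinary user could drop a file into before the genuine binary is reached. It covers both the regedit.bat/nbstat.bat cases from the first post and the admin-only ACL question in the last one; the directory layout, file lists and writability flags are constructed, and the current directory (searched first by cmd.exe) is left out of the model.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed defaults matching the NT/2000 setup described in the thread.
DEFAULT_PATH = r"C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\WBEM"
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"

# Constructed filesystem model: directory -> (files present, writable by ordinary users?)
FakeFS = Dict[str, Tuple[Set[str], bool]]

def sample_fs() -> FakeFS:
    return {
        r"C:\WINNT\system32": ({"nbtstat.exe", "cmd.exe"}, True),
        r"C:\WINNT": ({"regedit.exe", "notepad.exe"}, True),
        r"C:\WINNT\system32\WBEM": ({"wbemtest.exe"}, False),
    }

def resolve(command: str, fs: FakeFS, path: str = DEFAULT_PATH,
            pathext: str = DEFAULT_PATHEXT) -> Optional[Tuple[str, str]]:
    """Simplified cmd.exe lookup: every PATHEXT extension is tried in one
    directory before moving to the next, so a .bat in an earlier directory
    shadows an .exe in a later one. Returns (directory, filename) or None."""
    candidates = [command.lower() + ext for ext in pathext.lower().split(";")]
    for directory in path.split(";"):
        files, _ = fs.get(directory, (set(), False))
        for cand in candidates:
            if cand in files:          # NTFS names are case-insensitive
                return directory, cand
    return None

def plant(fs: FakeFS, directory: str, filename: str) -> bool:
    """An ordinary user's attempt to create a file; allowed only by the ACL flag."""
    files, user_writable = fs[directory]
    if user_writable:
        files.add(filename.lower())
    return user_writable

def exposed_dirs(command: str, fs: FakeFS, path: str = DEFAULT_PATH,
                 pathext: str = DEFAULT_PATHEXT) -> List[str]:
    """User-writable directories searched up to and including the winning one.
    Non-empty means the typed name (or a typo of it) can be answered by a
    file an ordinary user planted."""
    winner = resolve(command, fs, path, pathext)
    exposed = []
    for directory in path.split(";"):
        if fs.get(directory, (set(), False))[1]:
            exposed.append(directory)
        if winner and winner[0] == directory:
            break
    return exposed

def harden(fs: FakeFS) -> FakeFS:
    """The mitigation asked about above: deny ordinary users write access to every PATH directory."""
    return {d: (set(files), False) for d, (files, _) in fs.items()}
```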