Windows logon.scr hack

Printable View

Show 40 post(s) from this thread on one page

June 11th, 2003, 12:36 PM
SirDice

Quote:

Originally posted here by Maestr0
(System cannot take ownership so buffer overflow attacks will be much harder to achieve)

This is BS. File ownership has absolutely nothing to do with the security context the file will be run under. SYSTEM would still be able to run the file and it would still contain an exploitable buffer overflow.
June 11th, 2003, 12:55 PM
x acidreign x

anyone tried running mmc from that command window? it seems to me that could give you a few choice options as far as security is concerned, I'm going to try it right now
June 11th, 2003, 09:11 PM
Maestr0

SirDice,
I think you may have misunderstood my comment. I said to allow execute permissions on cmd.exe for admin ONLY(This means deny SYSTEM). That means SYSTEM cannot execute cmd.exe OR take ownership of cmd.exe, this way if someone has found a buffer overflow in a program running under a SYSTEM context then the code will not be able to execute cmd.exe

-Maestr0

EDIT: I see that the original statement was unclear, the statement should have read:
"(System cannot take ownership so buffer overflow attacks <which execute these binaries> will be much harder to achieve)"
June 11th, 2003, 10:37 PM
kroltz

did u try this on SP3 for 2k?

im just interested if u tried this on service pack 3 or not, let me know
June 17th, 2003, 03:59 PM
SirDice

Quote:

Originally posted here by Maestr0
SirDice,
I think you may have misunderstood my comment. I said to allow execute permissions on cmd.exe for admin ONLY(This means deny SYSTEM). That means SYSTEM cannot execute cmd.exe OR take ownership of cmd.exe, this way if someone has found a buffer overflow in a program running under a SYSTEM context then the code will not be able to execute cmd.exe

-Maestr0

EDIT: I see that the original statement was unclear, the statement should have read:
"(System cannot take ownership so buffer overflow attacks <which execute these binaries> will be much harder to achieve)"

That's much clearer and correct ;) It's all a matter of payload. So I think this would only protect you from prebuild exploits (scriptkiddie tools?).

I'm not sure about not being able to take ownership. I think you can still take ownership and nuke the ACL in the process (mental note: must try this out).

Quote:

Originally posted here by kroltz
im just interested if u tried this on service pack 3 or not, let me know

Servicepack/hotfix level has nothing to do with it. The default screensaver (when noone is logged on) will run in the SYSTEM context (this is by design). So if you have no or bad ACLs on %windir% this would still work.

Show 40 post(s) from this thread on one page