Ok, here goes. Last week, I attended the Network Security Fundamentals course for the SCNP program. You can find information about it here. Among the topics we covered in the class were a few exploits. Apparently, it's pretty easy to take advantage of the default path since it includes both the \WINNT\SYSTEM32 and \WINNT by default.

Picture this: you or someone else with administrative privileges to the network may often work from a run prompt or command line. By any available means, someone could copy a batch file with the same name as the normal executable to a location in the PATH, preferably in the first location, and rename the valid one. Inside the batch file, the attacker could execute the command necessary to promote a user's group membership from a command line, after which the renamed executable would be run, giving the Administrator the program/utility they were attempting to access. Now, by default, a Command prompt would flash on the screen, and could be noticed easily by the Administrator. However, the attacker could easily minimize this window, or even get rid of it altogether.

The example we used in class was regedit. Now, the thing with Windows 2000 is that it will rebuild or replace a renamed system file such as this one once it detects that it has been renamed/removed. We were reminded of this when we renamed regedit.exe to regeditr.exe, and lo and behold, another one appeared to take its place. We got around this by placing the batch file called regedit.bat in a higher location in the PATH so it was found first. In this case, the System32 directory is parsed first, so that's where we put it. Afterwards, it worked like a charm. When all was said and done, we had a normal user account that was bumped up to an Administrator.
Just think, it doesn't have to be a server; it could be that your Techs have Administrative access to the machines in your office space to perform their duties; however, occasionally, someone (such as yourself) may have to log into a machine - or could be led to do so in the course of troubleshooting a problem - and wham! Just like that, you have granted the insider Domain Administrator privileges without even knowing it. I know you may be thinking: what about the batch file? That could easily be deleted automatically, or manually, erasing all shreds of evidence that could implicate the attacker. Below, I have attached an email that I received a few days after I took the class, coincidentally speaking of pretty much the same exploit!
-----Original Message-----
From: Eric Howard [mailto:[email protected]]
Sent: Monday, October 28, 2002 10:08 AM
To: [email protected]
Subject: Privilege escalation attack
This is probably not news for many, but I thought I would throw it out for
discussion. Microsoft, in my opinion, has committed a grave mistake in
the NTFS permission scheme for the WINNT directory. ANY user may create
files in this directory, even AFTER the C2 security rollups are applied.
Why is this an issue? Well, I tend to work a lot on the command-line, as
do many other people when trouble-shooting systems. WINNT is by default
in the PATH of every user on the system.
Scenario:
I (who am logged in as Administrator) am having a network connectivity
problem. I drop to a command line prompt and type 'nbstat', that's
right 'nbstat', which is a typo. A batch file in the WINNT directory
created by a user with normal access privileges called 'nbstat.bat'
executes. It dutifully reports "'nbstat' is not recognized as an
operable program or batch file." and executes whatever code it wants with
Administrator privileges. The fake error message pretty much guarantees I
won't notice this.
Far fetched? Ask yourself if you have ever made a typo at the Command
line? Microsoft has made a GRAVE ERROR by allowing a system directory to
be world writeable. People need to be aware of this problem and some
action needs to be taken so this can be fixed.
-- Eric --
I know this is more than likely already known, but I thought it was good information for the community anyway. Enjoy!
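As an added defender-side example (not code from the post, the course or the quoted email), here is a Python audit that models cmd.exe's PATH and PATHEXT lookup order and flags the two conditions described above: a .bat earlier in PATH that shadows a real executable (the regedit case) and a stray script in a directory ordinary users can write to (the nbstat typo case). The sample PATH, directory listings and writability set are constructed, and the function names and finding labels are my own.

```python
import os

# cmd.exe's default PATHEXT order: inside one directory the earliest extension wins
# (regedit.exe beats regedit.bat), but an earlier PATH directory always wins overall.
PATHEXT = [".com", ".exe", ".bat", ".cmd"]
SCRIPT_EXTS = {".bat", ".cmd"}

def audit_path(path_dirs, listing, writable_dirs):
    """path_dirs: PATH entries in search order; listing: dir -> file names;
    writable_dirs: dirs an ordinary user can create files in.
    Returns (kind, subject, detail) findings."""
    findings = [("writable-path-dir", d, None) for d in path_dirs if d in writable_dirs]
    candidates = {}  # command stem -> [(path index, ext rank, dir, name)]
    for i, d in enumerate(path_dirs):
        for name in listing.get(d, ()):
            stem, ext = os.path.splitext(name.lower())
            if ext in PATHEXT:
                candidates.setdefault(stem, []).append((i, PATHEXT.index(ext), d, name))
    for cands in candidates.values():
        cands.sort()
        _, ext_rank, d, name = cands[0]  # the file cmd.exe would actually run
        if PATHEXT[ext_rank] not in SCRIPT_EXTS:
            continue  # a genuine binary wins the lookup; nothing to flag
        binaries = [c for c in cands[1:] if PATHEXT[c[1]] not in SCRIPT_EXTS]
        if binaries:  # script earlier in PATH intercepts a real executable (regedit.bat)
            findings.append(("shadowed-binary", (d, name), (binaries[0][2], binaries[0][3])))
        elif d in writable_dirs:  # orphan script in a world-writable dir (nbstat.bat)
            findings.append(("script-in-writable-dir", (d, name), None))
    return findings

def audit_live_path():
    """Audit this process's PATH. os.access only approximates the NTFS ACL;
    confirm with icacls (or the Security tab) before acting on a hit."""
    dirs = [d for d in os.environ.get("PATH", "").split(os.pathsep) if d]
    listing = {d: os.listdir(d) for d in dirs if os.path.isdir(d)}
    writable = {d for d in listing if os.access(d, os.W_OK)}
    return audit_path(dirs, listing, writable)

# Constructed sample mirroring the post: system32 is searched before WINNT, regedit.exe lives in WINNT, WINNT is writable.
SAMPLE_PATH = [r"C:\WINNT\system32", r"C:\WINNT"]
SAMPLE_LISTING = {
    r"C:\WINNT\system32": ["regedit.bat", "cmd.exe", "nbtstat.exe"],
    r"C:\WINNT": ["regedit.exe", "nbstat.bat", "explorer.exe"],
}
SAMPLE_WRITABLE = {r"C:\WINNT"}

if __name__ == "__main__":
    for finding in audit_path(SAMPLE_PATH, SAMPLE_LISTING, SAMPLE_WRITABLE):
        print(finding)
```

On the sample the audit reports the writable WINNT directory, regedit.bat in system32 shadowing WINNT\regedit.exe, and the orphan nbstat.bat; on a real host, run audit_live_path() from the account whose PATH you care about.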
holes - everybody's got 'em.