COM and Windows 2000

From: Mnemonix (mnemonixat_private)
Date: Sun Sep 05 1999 - 19:28:20 PDT

    Prediction: COM and DCOM are where the major holes in Windows 2000 are going
    to be found.
    
    As an example on Windows 2000 Professional (Beta 3)
    Run regsvr32 /n /i:U shell32.dll
    This registers the shell32.dll - but also note it starts the MSInstaller
    Service (msiexec.exe). regsvr32.exe loads msi.dll and msi.dll uses COM to
    CoCreateInstance() the MSIServer. regsvr32.exe speaks to the SCM
    (svchost.exe), svchost.exe speaks to services.exe and services.exe opens
    the HKCR\AppID\{000C101...} key and reads in the LocalService value of
    MSIServer, navigates to the HKLM\CurrentControlSet\Services\MSIServer key
    and starts the service's image file - msiexec.exe. By changing the
    LocalService value to Spooler, running regsvr32 /n /i:U shell32.dll then
    starts the Spooler service. Easy or what?
    
    Problem 1) Power user has NTFS permissions by default to change spoolsv.exe
    Problem 2) Power user has the Set Value permission for the
    HKCR\AppID\{000C101...} registry key.
    
    Problem 1 + Problem 2 = Power User to Administrator
    
    I haven't tested this yet on Server but I'd imagine this would go for the
    likes of Backup and Server Operators.
    I've written (well I wrote 1/10th and the MFC wizard did the rest ;-) an MFC
    app that will edit the registry (changing MSIServer to Spooler), call
    
    #include <afxdisp.h>   // MFC OLE automation support (COleDispatchDriver)
    COleDispatchDriver cdd;
    // Activating the MSIServer class makes the SCM start whatever service the
    // AppID's LocalService value names.
    cdd.CreateDispatch(_T("{000C101C-0000-0000-C000-000000000046}"));
    
    which starts the spooler service. Copying cmd.exe over spoolsv.exe and
    running the program drops you into a Command Prompt with system privileges.
    
    Talking about copying cmd.exe over spoolsv.exe - the Protected Storage service
    doesn't like it. It'll pop up a window and tell you to set it back. Humour
    the pop-up and click on OK - see spoolsv.exe? That's your cmd.exe disguised
    as spoolsv.exe - right click on it and click on Open - winlogon.exe opens it
    for you - not on your desktop. But who cares - just overwrite spoolsv.exe
    with a program that'll do the dirty work for you.
    
    If anyone wants a copy mail me.
    
    Anyway - did I talk about the telnet service and COM? I did in another mail
    so I won't reiterate here.
    
    While we're at it: A few other things to be fixed before the Final Product
    comes out:
    
    Buffer overrun in regsvr32.exe
    run regsvr32 /n /i:U AAAAAAAAAAlots of AAAAAAs
    Wouldn't like to have that in an INF file.
    
    Buffer overrun in wscript.exe
    
    Should a non-power user be able to add another user account using the net
    user command?
    
    Clicking on Start -> Run
    Explorer looks in the root of the drive for the exe or app for any command
    run from here eg. C:\ before checking the %systemroot% or
    %systemroot%\system32 directory. Not good for trojans.
    
    Been too long a night - so g'nite
    Cheers,
    David Litchfield
    http://www.arca.com
    http://www.infowar.co.uk/mnemonix/
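
    A defender-side audit of the mapping described in the post, added here as example code (not the author's MFC program): it lists every AppID whose LocalService points at a service whose image file or AppID key is writable by non-administrators. The cmdlets are standard PowerShell; the trusted-principal list and the ImagePath parsing are assumptions.

```powershell
# Added audit script (not from the original post). Walks every HKCR\AppID key
# carrying a LocalService value, resolves the service's ImagePath and reports
# the two weaknesses the post combines: non-admin principals able to write the
# image file, and non-admin principals holding Set Value on the AppID key.
# Run elevated; the trusted principal names assume an English-locale Windows.

$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Test-Untrusted([string]$Identity) {
    # Anything outside the trusted list (Users, Power Users, Everyone, ...) is flagged.
    return -not ($TrustedPrincipals -contains $Identity)
}
function Get-ImageFile([string]$ImagePath) {
    # Quoted path: take the quoted part. Unquoted: the first token is good enough
    # for entries like %SystemRoot%\System32\spoolsv.exe.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) { return $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    return $p.Split(' ')[0]
}
function Get-WeakLocalServiceMappings {
    $findings = @()
    foreach ($key in (Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue)) {
        $svcName = (Get-ItemProperty -Path $key.PSPath).LocalService
        if (-not $svcName) { continue }
        $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName" -ErrorAction SilentlyContinue
        if (-not $svc.ImagePath) { continue }
        $exe = Get-ImageFile $svc.ImagePath
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        # WriteData lets a principal replace the file contents; Modify and FullControl
        # include it. Generic-rights ACEs are not decoded here.
        $fileWriters = (Get-Acl -LiteralPath $exe).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::WriteData) -ne 0) -and
            (Test-Untrusted $_.IdentityReference.Value) }
        $keyWriters = (Get-Acl -Path $key.PSPath).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue) -ne 0) -and
            (Test-Untrusted $_.IdentityReference.Value) }
        if ($fileWriters -or $keyWriters) {
            $findings += [pscustomobject]@{
                AppID = $key.PSChildName; Service = $svcName; ImageFile = $exe
                FileWritable = ($fileWriters | ForEach-Object { $_.IdentityReference.Value }) -join ', '
                KeySetValue  = ($keyWriters  | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            }
        }
    }
    return $findings
}

Get-WeakLocalServiceMappings | Format-Table -AutoSize
```

    An empty table means no AppID-to-service mapping on the host is reachable through either of the two permission problems the post lists.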
    