Prediction: COM and DCOM are where the major holes in Windows 2000 are going to be found.

As an example, on Windows 2000 Professional (Beta 3) run

regsvr32 /n /i:U shell32.dll

This registers shell32.dll - but also note it starts the MSInstaller service (msiexec.exe). regsvr32.exe loads msi.dll and msi.dll uses COM to COCreate[an]Instance() of the MSIServer. regsvr32.exe speaks to the SCM (svchost.exe), svchost.exe speaks to services.exe and services.exe opens the HKCR\AppID\{000C101...} key and reads in the LocalService value of MSIServer, navigates to the HKLM\CurrentControlSet\Services\MSIServer key and starts the service's image file - msiexec.exe.

By changing the LocalService value to Spooler, running regsvr32 /n /i:U shell32.dll then starts the Spooler service. Easy or what?

Problem 1) Power user has NTFS permissions by default to change spoolsv.exe
Problem 2) Power user has the Set Value permission for the HKCR\AppID\{000C101...} registry key.
Problem 1 + Problem 2 = Power User to Administrator

I haven't tested this yet on Server but I'd imagine this would go for the likes of Backup and Server Operators.

I've written (well, I wrote 1/10th and the MFC wizard did the rest ;-) an MFC app that will edit the registry (changing MSIServer to Spooler) and call

COleDispatchDriver cdd;
cdd.CreateDispatch(_T("{000C101C-0000-0000-C000-000000000046}"));

which starts the Spooler service. Copying cmd.exe over spoolsv.exe and running the program drops you into a Command Prompt with system privileges.

Talking about copying cmd.exe over spoolsv.exe - the Protected Storage service doesn't like it. It'll pop up a window and tell you to set it back. Humour the pop-up and click on OK - see spoolsv.exe? That's your cmd.exe disguised as spoolsv.exe - right click on it and click on Open - winlogon.exe opens it for you - not on your desktop. But who cares - just overwrite spoolsv.exe with a program that'll do the dirty work for you. If anyone wants a copy mail me.
Anyway - did I talk about the telnet service and COM? I did in another mail so I won't reiterate here.

While we're at it, a few other things to be fixed before the final product comes out:

Buffer overrun in regsvr32.exe: run regsvr32 /n /i:U AAAAAAAAAA (lots of As). Wouldn't like to have that in an INF file.

Buffer overrun in wscript.exe.

Should a non-power user be able to add another user account using the net user command?

Clicking on Start -> Run, Explorer looks in the root of the drive (eg. C:\) for the exe or app for any command run from here before checking the %systemroot% or %systemroot%\system32 directory. Not good for trojans.

Been too long a night - so g'nite.

Cheers,
David Litchfield
http://www.arca.com
http://www.infowar.co.uk/mnemonix/
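The two conditions the post combines (a COM AppID key whose values a low-privilege user can set, and a service image file that user can overwrite) are both ordinary ACL questions, so a defender can audit for them host-wide. The script below is an added example, not code from the original post or its author: it walks every HKCR\AppID key with a LocalService value, resolves the named service's ImagePath, and reports any key or binary that grants modify rights to a low-privilege principal. It assumes an elevated PowerShell 5.1 or later session on a current Windows build (nothing here existed on the Windows 2000 Beta 3 machine in the post); the list of "low-privilege" identities and the function names Get-LowPrivWriter and Get-AppIdServiceExposure are constructed for this example.

```powershell
# Added defensive audit, not from the original post.
# For every COM AppID whose LocalService value names a service, report whether a
# low-privilege principal can (a) set values on that AppID key or (b) modify the
# service's image file. Either alone is worth fixing; both together give the
# path the post describes.
# Assumptions: run elevated; the identity list below is a constructed choice.

$LowPrivIdentities = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'BUILTIN\Power Users'
)

# Return the first low-privilege identity holding an Allow ACE that intersects
# $WriteMask, or $null. Works for both registry and file system ACEs.
function Get-LowPrivWriter {
    param(
        [Parameter(Mandatory)] $Rules,      # AuthorizationRuleCollection from Get-Acl
        [Parameter(Mandatory)] [int] $WriteMask
    )
    foreach ($rule in $Rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivIdentities -notcontains $rule.IdentityReference.Value) { continue }
        $granted = if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            [int]$rule.RegistryRights
        } else {
            [int]$rule.FileSystemRights
        }
        if (($granted -band $WriteMask) -ne 0) { return $rule.IdentityReference.Value }
    }
    return $null
}

function Get-AppIdServiceExposure {
    # Rights that let a caller replace the binary or rewrite the key, directly or
    # after first taking ownership / changing the DACL.
    $fileMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                      [System.Security.AccessControl.FileSystemRights]::Delete -bor
                      [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                      [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    $regMask  = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                      [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                      [System.Security.AccessControl.RegistryRights]::TakeOwnership)

    foreach ($key in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue) {
        $service = $key.GetValue('LocalService')
        if (-not $service) { continue }

        # Resolve the service's image file; ImagePath may be quoted and carry arguments.
        $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"
        $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $exe = $null
        if ($imagePath) {
            $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)
            $m = [regex]::Match($expanded, '^\s*"?(?<exe>[^"]+?\.exe)', 'IgnoreCase')
            if ($m.Success) { $exe = $m.Groups['exe'].Value }
        }

        $keyWriter = Get-LowPrivWriter -Rules (Get-Acl -Path $key.PSPath).Access -WriteMask $regMask
        $binWriter = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $binWriter = Get-LowPrivWriter -Rules (Get-Acl -LiteralPath $exe).Access -WriteMask $fileMask
        }

        if ($keyWriter -or $binWriter) {
            [pscustomobject]@{
                AppId              = $key.PSChildName
                LocalService       = $service
                ImagePath          = $exe
                AppIdKeyWritableBy = $keyWriter
                BinaryWritableBy   = $binWriter
                FullChain          = [bool]($keyWriter -and $binWriter)
            }
        }
    }
}

Get-AppIdServiceExposure | Format-Table -AutoSize
```

A row with FullChain set to True is the exact pairing the post calls Problem 1 + Problem 2 and should be fixed on both sides: restrict Set Value on the AppID key to Administrators and SYSTEM, and make sure the service binary is writable only by Administrators, SYSTEM and TrustedInstaller. A row with only one side flagged is still worth closing, since the other half may be reachable by a different route than the one the post uses.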
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:55 PDT