Re: Windows 2000 Run As... Feature

From: David LeBlanc (dleblancat_private)
Date: Tue Jan 25 2000 - 09:00:57 PST

    At 08:45 AM 1/24/00 -0500, Jesper M. Johansson wrote:
    >>In all the hubbub over whether the semantic of the Run As... feature
    >>in Windows 2000, a much more important shortcoming is that this is
    >>the first time (I know of) that the system asks for your password
    >>through a mechanism other than the trusted path (ctrl-alt-del to
    >>login, ctrl-alt-del to change password).  This is an unfortunate
    >>compromise in an otherwise useful feature.
    
    >How much of a compromise is it really? I just looked at the executable
    >and it seems to be reasonably tightened down with only RX for Users,
    >PowerUsers and Everyone. Unless there is some backdoor to replace the
    >directory entry that's about the best we can do.
    
    There's a couple of additions - first of all, there's no way to script the
    password - it is going to prompt you for it, so that's a little bit of an
    improvement.
    
    As has been discussed here before, there are a number of places that a
    Windows system will look for a binary, so to be really sure that you're
    getting the one in system32, use the Run button from the start menu - it
    only looks in %systemroot% for things.
    
    I've often been frustrated trying to figure out _which_ binary I'm running,
    so I wrote this.  BTW, the documentation on the SearchPath() API tells you
    just where the OS looks, and in what order.  A couple of lines are wrapped.
    
    ===================== which.c ==============================
    #include <windows.h>
    #include <stdio.h>
    #include <string.h>   //for strrchr
    
    int main(int argc, char* argv[])
    {
            char buffer[1024];
            DWORD buflen = 1024;
            char* filepart;
            DWORD ret;
            char* extension;
    
            if(argc < 2)
            {
                    printf("Usage is %s [filename]\n", argv[0]);
                    printf("Simple wrapper around the SearchPath function\n");
                    printf("Comments to: dleblancat_private\n");
                    return -1;
            }
    
            //if they don't supply the .exe, give them one
            extension = strrchr(argv[1], '.');
    
            //note - if you really wanted, you could try other extensions
            //but most of what NT runs on is .exe, so..
            if(extension == NULL)
                    ret = SearchPath(NULL, argv[1], ".exe", 1024, buffer,
                                     &filepart);
            else
                    ret = SearchPath(NULL, argv[1], NULL, 1024, buffer,
                                     &filepart);
    
            if(ret == 0)
            {
                    printf("Cannot find %s\n", argv[1]);
            }
            else if(ret < 1024)
            {
                    printf("%s\n", buffer);
            }
            else
            {
                    //if you want to be fancy, put it in a loop, malloc the
                    //buffer, and all that.  Most of the time, this works.
                    //if it doesn't work for you, either use a bigger buffer
                    //or get fancy
                    printf("Path longer than 1024 characters\n");
                    printf("If you really need to display paths > 1024\n");
                    printf("Go write your own, or complain to "
                           "dleblancat_private\n");
            }
            return 0;
    }
    David LeBlanc
    dleblancat_private
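
Added example, not part of the original post and not LeBlanc's which.c: a portable model of the search-order point above that runs without the Win32 API. It walks an ordered directory list and flags a name whose first match is not the trusted directory's copy; the directory list, the file set and the names `first_match`, `is_shadowed` and `exists_fn` are constructed for illustration and are not the order SearchPath() uses.

```c
#include <stdio.h>
#include <string.h>
typedef int (*exists_fn)(const char *path);

/* Constructed sample data; the directory order is an assumption. */
static const char *const SAMPLE_DIRS[] = { "C:\\work", "C:\\WINNT\\system32" };
static const char *const SAMPLE_FILES[] = { "C:\\work\\runas.exe",
    "C:\\WINNT\\system32\\runas.exe", "C:\\WINNT\\system32\\cmd.exe" };

static int sample_exists(const char *path)
{
    for (size_t i = 0; i < sizeof SAMPLE_FILES / sizeof *SAMPLE_FILES; i++)
        if (strcmp(path, SAMPLE_FILES[i]) == 0) return 1;
    return 0;
}

/* Walk dirs[] in order using the caller's exists() check. Returns the index
   of the first directory holding name (-1 if none), copies that path to out,
   and sets *trusted_hit when dirs[trusted] also holds a copy. */
int first_match(const char *name, const char *const dirs[], int ndirs,
                int trusted, exists_fn exists,
                char *out, size_t outlen, int *trusted_hit)
{
    char path[1024];
    int first = -1;
    *trusted_hit = 0;
    if (outlen) out[0] = '\0';
    for (int i = 0; i < ndirs; i++) {
        int n = snprintf(path, sizeof path, "%s\\%s", dirs[i], name);
        if (n < 0 || (size_t)n >= sizeof path || !exists(path)) continue;
        if (i == trusted) *trusted_hit = 1;
        if (first < 0) { first = i; snprintf(out, outlen, "%s", path); }
    }
    return first;
}

/* Shadowed: the trusted directory has a copy, but an earlier one wins. */
int is_shadowed(int first, int trusted, int trusted_hit)
{
    return trusted_hit && first >= 0 && first != trusted;
}

int main(void)
{
    char out[1024];
    int hit, first = first_match("runas.exe", SAMPLE_DIRS, 2, 1,
                                 sample_exists, out, sizeof out, &hit);
    printf("%s%s\n", out, is_shadowed(first, 1, hit) ? " (shadowed)" : "");
    return 0;
}
```

To check a real machine, replace `sample_exists` with a filesystem test and supply the directory list in the order the SearchPath() documentation gives.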
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:31:28 PDT