Re: Windows 2000 Runas weirdness

From: ian (cheekenat_private)
Date: Tue Dec 18 2001 - 16:01:30 PST

Next message: frog frog: "Serious Hole in IMessenger ( php-nuke )"

Previous message: Valdis.Kletnieksat_private: "Re: How to trace system level call in AIX"
In reply to: jesperhtat_private: "Windows 2000 Runas weirdness"
Next in thread: flumeat_private: "Re: Windows 2000 Runas weirdness"
Reply: flumeat_private: "Re: Windows 2000 Runas weirdness"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

but the RunAs service runs as LocalSystem....

which actually it has to do in order to assign a new token
to the process it's launching for you (CreateProcessAsUser
requires SE_TCB_PRIVILEGE)

although you say it's the .exe crashing and not the service...
interesting
to try it and see if the service is affected also.. (it runs in
services.exe apparently)

ian


jesperhtat_private wrote:

> Hiyas,
> Here is an interesting bug I found with the
> Win2k "runas" command.  Could be exploitable, but I
> dont think that it would do much good
> as the error that comes up when you issue the
> command refers to "runas.exe" in the title bar.
>
> Heres what happens:
>
> C:\>runas /user:administrator
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> Enter password for administrator:(can be any
> password, doesnt have to be the right one...)
> Attempting to
> start "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> A" a
> s user "administrator"...
>
> I then gives a "The instruction at "0x77fcbcd2"
> referenced memory at "0x00000100". The memory
> could not be "written"." error.
>
> Let me know what you guys think/find out, im
> curious :-).
>
> -Scarabus
> jesperhtat_private

Next message: frog frog: "Serious Hole in IMessenger ( php-nuke )"
Previous message: Valdis.Kletnieksat_private: "Re: How to trace system level call in AIX"
In reply to: jesperhtat_private: "Windows 2000 Runas weirdness"
Next in thread: flumeat_private: "Re: Windows 2000 Runas weirdness"
Reply: flumeat_private: "Re: Windows 2000 Runas weirdness"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 16:18:53 PST