Re: Windows Elevation of privileges

From: Blake Watts (bwattsat_private)
Date: Tue Mar 12 2002 - 16:16:47 PST


    There are many well-known methods of privilege escalation on Windows
    NT/2000/XP.  Several, like buffer overflows, are generic and non-Windows
    specific.
    
    An example of one specific to Windows is a technique I discovered in 2000,
    known as named pipe instance creation race conditions.  Basically, if a
    privileged process, like the Service Control Manager, attempts to connect
    to a pipe whose name an attacker can guess and be the first to create, then
    the attacker can impersonate the client (using ImpersonateNamedPipeClient)
    to elevate his privileges.
    
    I intend to release a paper documenting the discovery and alleviation of these
    sometime within the next few weeks.
    
    Here are some resources for the interim:
    
    http://www.guardent.com/A0108022000.html
    http://online.securityfocus.com/archive/1/74523
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-053.asp
    http://www.microsoft.com/technet/security/bulletin/MS01-031.asp
    
    Another interesting privilege escalation bug was discovered by Todd Sabin:
    http://razor.bindview.com/publish/advisories/LPCAdvisory.html
    
    Regards,
    Blake Watts
    http://www.securityinternals.com
    
    ----- Original Message -----
    From: "Sebastian Muñiz" <smunizat_private>
    To: <vuln-devat_private>
    Sent: Tuesday, March 12, 2002 11:35 AM
    Subject: Windows Elevation of privileges
    
    
    Does anyone know where I can find some papers about Elevation of privileges
    on Windows (NT/2000) or source code of actual exploits of the kind (like
    sechole)?
    Thanks!!!!
    
    Sebastian Muñiz
    
    Elinpar S.A. - Engineering / Professional Services
    



    This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 23:13:57 PST