Hi group,

>While we're on the topic, I'm wondering what techniques and/or programs
>would be of use to effectively audit windows operating systems and services
>specifically nt based?

For this you can use API monitors, registry, disk, etc... Some good tools can be found at www.sysinternals.com. But if you search more specifically for something to target in depth one program or one function in the OS, look at win32 debuggers like SoftIce or the like.

>For example, privilege escalation, buffer overflows, format strings within
>local programs or system services. Other than a few documents on format
>strings and buffer overflows, there isn't much information to help aid in the
>auditing of programs specifically of importance to the windows os.

I'm not aware of any papers on that subject but you can always take a look at phrack or at currently existing exploits as this can help you a bit.

>Another main question is how exactly are local privileges gained? For example,
>under unix only programs suid/sgid that are vulnerable can sometimes be
>exploited to gain root. Would there be the same thing or something similar to
>this under an nt environment? and if so, what?

It can be the same in NT: a service (IIS, etc...) that runs habitually under high privileges can give up its privileges by a buffer overflow or an input validation that fools the program into executing custom code supplied by the attacker...

>Is there any information that I can be directed to that maybe i'm missing?
>as well as programs and other criteria of importance. Also, is there such
>things as race conditions under windows? Signal exploitation? or things under
>windows that can be exploited that can't under *nix or vice versa.

Humm... race condition? Maybe but it's very unlikely for a NT program to use the temporary directory to put anything exploitable. Signal exploitation? No, AFAIK. Usually in Windows the great thing to exploit is user input; buffer overflows and input validation errors.

>Any light or reference to information on this topic, considering it is
>broad scope would be greatly appreciated.

I'm not really aware of any general information about Windows's architecture in the field of security. Maybe others in the list will be able to help you more than me about this.

--TB
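As an added example (not from the original thread or its author), the inventory step the reply describes, written for a current Windows host: list running services that execute as LocalSystem and also hold listening TCP sockets, i.e. the high-privilege processes that take external input and so deserve audit attention first. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and PowerShell 3 or newer; the function name is my own.

```powershell
# Added example, not code from the original thread.
# Assumes Get-NetTCPConnection (Windows 8 / Server 2012+) and PowerShell 3+.
function Get-PrivilegedListeningServices {
    # Listening TCP sockets grouped by owning process id (keys are strings).
    $listeners = Get-NetTCPConnection -State Listen |
        Group-Object -Property OwningProcess -AsHashTable -AsString

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $procId = [string]$_.ProcessId
            $ports = @()
            if ($listeners -and $listeners.ContainsKey($procId)) {
                $ports = $listeners[$procId].LocalPort | Sort-Object -Unique
            }
            # Several services can share one svchost.exe process, so a port is
            # attributed to every service hosted in that process; review those
            # entries together rather than blaming a single service.
            [PSCustomObject]@{
                Service     = $_.Name
                Account     = $_.StartName
                ProcessId   = $_.ProcessId
                Binary      = $_.PathName
                ListenPorts = ($ports -join ',')
            }
        } |
        Where-Object { $_.ListenPorts -ne '' }
}

# Usage: show the high-privilege, network-facing services on this host.
Get-PrivilegedListeningServices | Sort-Object Service | Format-Table -AutoSize
```

Services that run as LocalService or NetworkService are deliberately excluded here; widen the StartName filter if the audit scope includes them.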
This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 15:02:08 PDT