OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: Re: Windows 2000 Run As... Feature

Re: Windows 2000 Run As... Feature

Subject: Re: Windows 2000 Run As... Feature
From: Jesper M. Johansson (jjohanssBU.EDU)
Date: Mon Jan 24 2000 - 07:45:53 CST

>In all the hubbub over whether the semantic of the Run As... feature
>in Windows 2000, a much more important shortcoming is that this is
>the first time (I know of) that the system asks for your password
>through a mechanism other than the trusted path (ctrl-alt-del to
>login, ctrl-alt-del to change password). This is an unfortunate
>compromise in an otherwise useful feature.

How much of a compromise is it really? I just looked at the executable
and it seems to be reasonably tightened down with only RX for Users,
PowerUsers and Everyone. Unless there is some backdoor to replace the
directory entry that's about the best we can do. Note that the SU
command in the 4.0 Resource Kit also has this problem. Except that there
the default ACL is considerably less restrictive. On my machine,
Everyone has Modify rights to that command, as well as to the SUSS SU
service. I assume that there are no special rights set on these files
and that they simply take the permissions from the parent directory upon
installation. Something to think about...

Note that the ACL does of course not guard against presenting a user
with the command line dialog without having to type in the RunAs
command. However, common sense is used to guard against that. Also, the
trusted path did not preclude the use of that attack either. I have
actually seen one where users were presented with a login screen without
the three-finger salute, and simply entered their passwords.

Jesper M. Johansson

This archive was generated by hypermail 2b27 : Mon Jan 24 2000 - 19:24:31 CST