Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: XP local privilege escalation demonstated SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
XP local privilege escalation demonstated
An excellent Flash animation showing the latest XP local privilege escalation has been published and it clearly demonstrates how trivial it is to "upgrade" from an unprivileged user to SYSTEM.  Fundamentally until this is patched there is a simple "route to power" for any user sitting in front of a Windows sytem.

How does it work?

It is actually quite simple: normally a scheduler is used for running non-interactive programs unattended, for example Anti-virus updates (in the "baddies" world it is used for scheduling netcat backdoors but this is hardly "normal usage"). 

In this example the user decides to schedule running "cmd.exe" (the Windows command line prompt) rather than a non-interactive program.  When the scheduler triggers it starts cmd.exe which opens a new command-line window.

The problem is that the scheduler runs as the "SYSTEM" user which under Windows is an all-powerful user used for system tasks (the Windows equivalent of "root" under Unix) and, as this video demonstrate, it does not "drop privileges" (that is to say: "take on the privileges of the user requesting the scheduled job") before running the command.

When the command is finally run at the specified time it therefore hands you a command line prompt with SYSTEM privileges.

Is there a fix? The simplest "fix" would be to disable the scheduler system-wide as starting it requires administrative privileges although this then ends up preventing Anti-Virus updates which are normally run in this way... so I guess we have to wait for Microsoft to release a patch.

Important note: do not watch this at work with your loudspeakers turned on (bad language disclaimer...).  Headphones strongly recommended.

28 Posts
Aug 3rd 2006

Sign Up for Free or Log In to start participating in the conversation!