[13566] in bugtraq
Re: Windows 2000 Run As... Feature
daemon@ATHENA.MIT.EDU (David LeBlanc)
Tue Jan 25 16:41:40 2000
Message-Id: <3.0.3.32.20000125090057.044ed330@mail.mindspring.com>
Date: Tue, 25 Jan 2000 09:00:57 -0800
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To: jjohanss@bu.edu, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <000b01bf667a$4e90f7f0$026fa8c0@bu.edu>

At 08:45 AM 1/24/00 -0500, Jesper M. Johansson wrote:
>>In all the hubbub over whether the semantic of the Run As... feature
>>in Windows 2000, a much more important shortcoming is that this is
>>the first time (I know of) that the system asks for your password
>>through a mechanism other than the trusted path (ctrl-alt-del to
>>login, ctrl-alt-del to change password). This is an unfortunate
>>compromise in an otherwise useful feature.

>How much of a compromise is it really? I just looked at the executable
>and it seems to be reasonably tightened down with only RX for Users,
>PowerUsers and Everyone. Unless there is some backdoor to replace the
>directory entry that's about the best we can do.

There's a couple of additions - first of all, there's no way to script the
password - it is going to prompt you for it, so that's a little bit of an
improvement.

As has been discussed here before, there are a number of places that a
Windows system will look for a binary, so to be really sure that you're
getting the one in system32, use the Run button from the start menu - it
only looks in %systemroot% for things.

I've often been frustrated trying to figure out _which_ binary I'm running,
so I wrote this. BTW, the documentation on the SearchPath() API tells you
just where the OS looks, and in what order. A couple of lines are wrapped.

===================== which.c ==============================
#include <windows.h>
#include <stdio.h>
#include <string.h>   /* strrchr */

int main(int argc, char* argv[])
{
    char buffer[1024];
    DWORD buflen = sizeof(buffer);
    char* filepart;
    DWORD ret;
    char* extension;

    if(argc < 2)
    {
        printf("Usage is %s [filename]\n", argv[0]);
        printf("Simple wrapper around the SearchPath function\n");
        printf("Comments to: dleblanc@mindspring.com\n");
        return -1;
    }

    //if they don't supply the .exe, give them one
    extension = strrchr(argv[1], '.');

    //note - if you really wanted, you could try other extensions
    //but most of what NT runs on is .exe, so..
    //SearchPathA is the ANSI variant, which matches the char buffers
    //even when the program is built with UNICODE defined
    if(extension == NULL)
        ret = SearchPathA(NULL, argv[1], ".exe", buflen, buffer,
                          &filepart);
    else
        ret = SearchPathA(NULL, argv[1], NULL, buflen, buffer,
                          &filepart);

    if(ret == 0)
    {
        printf("Cannot find %s\n", argv[1]);
    }
    else if(ret < buflen)
    {
        //success: ret is the length of the path copied into buffer
        printf("%s\n", buffer);
    }
    else
    {
        //if you want to be fancy, put it in a loop, malloc the
        //buffer, and all that. Most of the time, this works.
        //if it doesn't work for you, either use a bigger buffer
        //or get fancy
        printf("Path longer than 1024 characters\n");
        printf("If you really need to display paths > 1024\n");
        printf("Go write your own, or complain to "
               "dleblanc@mindspring.com\n");
    }
    return 0;
}

David LeBlanc
dleblanc@mindspring.com
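
Added example (not part of the original post and not LeBlanc's code): which.c reports only the first match, so this portable C example walks every directory in the order the SearchPath() documentation gives for its default mode and reports when a copy earlier in that order would run instead of the one in a trusted directory. The directory list, the file list and the names check(), same_path() and exists() are constructed for illustration, and no Windows API is called.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
static const char *search_order[] = {  /* constructed; SearchPath() order */
    "C:\\Tools\\app",       /* directory the application loaded from */
    "C:\\work",             /* current directory */
    "C:\\WINNT\\system32",  /* system directory */
    "C:\\WINNT\\system",    /* 16-bit system directory */
    "C:\\WINNT",            /* Windows directory; PATH entries would follow */
};
static const char *present[] = {       /* constructed: files assumed to exist */
    "C:\\work\\RunAs.exe", "C:\\work\\tool.exe",
    "C:\\WINNT\\system32\\runas.exe", "C:\\WINNT\\system32\\cmd.exe",
};
#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Windows file names compare case-insensitively. */
static int same_path(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == *b;
}
static int exists(const char *path) {
    for (int i = 0; i < COUNT(present); i++)
        if (same_path(path, present[i])) return 1;
    return 0;
}

/* -1: not found; 0: the copy in trusted_dir runs; 1: an earlier directory
   shadows the trusted copy; 2: only copies outside trusted_dir exist. */
int check(const char *name, const char *trusted_dir) {
    char path[512];
    int first = -1, trusted = -1;
    for (int i = 0; i < COUNT(search_order); i++) {
        snprintf(path, sizeof path, "%s\\%s%s", search_order[i], name,
                 strrchr(name, '.') ? "" : ".exe");  /* as which.c does */
        if (!exists(path)) continue;
        if (first < 0) first = i;
        if (same_path(search_order[i], trusted_dir)) trusted = i;
    }
    if (first < 0) return -1;
    return first == trusted ? 0 : (trusted >= 0 ? 1 : 2);
}
int main(void) {
    const char *names[] = { "runas", "cmd.exe", "tool", "missing" };
    for (int i = 0; i < COUNT(names); i++)
        printf("%-8s -> %d\n", names[i], check(names[i], "C:\\WINNT\\system32"));
    return 0;
}
```

On a real system the exists() lookup would be replaced by a file-attribute query for each candidate path.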