[16136] in bugtraq
reporting local security problems for WinNT (Re: Escalation of
daemon@ATHENA.MIT.EDU (Vladimir Dubrovin)
Tue Aug 8 12:58:16 2000
Message-ID: <7571.000808@sandy.ru>
Date: Tue, 8 Aug 2000 13:42:32 +0400
Reply-To: Vladimir Dubrovin <vlad@sandy.ru>
From: Vladimir Dubrovin <vlad@sandy.ru>
X-To: Chris Foster <frostman@carolina.rr.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <001a01c00089$9b2b4e40$74565d18@carolina.rr.com>

Hello Chris Foster,

07.08.00 20:07, you wrote: Escalation of privileges;

C> 2. Browse to the root directory for the NAV installation and rename
C> navlu32.exe to navlu32.old. Create navlu32.exe that executes the command:

Another example: AVP users can easily obtain Control Center privileges
(Local System by default - these are admin privs) by trojaning
"C:\Program Files\AntiViral Toolkit Pro\avpcc.exe" - this program
starts as a service. It's also possible to operate in kernel mode via
C:\Program Files\AntiViral Toolkit Pro\FSAVP.SYS

According to MS recommendations, only the Administrators group should have
Write permission for the Program Files and WINNT directories. Otherwise a
user can easily trojan any executable, including system services. This
problem is not NAV specific, and this is a problem of poor
configuration, not a bug.

I think all troubles with WinNT local security must be reported for
the configuration described in
http://www.microsoft.com/technet/security/c2config.asp
because in the default configuration there are a lot of ways to break
local security for Windows NT via file and registry permissions.

Vladimir Dubrovin Sandy, ISP
Sandy CCd chief Customers Care dept
http://www.sandy.ru Nizhny Novgorod, Russia
http://www.security.nnov.ru
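
A defensive audit for the misconfiguration discussed in this message, as an added example that is not part of the original post: it lists service and driver binaries, and the directories holding them, on which a principal outside a trusted set holds write-type rights. The trusted SID list and the function names are assumptions of this example, and it targets current Windows with PowerShell 3.0 or later rather than NT 4.0.

```powershell
# Added example, not from the original post. Run elevated so every ACL is readable.
$trustedSids = @(                 # principals expected to hold write access (assumption)
    'S-1-5-18',                   # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',               # BUILTIN\Administrators
    'S-1-3-0',                    # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that allow changing or replacing a file, or altering its ACL or owner.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Resolve-ImagePath([string]$PathName) {
    # PathName may be quoted, carry arguments, or (for drivers) use NT-style prefixes.
    if ($PathName -match '^\s*"([^"]+)"' -or
        $PathName -match '^\s*(.+?\.(?:exe|sys|dll))(?:\s|$)') {
        $p = $Matches[1] -replace '^\\\?\?\\', ''
        $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
        return $p
    }
}

function Get-UntrustedWriteAce([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Ask for SIDs rather than names so the comparison is locale-independent.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
            ($trustedSids -notcontains $_.IdentityReference.Value)
        }
}

# Services (such as an anti-virus control center) and kernel drivers (.sys) alike.
$targets = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver) |
    Where-Object { $_.PathName }
foreach ($t in $targets) {
    $image = Resolve-ImagePath $t.PathName
    if (-not $image -or -not (Test-Path -LiteralPath $image)) { continue }
    # Check the binary itself and the directory that contains it.
    foreach ($item in $image, (Split-Path -Parent $image)) {
        foreach ($ace in Get-UntrustedWriteAce $item) {
            [pscustomobject]@{ Service = $t.Name; RunsAs = $t.StartName; Path = $item
                Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}
```

An empty result means every service and driver image that could be resolved is writable only by the trusted SIDs; any row returned names the path and the SID whose access should be reviewed.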