Priviledge Escalation Exploit for WinXP

seamus

Sorry if this has been posted before. Basically a demonstration video of escalating priviledges from "Administrator" to "SYSTEM" on a WinXP machine.

http://isc.sans.org/diary.php?storyid=1542&isc=8679801a01ff5f4fab0f51e866eac4f3

I'm assuming the exploit is relevant for any Win32 OS, certainly I just tested it on my own machine, and lo and behold....

I had thought that the AT command was deprecated and had been removed from XP and 2k, but clearly I'm wrong. The XP/2k/2k3 equivalent - SCHTASKS - doesn't have this ability as it creates all new tasks under the context of the user who creates them.

Is it stoppable? You could delete the AT command, add it into virus definition files as a known "bad file", etc, but if a user has administrator access, there's very little you can do to stop them putting the tool back on the machine and disabling any safeguards you have in place.

Are there really any extra "abilities" by running under the system context? Surely if a user already has admin access, then there's very little you can stop them from doing already, so this exploit would be the least useful.

Martyr

if you look at CmdAsUser (which works like SU on *NIX)
you can see that, as long as you're administrator, you can do anything you want on a system.

you could disable task scheduler in services list, or deny access to AT command using CACLS.EXE, but as you say, somebody could add a program that can add/remove scheduled tasks or services if they're administrator anyway.

not much can be worthwhile doing in this situation.

when an administrator, you only have to run some code in order to switch to SYSTEM context, so i don't think this is an exploit really.
but i could be wrong.