Thursday, June 4, 2009
Whilst assessing vulnerabilities in the PC build I have, I found the following. Now I always get pissed off when I hear people rattle on about the AT command and using that to get a SYSTEM shell. In my experience, after XP SP2 you're required to be an admin to run AT, so what's the point really?

So rather than just focussing on holes in the Microsoft system, which frankly I'm not really talented enough to find much there, I decided to look at the configuration and implementation. In my opinion I would have much better luck looking for mistakes made by people not necessarily trying to secure a system but more trying to get a system to work.

In this post I'll focus on a common mistake made by the guys who build the system which allows a standard user to escalate to full system privileges.
Looking at Services
It would be nice to use WMIC to look for services that are in a directory that I can write to and that start automatically:

wmic service get name,startmode,pathname | find /i "auto"

However, when trying to run WMIC I get an error telling me that I need to be a member of the Administrators group. I could just go to Services.msc, but this means that I have to go through each service to get the path to the executable. A better tool I found for this is MSInfo32.exe.

As can be seen in the screenshot, I can quickly scan down the autostarted services for ones that have paths that I can write to. I also need the service to be running with an account with some decent privileges.

OK, VNC looks pretty good.

I go to the directory that VNC runs from and rename the executable. I copy Taskmgr.exe from System32 to the VNC directory and rename it as the VNC executable.
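For the defender's side of this, here is an added PowerShell audit (not from the original post) that does what the WMIC one-liner above was trying to do and goes further: it checks the ACL of each automatic-start service's directory for write or delete rights granted to low-privilege groups, which is the misconfiguration the post goes on to exploit. It assumes PowerShell 3 or later on an English-language Windows and should be run as an administrator so every directory ACL can be read.

```powershell
# Added audit example (not from the original post): report automatic-start
# services whose executable sits in a directory that ordinary users can write to.
# Assumes Windows with PowerShell 3 or later, run as an administrator.
# The group names below assume an English-language Windows.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE')
# Rights that let a user replace or remove files in the directory.
$risky = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'

function Get-ServiceExePath([string]$PathName) {
    # Service paths may be quoted, unquoted, and followed by arguments.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-LowPrivWritable([string]$Dir) {
    # Approximation: only Allow ACEs are examined; a matching Deny ACE would
    # override them, so confirm a hit with icacls before acting on it.
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $risky) -ne 0) { return $true }
    }
    return $false
}

Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
    $exe = Get-ServiceExePath $_.PathName
    if (-not $exe) { return }            # no image path recorded for this service
    $dir = Split-Path -Parent $exe
    if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-LowPrivWritable $dir)) {
        [pscustomobject]@{
            Service   = $_.Name
            Account   = $_.StartName     # LocalSystem here means a hit is a full escalation path
            Directory = $dir
        }
    }
} | Format-Table -AutoSize
```

Any service it lists should have its directory ACL tightened so that only Administrators and SYSTEM can write there (icacls can do this), and the service binary itself should be checked against the vendor's copy, since that file is exactly what gets swapped in the scenario above.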