You had stated that replacing the screensaver took special privileges, however I was showing a way to get around those means. Sure, if I had physical access to the machine I could do a lot worse, but personally I feel it's a blended problem. It does need to be restricted physically, however I don't think Microsoft should be running screensavers which can easily be replaced as System.
3APA3A wrote:
Dear Matt Andreko,
Ability to boot machine from bootable to CD is not a problem of Windows security, it's more problem of physical security. To prevent your machine from booting from bootable CD reliably you can use certified BIOS versions (HP and IBM have few), special marks and devices like Dallas Lock, Secret Net, etc.
--Friday, November 26, 2004, 6:42:34 PM, you wrote to [EMAIL PROTECTED]:
MA> Perhaps this is just an amateurish question, but what if I booted off of
MA> a knoppix cd and replaced the current screensaver with my "specially
MA> crafted" screensaver? Or using the bootdisk at MA> http://home.eunet.no/~pnordahl/ntpasswd/ to edit the registry value?
MA> I know you may think that this is useless, since if you boot off the cd MA> or disk, you already have better access to the machine, however doing MA> this method gets you admin access WITHOUT changing the password, correct?
MA> Again, perhaps I'm misunderstanding, but wouldn't this work, and still MA> show that the vulnerability in the screensaver code is valid, and needs MA> to be updated? It could allow someone to get local admin access to the MA> machine without changing the password.
MA> 3APA3A wrote:
Dear Matthew Walker,
Permissions for HKEY_USERS\Control Panel\Desktop allow modification to only members of Administrators and System.
Power Users can install software, so they can replace any file in SYSTEM32 directory, including screensaver. It allows to trojan any system file (for example, one can replace winspool.exe with cmd.exe to obtain SYSTEM permissions). It's by design and it's documented. Just never assign users in Power Users group, as Microsoft recommends you. I see no security vulnerability here.
--Wednesday, November 24, 2004, 8:36:14 PM, you wrote to [EMAIL PROTECTED]:
MW> To Whom it May Concern; MW> The Original Post is http://www.securityfocus.com/bid/11711
MW> On Windows XP all releases, when you replace, or change the MW> screensaver displayed on the login screen with a specially crafted MW> version designed to execute programs, those programs are launched MW> under the SYSTEM SID, IE: they are given automatically the highest MW> access level avalible to Windows. This level is not accessible even MW> to administrators.
MW> This flaw is important because while one would need Power User MW> privledges or above to change the Login Screensaver, by default, any MW> user with the exception of guest can replace the login screensaver MW> file with a modified version. In theory, any determined user could MW> execute ANYTHING with SYSTEM privledges. A similar flaw exists in MW> Win2K, but Microsoft has ignored it.
MW> Sincerly; MW> Matt Walker
MW> _______________________________________________ MW> Full-Disclosure - We believe in it. MW> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
