Gynvael Coldwind wrote: > Well it was discussed a couple of times recently on FD that this is a bug, > but it's not a privilege escalation. > If you are admin (and you did mention that it's a prerequisite) you can > execute code as other users anyway - so there's no *escalation* here. > > Therefore it's not a security bug (unless you are using a super old version > of Windows with incorrect ACLs on c:\, which sounds like a bug in itself), > just a "normal" bug. > Not sure if FD is the right place for non-security bugs tbh.
If these bugs were no security bugs: why does Microsoft then publish fixes for (at least some of) them via MSRC bulletins and Windows Update? See <https://technet.microsoft.com/library/security/ms13-058.aspx> or <https://technet.microsoft.com/library/security/ms13-034.aspx> Or pulls drivers whose setup routines show these bugs from Windows Update? See <http://seclists.org/fulldisclosure/2014/May/40> Also try to see these bugs as a blended threat: * during Windows setup Microsoft still creates all user accounts as administrators. * Microsoft sells its unsuspecting users UAC as a security feature, but does NOT inform them (or at least does not inform Joe Average) that UAC is not a security boundary and they should better use a restricted^Wstandard user account instead of the administrator account created during setup. * Joe Average will happily give consent to any program which presents an UAC prompt to him: he wants to get his work done, and this UAC prompt is just an annoyance. BTW: when Windows asks him for consent, this must be right? regards Stefan > Cheers, > On 25 Jul 2014 00:46, "Stefan Kanthak" <[email protected]> wrote: > >> Brandon Perry wrote: >> >> > So, I am very curious how you are finding these? Have you automated this >> or >> > is it manual hand work? >> >> All my Windows installations have >> <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and >> <http://home.arcor.de/skanthak/download/SENTINEL.DLL> preinstalled as >> C:\Program.exe and C:\Program.dll, so I'm notified when some poorly written >> program tries to execute them. >> The sentinels call MessageBox() with "MB_SERVICE_NOTIFICATION", so the >> messages are recorded in the event log too where I can find them later. >> >> I also preinstall an APPINIT.DLL <https://support.microsoft.com/kb/197571> >> which logs all command lines of programs linked to USER32.DLL to a file: >> filtering for "C:\Program " at column 1 lists all the culprits. >> >> My third source is a SAFER.Log < >> https://technet.microsoft.com/cc786941.aspx> >> where every execution attempt is logged, including the executables caller: >> filtering this for "\program.exe" or "\program.dll" lists all the culprits. >> >> So basically I just have to sit and wait... >> >> In case one of my customers was hit, and this did not happen during an >> installation, I have to interrogate them what they did... and hope they can >> remember with sufficient detail. >> >> But almost all hits occur during installations or the customization >> following >> an installation (here it was the import of existing mails into a new >> account), >> so these are not so difficult to reproduce. >> >> regards >> Stefan >> >> PS: of course it helps if 8.3 names are disabled and "C:\Program Files\" >> can't >> be aliased as C:\Progra~1\ >> To achieve this just run FORMAT C: /FS:NTFS /S:Disable in Windows PE >> before you start the installation of Windows 7 and later. >> For Windows NT5.x you'll have to use \i386\MIGRATE.INF >> >> > On Wed, Jul 23, 2014 at 2:50 PM, Stefan Kanthak <[email protected] >> > >> > wrote: >> > >> >> Hi @ll, >> >> >> >> the import function of Windows Mail executes a rogue program >> C:\Program.exe >> >> with the credentials of another account, resulting in a privilege >> >> escalation! >> >> [...] >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> http://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ >> > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
