Focus on Microsoft
Help with Exploit Feb 02 2007 07:25PM
Vic Brown (vabrown mailer fsu edu) (3 replies)
RE: Help with Exploit Feb 05 2007 04:30AM
Murda Mcloud (murdamcloud bigpond com)
RE: Help with Exploit Feb 04 2007 10:52PM
Murda Mcloud (murdamcloud bigpond com) (1 replies)
Re: Help with Exploit Apr 17 2007 10:11AM
Nicolas RUFF (nicolas ruff gmail com) (1 replies)
Re: Help with Exploit Apr 17 2007 01:39PM
Harlan Carvey (keydet89 yahoo com) (2 replies)
Re: Help with Exploit Apr 17 2007 09:47PM
Nicolas RUFF (nicolas ruff gmail com)
RE: Help with Exploit Apr 17 2007 03:29PM
James D. Stallard (james leafgrove com) (2 replies)
RE: Help with Exploit Apr 17 2007 10:46PM
Murda Mcloud (murdamcloud bigpond com)
RE: Help with Exploit Apr 17 2007 05:31PM
Miha Pihler (Miha Pihler snt si)
Hi,

You can also use psexec from
http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx to do
this...

psexec -i -d -s c:\windows\regedit.exe
(Run Regedit interactively in the System account to view the contents of the
SAM and SECURITY keys)

Vista will not allow you to run "at" with "/interactive"...

Miha

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of James D. Stallard
Sent: Tuesday, April 17, 2007 5:30 PM
To: 'Harlan Carvey'; 'Nicolas RUFF'; 'Murda Mcloud'; 'Vic Brown'
Cc: focus-ms (at) securityfocus (dot) com
Subject: RE: Help with Exploit

Harlan, et al

To access the security regkeys in HKLM you don't need to change the ACLs.

This is an age-old (well, since early NT4 anyway) trick to get LOCALSYSTEM
privs on anything that allows you to run an AT job:

- Get the current time.
- From CMD line run "AT <time+1 minute> /interactive CMD.EXE".
- Wait for a minute.
- CMD window opens in LOCALSYSTEM context.
- Run REGEDIT from new CMD window.
- Navigate to HKLM\SECURITY.
- Marvel at now visible security keys: Cache, Policy, RXACT, SAM.

This particular trick is the basis for a deal of trivial priv escalation
attacks on windows, so if you can, you should secure the Task Scheduler with
a non-priv'ed user or disable it. Another good reason for not giving users
local admin rights.

Cheers

James

James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
Skype: JamesDStallard

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of Harlan Carvey
Sent: 17 April 2007 14:40
To: Nicolas RUFF; Murda Mcloud; 'Vic Brown'
Cc: focus-ms (at) securityfocus (dot) com
Subject: Re: Help with Exploit

> > I've done some googling and am finding that the new RR version checks the
> > security hive (which I believe to be 'invisible' to regedit - can someone
> > correct me if I'm wrong?).

On a live system, the Security hive is not accessible by default. You need
to change the ACLs so that the Admin has the ability to read the hive.

> I know I am coming late on this one, but registry keys that contain
> NULL characters cannot be accessed through REGEDIT. You have to rely
> on the low-level NTDLL API to access them. It is a known "copy
> protection" trick :)

What?

------------------------------------------
Harlan Carvey, CISSP
author: "Windows Forensic Analysis"
http://windowsir.blogspot.com
------------------------------------------
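The defender's side of this thread, as an added example that is not from any of the posts: a PowerShell audit that reports whether the SECURITY and SAM hive ACLs have been loosened so that Administrators (or anyone else) can browse them directly, and the account and start mode of the Task Scheduler service that AT jobs run under. It assumes an elevated prompt and that the default ACLs are SYSTEM: Full Control and Administrators: ReadPermissions + ChangePermissions only.

```powershell
# Added example, not from the thread. Flags any ACE on HKLM\SECURITY and
# HKLM\SAM that lets a principal other than SYSTEM read the hive (what
# "change the ACLs so the Admin can read it" produces) and shows the state
# and account of the Task Scheduler service. Run elevated; the expected
# principals are an assumption based on the default ACLs.
function Test-ProtectedHiveAcl {
    param([string[]]$Keys = @('HKLM:\SECURITY', 'HKLM:\SAM'))
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $findings = @()
    foreach ($key in $Keys) {
        try { $acl = Get-Acl -Path $key -ErrorAction Stop }
        catch {
            $findings += [pscustomobject]@{ Key = $key; Identity = '(n/a)'
                Rights = '(n/a)'; Note = "Could not read ACL: $($_.Exception.Message)" }
            continue
        }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # Full ReadKey (not just ReadPermissions) is what allows browsing.
            $canRead = (($ace.RegistryRights -band $readKey) -eq $readKey)
            if ($id -eq 'NT AUTHORITY\SYSTEM') { continue }
            $note = $null
            if ($id -eq 'BUILTIN\Administrators') {
                if ($canRead) { $note = 'ACL loosened: Administrators can read hive' }
            } elseif ($ace.AccessControlType -eq 'Allow') {
                $note = 'Unexpected principal on protected hive'
            }
            if ($note) {
                $findings += [pscustomobject]@{ Key = $key; Identity = $id
                    Rights = $ace.RegistryRights; Note = $note }
            }
        }
    }
    $findings
}

function Get-TaskSchedulerState {
    # AT jobs inherit the service account (StartName), which is why the
    # AT /interactive trick in the thread yields a LOCALSYSTEM shell.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Schedule'"
    if (-not $svc) { return 'Task Scheduler service not found' }
    [pscustomobject]@{ State = $svc.State; StartMode = $svc.StartMode; Account = $svc.StartName }
}

Test-ProtectedHiveAcl | Format-Table -AutoSize
Get-TaskSchedulerState
```

An empty table from Test-ProtectedHiveAcl means the hives still carry their default ACLs; any row is a change worth explaining.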

Copyright 2010, SecurityFocus