Focus on Microsoft
Help with Exploit - Feb 02 2007 07:25PM - Vic Brown (vabrown mailer fsu edu) (3 replies)
RE: Help with Exploit - Feb 04 2007 10:52PM - Murda Mcloud (murdamcloud bigpond com) (1 replies)
Re: Help with Exploit - Apr 17 2007 10:11AM - Nicolas RUFF (nicolas ruff gmail com) (1 replies)
Re: Help with Exploit - Apr 17 2007 01:39PM - Harlan Carvey (keydet89 yahoo com) (2 replies)
suggestion too.
Now is the AT trick using the same method that Nicholas was pointing out
with regards to the native API and the win32 API being slightly different?
-----Original Message-----
From: James D. Stallard [mailto:james (at) leafgrove (dot) com [email concealed]]
Sent: Wednesday, April 18, 2007 1:30 AM
To: 'Harlan Carvey'; 'Nicolas RUFF'; 'Murda Mcloud'; 'Vic Brown'
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Help with Exploit
Harlan, et al
To access the security regkeys in HKLM you don't need to change the ACLs.
This is an age-old (well, since early NT4 anyway) trick to get LOCALSYSTEM
privs on anything that allows you to run an AT job:
- Get the current time.
- From CMD line run "AT <time+1 minute> /interactive CMD.EXE".
- Wait for a minute.
- CMD window opens in LOCALSYSTEM context.
- Run REGEDIT from new CMD window.
- Navigate to HKLM\SECURITY.
- Marvel at now visible security keys: Cache, Policy, RXACT, SAM.
This particular trick is the basis for a deal of trivial priv escalation
attacks on windows, so if you can, you should secure the Task Scheduler with
a non-priv'ed user or disable it. Another good reason for not giving users
local admin rights.
Cheers
James
James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
Skype: JamesDStallard
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Harlan Carvey
Sent: 17 April 2007 14:40
To: Nicolas RUFF; Murda Mcloud; 'Vic Brown'
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: Help with Exploit
> > I've done some googling and am finding that the new RR version checks the
> > security hive (which I believe to be 'invisible' to regedit - can someone
> > correct me if I'm wrong?).
On a live system, the Security hive is not accessible by default. You need
to change the ACLs so that the Admin has the ability to read the hive.
> I know I am coming late on this one, but registry keys that contain
> NULL characters cannot be accessed through REGEDIT. You have to rely
> on the low-level NTDLL API to access them. It is known "copy
> protection" trick :)
What?
------------------------------------------
Harlan Carvey, CISSP
author: "Windows Forensic Analysis"
http://windowsir.blogspot.com
------------------------------------------