XP security hole so big a 5 year old could use it

[PinnacleProject]

I learned of this at another site and thought I would share it here. Turn down your volume if you play the animation at work. I imagine people are working overtime in Redmond right now to make a patch for this.

http://isc.sans.org/diary.php?compare=1&storyid=1542

XP local privilege escalation demonstrated (NEW)

Changes between the current version and version 1 are highlighted.

Published: 2006-08-03,

Last Updated: 2006-08-03 12:59:40 UTC by Arrigo Triulzi (Version: 2)

An excellent Flash animation showing the latest XP local privilege escalation has been published and it clearly demonstrates how trivial it is to "upgrade" from a user with administrative privileges to SYSTEM (the same but for unprivileged users is currently disputed, more at the CVE entry covering the issue and on the Bugtraq archives).

How does it work?

It is actually quite simple: normally a scheduler is used for running non-interactive programs unattended, for example anti-virus updates (in the "baddies" world it is used for scheduling netcat backdoors but this is hardly "normal usage").

In this example the user decides to schedule running "cmd.exe" (the Windows command line prompt) rather than a non-interactive program. When the scheduler triggers it starts cmd.exe which opens a new command-line window.

The problem is that the scheduler runs as the "SYSTEM" user which under Windows is an all-powerful user used for system tasks (the Windows equivalent of "root" under Unix) and, as this video demonstrate, it does not "drop privileges" (that is to say: "take on the privileges of the user requesting the scheduled job") before running the command.

When the command is finally run at the specified time it therefore hands you a command line prompt with SYSTEM privileges.

Is there a fix? Or indeed, why is this a problem? Well, the fix would be to stop the scheduler which breaks lots of other things (e.g. anti-virus updates) but which an adminstrator can easily restart... Now, is it really a problem since an administrator doesn't gain much? Well, it should not be the case that running a scheduled job lands you different privileges by default and, of course, should it turn out that administrative privileges are not needed then it becomes a far bigger issue as any user could gain SYSTEM privileges.

Important note: do not watch this at work with your loudspeakers turned on (bad language disclaimer...). Headphones strongly recommended.

[gigapixels Veteran]

:o WOW. That is absolutely incredible. I can't believe this hadn't been found until now.

[war]

They are full of it:

System error 5 has occurred.

Access is denied.

This is the error you get if the Scheduler service is disabled, because for the guest account and for a limited user, the Scheduler service is locked down (since your not an admin), so you try and start it and get the error above. And of course since the service is not running then you can not add an event to run the cmd processor.

If the Scheduler service is running and you try and add a new event as a limited user or guest you simply get:

Access is denied.

But of course it works with an admin account. But by that point it does not really matter much.

So yeah they are full of ****!!!!!!!!!!

Edited August 5, 2006 by war

[Nicholas-c Veteran]

wow, microsoft are goin to get some stick about this :p

[brand]

http://support.microsoft.com/kb/310208/EN-US/

And...?

[leovanham]

i discovered this a while back and you can even use explorer.exe rather than cmd.exe there fore it opens up the administrator desktop but you can't create user accounts and stuff under SYSTEM so there is no need to worry

[war]

Well, Windows Vista is even more secure:

F:\Users\Will>at 8:06 /interactive "cmd.exe"

Warning: Due to security enhancements, this task will run at the time

expected but not interactively.

Use schtasks.exe utility if interactive task is required ('schtasks /?'

for details).

Added a new job with job ID = 4

And schtasks is more secure than the Scheduler service...

[nickg78]

I tried it on my Windows XP SP2 machine:

at 15:38 /interactive "cmd.exe"

(2 minutes after my computer's clock)

It said that the job was added succesfully to the scheduled tasks, but it never ran (cmd.exe window didn't pop up). Maybe they have this fixed in SP2?

Edit: finally the task was ran but no interactively, the same that happens in Windows Vista (look war's post above). It appears that they have fixed it.

Edited August 6, 2006 by nickg78

[Nightkrawler]

1. its old.

2. It only works when the user has administrative privileges

3. It only shows that a user with administrative privileges can easily exploit the privileges to gain full access.

So remember, never give any user administrative privileges.

[supernova_00]

I tried it on my Windows XP SP2 machine:

at 15:38 /interactive "cmd.exe"

(2 minutes after my computer's clock)

It said that the job was added succesfully to the scheduled tasks, but it never ran (cmd.exe window didn't pop up). Maybe they have this fixed in SP2?

Edit: finally the task was ran but no interactively, the same that happens in Windows Vista (look war's post above). It appears that they have fixed it.

same here