A new angle on security policy: a closer look at the contest for local permissions - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62200818968
Type myhack58
Reporter Anonymous
Modified 2008-05-05T00:00:00


We know that administrators, in order to keep terminal computers secure, place heavy restrictions on the terminals; some even leave only port 80 open, enough for ordinary web browsing. Users who need to carry out some special operation or install software then find that, because they do not have administrator permissions, they cannot complete a normal operation. Does the security policy that was meant to be deployed this way actually achieve its goal? In fact, with a few methods, this common security setup can be bypassed.

1. System vulnerabilities

Using a system vulnerability is the most direct method. In the second half of 2007 Microsoft disclosed a "Windows XP core driver secdrv.sys local privilege elevation vulnerability"; by using this local overflow vulnerability we can obtain the highest local privileges. The so-called Windows XP core driver secdrv.sys local elevation of privilege vulnerability allows any user to elevate to SYSTEM privileges. The vulnerability lies in the IRP_MJ_DEVICE_CONTROL routine of the driver "secdrv.sys": because the necessary parameter checks are missing, arbitrary bytes can be written to arbitrary kernel memory, leading to denial of service or elevation of privileges. The tool for exploiting it is "Windows Local Privilege Escalation Vulnerability Exploit". Extract it, enter its folder at a command prompt window, and execute the overflow program's file name; the program then shows its usage format:

localPrivilege.exe <program>

Here "<program>" is the command or program name we want to execute. Because the overflow program launches the specified command or program, that command or program runs with administrator privileges as part of the overflow. For example, put a program in the same folder as "localPrivilege.exe" and execute the following command:

localPrivilege.exe notepad.exe
After the command runs, you can watch the overflow process: the program first gains access to the vulnerable driver service and creates a new execution environment, then opens the flawed driver; once the overflow succeeds it creates a new process with administrator permissions for the specified program or command. Here "notepad.exe" was run, and because the process obtained administrator rights, "notepad.exe" launches successfully. Note that the operation just described used the command-line window. If the permission settings on a terminal are so strict that you are not even allowed to run the cmd command prompt window, what then? We can open Notepad, write the overflow command into it and save it as a .bat batch file. Place the batch file in the overflow tool's folder and run it, and the overflow escalation is carried out right away.

2. Escalating to an administrator account

Although each time you want to run or install a program you could use the overflow tool above to launch it, doing so is cumbersome; having an administrator account of our own would be more convenient. Creating a new administrator, however, is easier said than done: it is a cross-privilege operation, so creating a new user name fails with an error, let alone adding that user to the Administrators group. We have to keep using the overflow tool to leave a back door. In the command-line window, execute:

localPrivilege.exe cmd.exe

When the command runs, a new command prompt window opens automatically. Unlike the command prompt window we were just using, this one has the highest privileges, SYSTEM. In this window you can execute commands normally, including adding a new user and promoting it to administrator:

net user administrat0r 123 /add
net localgroup administrators administrat0r /add
After these commands run, an administrator account named "administrat0r" with the password "123" has been created. Later, when you want to run programs and perform operations without restriction, log out of the current restricted user and log in again with the user name "administrat0r" and the password "123"; the login succeeds with administrator privileges.

3. Hiding the back door

To keep the account from being noticed, we can use the cloning method and clone the Guest account into one with administrator privileges. In the command-line window, execute:

localPrivilege.exe regedt32.exe

This opens the Registry Editor with administrator privileges; note that the command here is "regedt32.exe", not "regedit.exe". Expand the registry key "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest" and look at the "(Default)" value in the right-hand pane: it corresponds to "1f5", the number that matches the Guest account's SID (see Figure 7). Looking at the registry values in the same way shows that the administrator account's SID number is "1f4". Therefore expand the key "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4", right-click it, choose "Export" from the pop-up menu and save it as a "clone.reg" file. Then edit that registry file with Notepad, replacing "1f4" with "1f5"; save the file when done and double-click it to import it into the registry. After this, execute the following command again:

localPrivilege.exe cmd.exe

and in the newly opened command window run:

net user guest 123
net user guest /active:yes

When these commands complete, the Guest password has been changed to "123" and the account has been enabled. The Guest account now still appears to be in the Guests group, but in fact it has administrator privileges.
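As an added defender-side check, not part of the original article: the Guest-clone procedure above leaves the 000001F5 key holding an F value that still embeds the Administrator's RID 0x1F4, and the "net user guest /active:yes" step leaves Guest enabled. The Python script below parses a regedit export of the Users key (the same kind of file as clone.reg) and flags both conditions. The F-value offsets 0x30 (RID) and 0x38 (account-control flags) are taken from public SAM layout notes and are an assumption to verify against your own hive; the sample exports are constructed.

```python
"""Audit a regedit export of HKLM\\SAM\\SAM\\Domains\\Account\\Users for a cloned or enabled Guest."""
import re
import struct

USERS_KEY = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
KEY_RE = re.compile(r"\[" + re.escape(USERS_KEY) + r"\\([0-9A-Fa-f]{8})\]")
RID_OFFSET, FLAGS_OFFSET = 0x30, 0x38  # F-value fields per public SAM layout notes (assumption)
ACB_DISABLED = 0x0001                   # ACB flag bit meaning "account disabled"

def parse_f_values(reg_text):
    """Map each Users\\<RID> key to its F bytes, joining regedit's ',\\' continuation lines."""
    f_values, rid, hexdata = {}, None, None
    for line in (l.strip() for l in reg_text.splitlines()):
        if m := KEY_RE.fullmatch(line):              # start of a new Users\<RID> key
            rid, hexdata = int(m.group(1), 16), None
        elif hexdata is None and rid is not None and line.startswith('"F"=hex:'):
            hexdata = line[len('"F"=hex:'):]
        elif hexdata is not None:                    # wrapped continuation of the hex value
            hexdata = hexdata.rstrip("\\") + line
        if hexdata is not None and not hexdata.endswith("\\"):
            f_values[rid] = bytes(int(h, 16) for h in hexdata.split(",") if h)
            hexdata = None
    return f_values

def audit(reg_text):
    """Findings: an F value whose embedded RID differs from its key name, and an enabled Guest."""
    findings = []
    for rid, f in sorted(parse_f_values(reg_text).items()):
        embedded = struct.unpack_from("<I", f, RID_OFFSET)[0]
        flags = struct.unpack_from("<H", f, FLAGS_OFFSET)[0]
        if embedded != rid:
            findings.append(f"{rid:08X}: F value carries RID {embedded:X} (imported from that account)")
        if rid == 0x1F5 and not flags & ACB_DISABLED:
            findings.append("000001F5: Guest account is enabled")
    return findings

def make_reg(accounts):
    """Constructed regedit-style export of {rid: (rid_in_F, disabled)}; real F values are longer."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for rid, (rid_in_f, disabled) in accounts.items():
        f = bytearray(0x40)
        struct.pack_into("<I", f, RID_OFFSET, rid_in_f)
        struct.pack_into("<H", f, FLAGS_OFFSET, ACB_DISABLED if disabled else 0)
        hexs = [f"{b:02x}" for b in f]
        chunks = [",".join(hexs[i:i + 16]) for i in range(0, len(hexs), 16)]
        lines += [f"[{USERS_KEY}\\{rid:08X}]", '"F"=hex:' + ",\\\n  ".join(chunks), ""]
    return "\n".join(lines)

CLEAN_SAM = make_reg({0x1F4: (0x1F4, False), 0x1F5: (0x1F5, True)})   # untouched: Guest disabled
CLONED_SAM = make_reg({0x1F4: (0x1F4, False), 0x1F5: (0x1F4, False)})  # Administrator's F imported into Guest, then enabled
```

Run audit() over an export taken from a machine you manage; an empty list means neither condition was found.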
It must be said that local security policy is, in a certain sense, not safe; the main reason is that its structure and its intuitive operation give users openings to take advantage of. Of course, if we gave up local security altogether, the whole network would be affected. I hope this article helps you control permissions better when applying local security.