[Dshield] WMF - SETABORTPROC alarms

Brian Dessent brian at dessent.net
Tue Jan 3 10:22:17 GMT 2006


bschnzl at cotse.net wrote:

>  Arbitrary boils down to root (or SYSTEM in this case, as if I need to tell this list).

Uh, what?  No.  "Arbitrary code" means that the attacker has full
control over the nature of the code that's run.  It says nothing about
whether privileges can be escalated, which may or may not be the case. 
It's a completely separate variable, and often exploits are chained to
combine a buffer overflow (arbitrary code excution) with a local
privilege escalation.

Anyway, in this case the WMF vuln has no such privilege escalation
element whatsoever.  All you get is the current security context of the
current user, no more, no less.  Of course, it's very much the case that
the local user is often the administrator, so on windows this
distinction is not really always relevant but it still exists.

And by the way, Administrator access is very different than SYSTEM, they
are not the same in any stretch.  The former is a regular user account
and still has restrictions on what it can do -- for example, you cannot
kill processess of services, even as an administrator.  But the
administrator does have the necessary privileges to install new services
or drivers, and this can be leveraged to actually perform those tasks. 
This is why you can't kill services using TaskMgr but you can using
Process Explorer -- the latter includes a driver as a resource inside
the .exe which is actually installed in realtime when you run the
program to act as a proxy for the actions whih can only be performed as
the SYSTEM user and not a regular user/administrator.  You will find in
fact that most of the sysinterals tools do this (clandestinely install
drivers) because a number of the things that it does require kernel mode
or SYSTEM-user privilege.

Brian


More information about the list mailing list