Discussion:
[Windows XP] possible privilege escalation
Pif Gadget
2005-05-30 21:00:31 UTC
Hello,

I've twice encountered a strange problem on my Windows XP SP2 (fully
patched) box.

I have 2 separate accounts on my personal system: Administrator (for
administrative tasks only) and simple user (for common everyday
tasks), for security and system integrity reasons.

Today, being logged in to the simple user account and having Windows
Media Player launched, I executed an installation executable file
(from Microsoft) as Administrator using the "Execute as..." entry in the
contextual menu. The application was successfully installed. Later, I
tried to close Windows Media Player, the window was closed but the
music was still playing. I looked in the Task Manager in order to
force quit WMP, but to my surprise the task (wmplayer.exe) did not
belong to me ("simple user"), but to Administrator (It's worth
mentioning that the Administrator account was not open at that moment
- as it is possible with User Fast Switching, so no other instance of
WMP was running.)

This happened to me once before, with the same conditions (including
running an installation app using "Execute as..."), but I couldn't
reproduce the issue "manually".


Best regards,


--
Pif

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
NSC
2005-05-30 21:31:18 UTC
Post by Pif Gadget
Hello,
I've twice encountered a strange problem on my Windows XP SP2 (fully
patched) box.
I have 2 separate accounts on my personal system: Administrator (for
administrative tasks only) and simple user (for common everyday
tasks), for security and system integrity reasons.
Today, being logged in to the simple user account and having Windows
Media Player launched, I executed an installation executable file
(from Microsoft) as Administrator using the "Execute as..." entry in the
contextual menu. The application was successfully installed. Later, I
tried to close Windows Media Player, the window was closed but the
music was still playing. I looked in the Task Manager in order to
force quit WMP, but to my surprise the task (wmplayer.exe) did not
belong to me ("simple user"), but to Administrator (It's worth
mentioning that the Administrator account was not open at that moment
- as it is possible with User Fast Switching, so no other instance of
WMP was running.)
This happened to me once before, with the same conditions (including
running an installation app using "Execute as..."), but I couldn't
reproduce the issue "manually".
Best regards,
--
Pif
Hello,

Are you sure you didn't launch wmplayer from the setup process (something
like: start wmplayer when setup is complete)?

In this case, wmplayer starts with the rights from setup.exe, which
in your case is the admin account.

Have a nice day.

Spencer



Pif Gadget
2005-05-31 01:22:48 UTC
Post by NSC
Hello,
are you sure you didn't launch wmplayer from the setup process (something
like: start wmplayer when setup is complete).
Hmm, the setup program (.exe which runs an .msi) installs a classic
"annoying" development app (the other day it was some Microsoft Office
suite product). I doubt it would launch WMP for any reason, if it's what you
meant.
To get rid of the doubt, I just retried the installation process being
logged in as Admin, and nope, it didn't launch WMP.


Best regards,


--
Pif

NSC
2005-05-31 07:22:56 UTC
Post by Pif Gadget
Hmm, the setup program (.exe which runs an .msi) installs a classic
"annoying" development app (the other day it was some Microsoft
Office suite product). I doubt it would launch WMP for any reason, if
it's what you meant.
To get rid of the doubt, I just retried the installation process being
logged in as Admin, and nope, it didn't launch WMP.
Best regards,
--
Pif
Hello,

I'm not sure we're talking about the same thing.
I don't mean setupe.exe but MPsetupeXP.exe.

At the end of many installations you have one or two checkboxes (like
"view readme.txt" and "launch app now").

When you start the app from here, it starts under the "runas"(admin)
account.

As you retried it's probably something else.

Have a nice day.
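
A check for the situation NSC describes (a program started from a "Run as" installer keeps the installer's account), as an added example that is not part of any post in this thread: it lists processes in the current logon session whose owner is not the logged-on user, together with the parent that started them. It assumes PowerShell 3.0 or later for the CIM cmdlets, so it applies to current Windows rather than the XP SP2 box discussed here.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ (CIM cmdlets).
$me      = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user
$session = (Get-Process -Id $PID).SessionId
$all     = Get-CimInstance -ClassName Win32_Process

# Index every process by PID so a parent can be looked up even if it
# lives in another session (for example a service).
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

function Get-OwnerName($proc) {
    # Win32_Process.GetOwner returns non-zero (e.g. 2 = access denied) when the
    # caller may not open the process, which is common for another user's process.
    $r = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
    if ($r -and $r.ReturnValue -eq 0) { return "$($r.Domain)\$($r.User)" }
    return $null
}

$all | Where-Object { $_.SessionId -eq $session } | ForEach-Object {
    $owner = Get-OwnerName $_
    if ($owner -eq $me) { return }          # owned by the logged-on user: skip

    $parent = $byPid[[uint32]$_.ParentProcessId]
    # PIDs are reused: a "parent" created after the child is not the real parent.
    if ($parent -and $parent.CreationDate -gt $_.CreationDate) { $parent = $null }

    [pscustomobject]@{
        Pid         = $_.ProcessId
        Name        = $_.Name
        Owner       = if ($owner)  { $owner }       else { '(not readable)' }
        Parent      = if ($parent) { $parent.Name } else { '(exited)' }
        ParentOwner = if ($parent) { Get-OwnerName $parent } else { $null }
    }
} | Format-Table -AutoSize
```

System processes that belong to the session (such as csrss.exe and winlogon.exe) are listed as well; the rows of interest are user applications whose Owner or ParentOwner is an administrative account.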





Patrick Otto
2005-05-31 07:45:34 UTC
Post by Pif Gadget
Post by Pif Gadget
Hmm, the setup program (.exe which runs an .msi) installs a classic
"annoying" development app (the other day it was some Microsoft
Office suite product). I doubt it would launch WMP for any reason, if
it's what you meant.
To get rid of the doubt, I just retried the installation process being
logged in as Admin, and nope, it didn't launch WMP.
Best regards,
--
Pif
Hello,
I'm not sure we're talking about the same thing.
I don't mean setupe.exe but MPsetupeXP.exe.
At the end of many installations you have one or two checkboxes (like
"view readme.txt" and "launch app now").
When you start the app from here, it starts under the "runas"(admin)
account.
As you retried it's probably something else.
Have a nice day.
Hi, I think he didn't install WMP.
I can't tell you more about the topic, I'm not using Windows.

Have a nice day.
bkfsec
2005-05-31 21:22:02 UTC
Post by Pif Gadget
Post by NSC
are you sure you didn't launch wmplayer from the setup process (something
like: start wmplayer when setup is complete).
Hmm, the setup program (.exe which runs an .msi) installs a classic
"annoying" development app (the other day it was some Microsoft
Office suite product). I doubt it would launch WMP for any reason, if
it's what you meant.
To get rid of the doubt, I just retried the installation process being
logged in as Admin, and nope, it didn't launch WMP.
Just guessing here, but is it possible that the setup program could have
tried to take ownership of the running process in order to ensure that
an installation started in this way would complete successfully?

I'm not sure precisely how this could be done or that it would have been
done in this package, but it makes the most sense out of any scenario
that I can think of.

In either case, I'm not sure that it's a privilege escalation per se for
the reason that it required you having the administrator account in the
first place to be able to escalate the process' privileges. Where that
could be dangerous is if an administrator got tricked into running an
executable that escalated the privileges of a malicious program, but
once you get them to run that type of code you've got other options
available to you that will probably be easier to utilize. Not that I
can't see this being used in nasty ways or anything...

-Barry

KF (lists)
2005-06-08 08:00:54 UTC
Would this possibly have anything to do with MSIEXEC.exe (that is off
the top of my head) running as system? I have occasionally seen this
process chilling out running as SYSTEM.
-KF