
Re: [News] Tom Yager Confirms: Windows Inherently Insecure

Oliver Wong wrote:
> "[H]omer" <spam@xxxxxxx> wrote in message news:ief1s3-d6o.ln1@xxxxxxxxxxxxx
>>
>> And how easy is it to get superuser (SYSTEM) privileges under Windows?
>>
>> start -> run -> "at hh:mm /interactive cmd.exe"
>> ] cd %WINDIR%"\..\System Volume Information"
>> etc.
>>
>> Note: no password required .. at all.
> 
>    Here's what I get when I try the latter:
> 
> <quote>
> C:\Documents and Settings\owong>cd %WINDIR%"\..\System Volume Information"
> Access is denied.

You need to type that in the cmd shell that opens from the above "at"
command, not one opened by a normal user (Administrator or otherwise).

I.e. follow the *whole* sequence.

You'll notice the window title is different too; normally it reads
"Command Prompt", but in this case it reads
"%WINDIR%\system32\svchost.exe", and the pwd is now %WINDIR%\system32,
rather than %HOMEDRIVE%%HOMEPATH%. I.e. if Windows had such a thing as a
"whoami" command, it would likely return "SYSTEM", which is the
so-called LSA (Local System Account).

I just remembered that you can also express the "System Volume
Information" line above as %SYSTEMDRIVE%"\System Volume Information",
but that's actually longer (by two chars).

The point is, you can easily achieve SU privileges on XP without even a
password.

-- 
K.
http://slated.org - Slated, Rated & Blogged
This message has not been photoshopped in any way.

Fedora Core release 5 (Bordeaux) on sky, running kernel 2.6.16-1.2133_FC5
 00:37:50 up 68 days, 54 min,  3 users,  load average: 0.00, 0.00, 0.00
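
A defender's view of the sequence discussed in this thread, as an added example that is not part of the original post: a Python check that picks `at ... /interactive` job creation out of recorded process command lines and extracts the scheduled command. The sample command lines are constructed, the function names are hypothetical, and each input is assumed to be the command line of the `at` process itself.

```python
import re

# Image name of the legacy scheduler client: at, at.exe, or a path ending in either.
AT_IMAGE = re.compile(r'(?:^|[\\/])at(?:\.exe)?$', re.IGNORECASE)
# Time argument in the forms at accepts, e.g. 14:05 or 2:05pm.
TIME_ARG = re.compile(r'^\d{1,2}:\d{2}(?:[ap]m?)?$', re.IGNORECASE)

def split_cmdline(cmdline):
    """Split on whitespace, keeping double-quoted runs together (quotes dropped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def interactive_at_job(cmdline):
    """Return {'time', 'command'} if cmdline creates an /interactive at job, else None."""
    toks = split_cmdline(cmdline)
    if not toks or not AT_IMAGE.search(toks[0]):
        return None
    args = toks[1:]
    if args and args[0].startswith('\\\\'):    # optional \\computername target
        args = args[1:]
    if not args or not TIME_ARG.match(args[0]):
        return None                             # job listing or /delete, not a new job
    when, rest = args[0], args[1:]
    interactive = False
    while rest and rest[0].startswith('/'):     # switches that precede the command
        if rest.pop(0).lower() == '/interactive':
            interactive = True
    if not interactive or not rest:
        return None
    return {'time': when, 'command': ' '.join(rest)}

# Constructed sample command lines (not taken from any real log).
SAMPLES = [
    r'at 14:05 /interactive cmd.exe',
    r'"C:\WINDOWS\system32\at.exe" \\HOST1 2:05pm /INTERACTIVE "cmd.exe"',
    r'at 23:00 /every:M,T,W backup.bat',
    r'at 3 /delete',
    r'at',
    r'chat.exe 14:05 /interactive cmd.exe',
]

def scan(lines):
    """Return (command line, parsed job) pairs for every interactive job found."""
    return [(l, j) for l in lines if (j := interactive_at_job(l))]

if __name__ == '__main__':
    for line, job in scan(SAMPLES):
        print(f"ALERT interactive at job at {job['time']}: {job['command']!r} <- {line}")
```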
