On Wed, 28 Aug 2002 10:25:08 -0700, you wrote:

>Anytime a developer has an application running as system which
>is a rare need, they must realize the security ramifications of
>what they are doing. (That, if a flaw is found in their software,
>they will elevate the privileges of the user).

Agreed. It's way past time for the paradigm shift in the Win32 world that
took place a long time ago in the *nix world, that being that applications
should *always* run with the lowest privileges they require. In this
respect, Microsoft should be leading the pack instead of trailing it - the
only MS services I've ever seen that don't install themselves as
LocalSystem are the various Windows Media services.

Maybe it's time Microsoft implemented setuid() on Win32? Even the Cygwin
group have had trouble with it - according to
http://www.cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID

"Because of the nature of NT security an application which needs the
ability has to be patched"

Since it also requires three privileges that not even Administrators have
by default, their solution seems a tad clumsy.

>While you can exploit other applications
>not running in a higher privilege space in this manner, this
>gains you nothing which you can not do with just running a
>binary as that user.

I'd disagree with this. If you have a UI that is partly disabled waiting
for some form of user validation (scroll to the bottom of the license
agreement before you click OK, or type in a valid username and password
before you can click that administration button) you can do a lot.

Also, personal firewalls are going to have a hard time of it - I can
circumvent all personal firewalls I've tested by injecting my code into a
"trusted" application (IE in my case). The firewall never bats an eyelid,
since IE is allowed to access the network. Some clever shellcode can then
do whatever you'd like.

Chris

--
Chris Paget
ivegotta@tombom.co.uk
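Added example (editor's illustration, not code from Chris's message, from Cygwin or from Microsoft): what the setuid()-style privilege drop the post holds up as the *nix model looks like in C, with the ordering that makes it stick (groups and gid while still root, uid last) and a check that root cannot be regained afterwards. The target identity 65534/65534 (the "nobody" account on many systems) and the function names are assumptions made for the demo; the check is what catches the classic half-drop via seteuid() that leaves the saved uid at 0.

```c
/* Added example: permanent privilege drop in the *nix model the post
 * refers to. Not code from the original message. The target uid/gid
 * 65534 ("nobody" on many systems) is an assumption for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups and
 * the gid must be cleared while still root, because once the uid is
 * unprivileged, setgroups() and setgid() are no longer permitted.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;               /* already unprivileged: nothing to shed */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)       /* as root, setgid() sets real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)       /* as root, setuid() sets real, effective and saved uid */
        return -1;
    return 0;
}

/* Check that root cannot be regained: every way back must fail with EPERM.
 * A common mistake is seteuid() alone, which leaves the saved uid as 0 and
 * lets a later setuid(0) succeed. Returns 1 if privileges are irrevocably
 * dropped, 0 if root (uid or gid) is still reachable. */
int privileges_irrevocable(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0 || setgid(0) == 0)
        return 0;               /* got root back: the drop was incomplete */
    return 1;
}

/* Demo: drop to an unprivileged identity and confirm it stuck. Run as
 * root it drops to the assumed 65534/65534; run unprivileged it simply
 * verifies that the current identity cannot escalate. Returns 1 on a
 * verified irrevocable drop, 0 otherwise. */
int demo_drop(void)
{
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getgid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 0;
    }
    return privileges_irrevocable();
}

int main(void)
{
    int ok = demo_drop();
    printf("uid=%u euid=%u gid=%u egid=%u -> %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid(),
           ok ? "privileges irrevocably dropped" : "root still reachable");
    return ok ? 0 : 1;
}
```

Run it as root to see the full sequence (the process ends up as 65534/65534 and setuid(0) fails with EPERM); run it as an ordinary user and only the verification half executes. The point of privileges_irrevocable() is that a service should assert this after dropping, not assume it: if it ever returns 0 the drop was done with the wrong call or in the wrong order.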