July 29, 2003

Huge Hole in Windows Credential Management

Well, I am not sure when this will hit the wires, but there is a pretty large gaping hole in how Windows handles stored credentials in the runas command. It doesn't seem like a huge thing, until you consider that once a credential has been saved, it lets the user who saved it run anything at all as that account... which can mean a normal user can run any command as administrator if an administrator password is ever typed into a runas /savecred prompt in that user's session, even once.

The idea behind the "runas" command is great. It allows a user to work in a least-privilege environment and still gain access to vital system commands. In Unix, we typically call that "su". In Windows, runas has an even nicer feature.

If you use the /savecred switch, it will save the credentials for later use. So if you entered:

runas /savecred /user:administrator regedit

You would be prompted for a password once, and then regedit would start up. Works great. Next time you run that same command, you wouldn't be prompted for the password.

Now the hole....

Once /savecred is used, the saved credential is keyed on the account, not on the program you saved it for. So you can pass runas ANY command.... and it will run as that credential, with no password prompt, as long as you keep using the /savecred option. And that's bad. Why? Well, imagine if I did this:

runas /savecred /user:administrator "C:\Program Files\Internet Explorer\iexplore.exe" c:

Guess what happens? Internet Explorer pointed at c: drops into its file-browser view, and it is running as administrator. I now have direct administrator rights to all files on the system. I can now go to town and do whatever the hell I want.

Now, I have bitched about runas before. But I still like it. That is evident in an old Code Project article I wrote on the subject of "Secure Coding Practices: Running with Least Privileges in Windows". Even so... this is such a glaring hole it isn't funny. And it seems this is generally accepted as OK at Microsoft, since I found others reporting this months ago in the windowsxp lists, with no response from Microsoft. *sigh*

If I knew how to hook into the shell properly I would go write a new version of runas for them. Could fix some things I hate about it. But alas, this is one of those HIDDEN features of the platform. *grrr*

Anyways coming back from that tangent, there is no easy way to REMOVE the credentials. But I did find an interesting post that covers off how to remove it manually through the registry.

Moral of the story... DON'T USE THE "/savecred" SWITCH FOR THE RUNAS CMD
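To make the "any command runs as that credential" problem above and the cleanup question concrete, here is an added example, written for this page and not part of the original post. It assumes a Windows version with cmdkey.exe and PowerShell (Vista or later; the post targets XP, where cmdkey does not exist), and it assumes that credentials stored by runas /savecred show up in cmdkey /list with a target of the form Domain:interactive=MACHINE\user, which matches what I have seen but is not documented behaviour, so review the full list if nothing matches. The function and variable names are mine.

```powershell
# Added example (not from the original post): find credentials that
# runas /savecred has stashed in the current user's Credential Manager,
# remove them, and check whether the policy that blocks /savecred is on.
# Assumes Vista or later (cmdkey.exe and the Lsa registry value exist there).

function Get-SavedRunasCredential {
    # cmdkey /list prints one block of "Target:", "Type:", "User:" lines per entry.
    # Assumption: entries saved by runas /savecred carry the target prefix
    # "Domain:interactive=" (observed behaviour, not documented).
    $entry = $null
    $results = @()
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($entry) { $results += $entry }
            $entry = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        } elseif ($entry -and $line -match '^\s*Type:\s*(.+)$') {
            $entry.Type = $Matches[1].Trim()
        } elseif ($entry -and $line -match '^\s*User:\s*(.+)$') {
            $entry.User = $Matches[1].Trim()
        }
    }
    if ($entry) { $results += $entry }
    # Every one of these is reusable by any process running as the current user:
    # "runas /savecred /user:<that account> <anything>" will not prompt.
    $results | Where-Object { $_.Target -like 'Domain:interactive=*' }
}

function Remove-SavedRunasCredential {
    param([Parameter(Mandatory)][string]$Target)
    # cmdkey /delete removes the entry; the next runas /savecred prompts again.
    cmdkey "/delete:$Target" | Out-Null
}

function Test-SaveCredBlocked {
    # The policy "Network access: Do not allow storage of passwords and
    # credentials for network authentication" is backed by this value.
    # With it set to 1, runas /savecred can no longer store a credential.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    return ($v -eq 1)
}

# Usage: run as the user whose session had the admin password typed into it.
$saved = @(Get-SavedRunasCredential)
if ($saved.Count -eq 0) {
    Write-Host 'No interactive credentials saved by runas /savecred.'
} else {
    $saved | Format-Table Target, Type, User -AutoSize
    foreach ($cred in $saved) { Remove-SavedRunasCredential -Target $cred.Target }
}
if (-not (Test-SaveCredBlocked)) {
    Write-Host 'DisableDomainCreds is not set; /savecred can still store passwords.'
    Write-Host 'To block it, from an elevated shell:'
    Write-Host '  Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name DisableDomainCreds -Value 1 -Type DWord'
}
```

Two practitioner notes. The saved credential lives in the profile of the user who ran runas, not the administrator's, so the cleanup has to be run in each account where the password was typed; on Windows XP itself the same entries are visible under Control Panel > User Accounts > Advanced > Manage Passwords (rundll32.exe keymgr.dll,KRShowKeyMgr), which is the non-registry way to remove them. And every runas invocation, saved credential or not, still raises the "logon was attempted using explicit credentials" audit event (ID 4648 on Vista and later) when logon auditing is on, so a sudden run of those events from one workstation user is the thing to alert on.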

Posted by SilverStr at July 29, 2003 08:35 PM