One of the first posts on this blog was about different (free) options you have to temporarily elevate your privileges under Windows. So it is natural that this blog post from George Ou sparked my interest. It talks about a product, BeyondTrust, which lets you temporarily elevate the privileges of certain applications and provides a centralized management interface for this through Active Directory.
Their website contains the usual propaganda, like protection against zero day threats, but this is not why I’m mentioning them. I’m talking about them because I suspect that I found a loophole in their bulletproof system. Remember how I talked about the fact that under Windows the parent process owns every right to the child process, even in a limited account? We can use the same mechanism to expand our privileges beyond what was intended, as shown in the following scenario:
- Process X has a given privilege we need.
- Process Y wants to gain those privileges. It launches a new instance of X, becoming the owner of the instance.
- The privilege is automatically granted to X by BeyondTrust.
- Now Y, using its privileges, can insert arbitrary code in the instance of X.
The probability of an automated tool figuring out such a complicated chain of actions (or even figuring out which programs it needs to use to gain the needed privileges) is of course very low; however, in the case of an insider threat this attack is still feasible. Of course there exist much simpler attacks, which can leave the system exposed even with a slight misconfiguration (for example, the fact that the open / save dialogs are complete file manager solutions, which can be used to move / overwrite files from inside a privileged application). The point I’m trying to make here is that there is no silver bullet for security.
PS I couldn’t try this attack, because although they have a free version on their website, it kept insisting on having the computer in a domain, which I won’t set up for the sake of this program. Anyway, if somebody has already configured this program, please perform the following test and report back with the result:
- Pick an arbitrary executable (telnet.exe for example) and assign it some special privileges.
- Download the very nice user-mode debugger, OllyDbg, and from a limited user account open telnet.exe for debugging.
- Use ProcessExplorer to verify that OllyDbg doesn’t have the special privilege, while telnet.exe does.
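
The comparison in the last step can be automated for auditing. The following is an added example, not code from this post or from BeyondTrust: it flags any process that holds control-capable access to a process whose token carries privileges its own token lacks. The record layout, the function name and the sample privilege are assumptions made for illustration; the access-mask values are the documented Windows constants.

```python
# Added example: constructed, simplified records, not real tool output.
# Access-right values are the documented Windows process access masks.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040

# Rights that let the holder alter what runs inside the target process.
CONTROL_RIGHTS = {
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE",
}

def find_privilege_gaps(processes, handles):
    """Return findings where a process holds control rights over a process
    whose token carries privileges the holder's own token lacks."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for h in handles:
        src, dst = by_pid.get(h["source_pid"]), by_pid.get(h["target_pid"])
        if src is None or dst is None or src is dst:
            continue
        extra = set(dst["privileges"]) - set(src["privileges"])
        rights = [n for bit, n in CONTROL_RIGHTS.items() if h["granted_access"] & bit]
        if extra and rights:
            findings.append({
                "source": src["image"], "target": dst["image"],
                "is_parent": dst["parent_pid"] == src["pid"],
                "extra_privileges": sorted(extra), "rights": rights,
            })
    return findings

# Constructed sample: a debugger started by a limited user launches telnet.exe,
# and the elevation policy then grants telnet.exe an extra privilege.
SAMPLE_PROCESSES = [
    {"pid": 100, "parent_pid": 1, "image": "explorer.exe", "privileges": ["SeChangeNotifyPrivilege"]},
    {"pid": 200, "parent_pid": 100, "image": "ollydbg.exe", "privileges": ["SeChangeNotifyPrivilege"]},
    {"pid": 300, "parent_pid": 200, "image": "telnet.exe", "privileges": ["SeChangeNotifyPrivilege", "SeLoadDriverPrivilege"]},
]
SAMPLE_HANDLES = [
    {"source_pid": 200, "target_pid": 300, "granted_access": 0x1FFFFF},  # PROCESS_ALL_ACCESS
    {"source_pid": 100, "target_pid": 200, "granted_access": 0x1000},    # query-limited only
]

if __name__ == "__main__":
    for finding in find_privilege_gaps(SAMPLE_PROCESSES, SAMPLE_HANDLES):
        print(finding)
```

A finding with `is_parent` set is the scenario described above: the launcher kept full access to a child that was granted more than the launcher has.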