Login using "Nt Authority/System" user on xp

  • staticblac
    Member
    • May 2003
    • 90

    #1

    Ok this is a nifty trick I picked up and took a little further.

    In your Windows directory there is a file called logon.scr in system32.

    Copy this file to a different location so you have it to reload later.

    Then delete the logon.scr in system32, make a copy of cmd.exe, rename
    it to logon.scr and place it in the system32 folder.

    Log off your account and wait until the timer kicks in, and an MS-DOS prompt will launch under the user "Nt Authority/System".

    Type the command "control" and explorer will launch and bring up the control panel, and from there you can do whatever.

    My question to you all is this: does this pose an immediate security risk? Granted, this is a way, if you can read the hard drive in some way, to bypass logon completely, but I was screwing with it and I found that there were no real security problems (i.e. no access to add users, change passwords, change system settings {other than regedit works}). Is this just an interesting trick or are there other things that can be done?
    Poll (5 votes):
      • Yes, it is a security hole: 20.00% (1)
      • No, there are no real problems with this: 40.00% (2)
      • It is fun to play with: 40.00% (2)

    The poll is expired.

  • skroo
    Volatile Compound
    • Dec 2001
    • 2348

    #2
    Originally posted by staticblackz
    My question to you all is this, does this pose an immediate security risk?
    Well... You can replace logon.scr with pretty much whatever you want; it doesn't have to be cmd.exe. I'd assume that whatever you do replace it with, though, will run as the user you were logged on as when the screensaver timed out and launched it.

    Granted, this is a way, if you can read the hard drive in some way, to bypass logon completely, but I was screwing with it and I found that there were no real security problems (i.e. no access to add users, change passwords, change system settings {other than regedit works}). Is this just an interesting trick or are there other things that can be done?
    Depends on the privileges you have at the time the command shell is launched, I'd say. Try it as administrator and see what happens. As for it being a security hole, it's one of those things that could be, but is more intended operation given the change you've just made.


    • staticblac
      Member
      • May 2003
      • 90

      #3
      Anything that you replace logon.scr with is executed at the logon screen using the system user, so what you can do is based on the permissions the "Nt Authority/System" user has. So is there a way to change or alter the user permissions on the fly somehow to allow more advanced functionality?


      • TheCotMan
        Retired
        • May 2004
        • 8857

        #4
        Originally posted by staticblackz
        Ok this is a nifty trick I picked up and took a little further....
        This is nothing new.

        My question to you all is this, does this pose an immediate security risk?
        Microsoft appears to not think it is a risk if it is still a problem with 2000/XP/2003, but that does not really mean anything; MS also has many outstanding security issues in MSIE which they do not consider immediate security risks.

        Is this just an intresting trick or are there other things that can be done?
        Use of Policies or the modern replacement of them in a domain combined with limitations on filesystem access permits enforcing limits to end users.

        In order to employ this "exploit", you need to be able to specify a different screensaver and you must be logged in. Through various restrictions you can make it more difficult for the user to select an arbitrary screensaver. (Consider this: why should a user be able to modify system32 contents?)

        If you are logged into a GUI like this, odds are in favor of you having physical access. Physical access to the hardware means a much higher risk for total ownership.

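TheCotMan's point that the swap only works if someone can write into system32 suggests the defender's side of this thread: keep a baseline of the real logon.scr (the backup copy the first post tells you to make) and periodically confirm that the file in system32 still matches it and is not simply a renamed cmd.exe. The script below is an added example, not code from the thread or from Microsoft. It assumes you have a known-good SHA-256 of logon.scr to compare against, takes the system32 path as a parameter so it can be tested against a constructed directory, and on Windows also reads the SCRNSAVE.EXE value under HKEY_USERS\.DEFAULT\Control Panel\Desktop, which is where the logon desktop's screensaver is configured.

```python
"""Baseline check for the logon-desktop screensaver binary.

Added example (not from the thread). Flags the two symptoms of the swap the
first post describes: system32\\logon.scr no longer matches a recorded
baseline hash, and/or it is byte-identical to cmd.exe in the same directory.
"""
import hashlib
import os
import sys
import tempfile
from typing import List, Optional


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_logon_scr(system32: str, baseline_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    scr = os.path.join(system32, "logon.scr")
    cmd = os.path.join(system32, "cmd.exe")
    if not os.path.isfile(scr):
        return ["logon.scr missing from system32 (deleted or never present)"]
    scr_hash = sha256_of(scr)
    if scr_hash != baseline_sha256.lower():
        findings.append(f"logon.scr hash {scr_hash[:16]}... differs from baseline")
    if os.path.isfile(cmd) and sha256_of(cmd) == scr_hash:
        findings.append("logon.scr is byte-identical to cmd.exe (renamed shell)")
    return findings


def logon_screensaver_from_registry() -> Optional[str]:
    """Windows only: the screensaver path the logon desktop will launch.

    Reads HKEY_USERS\\.DEFAULT\\Control Panel\\Desktop\\SCRNSAVE.EXE; returns
    None when not on Windows or when the value is unset. Worth logging next
    to the hash check, since a policy can point this somewhere else entirely.
    """
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_USERS, r".DEFAULT\Control Panel\Desktop") as key:
            value, _ = winreg.QueryValueEx(key, "SCRNSAVE.EXE")
            return str(value)
    except OSError:
        return None


def demo() -> dict:
    """Constructed scenario: a stand-in system32 before and after the swap."""
    with tempfile.TemporaryDirectory() as system32:
        scr = os.path.join(system32, "logon.scr")
        cmd = os.path.join(system32, "cmd.exe")
        with open(scr, "wb") as fh:
            fh.write(b"MZ constructed stand-in for the real screensaver")
        with open(cmd, "wb") as fh:
            fh.write(b"MZ constructed stand-in for the shell")
        baseline = sha256_of(scr)          # the "backup copy" taken beforehand
        clean = check_logon_scr(system32, baseline)
        # Reproduce the swap from the thread inside the temp dir only.
        os.remove(scr)
        with open(cmd, "rb") as src, open(scr, "wb") as dst:
            dst.write(src.read())
        swapped = check_logon_scr(system32, baseline)
    return {"clean": clean, "swapped": swapped}


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, findings or ["ok"])
    print("logon screensaver (registry):", logon_screensaver_from_registry())
```

Run it with no arguments to see the constructed before/after case; on a real host, call check_logon_scr with the actual system32 path and the baseline hash you recorded, and treat either finding as a reason to look at who has write access to that directory.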

        • highwizard

          #5
          Originally posted by TheCotMan

          If you are logged into a GUI like this, odds are in favor of you having physical access. Physical access to the hardware means a much higher risk for total ownership.

          So if I have physical access to TheCotMan I have a great chance of 0wning him?
