[cvsnt] Re: cygwin ssh server and author being set to SYSTEM

pvgoran pvgoran.ml at macondo.ru
Thu Jan 8 10:36:44 GMT 2004


Hello Tony,
Thursday, January 8, 2004, 4:11:07 PM, you wrote:

TH> Pavel Goran wrote:
>> There must be a possibility for some kind of communication between a
>> process and the module (for example, a process can create a named pipe
>> and pass its name to the package as a password). Provided that
>> communication is possible, the package can create a named pipe (and
>> thus become the "named pipe server"), instruct the process to open it
>> (which thus becomes the "named pipe client"), impersonate the process'
>> user by calling ImpersonateNamedPipeClient(), and actually try
>> NtCreateToken() (and maybe other calls).
>> 
TH> There are many pipes that are opened by the system user... (LSASS is one 
TH> I think) it'd be trivial to pass one of those.
It's not clear to me... "Trivial to pass one" for whom? For a malicious
user who wants to "steal" privileges, for a process (say, an SSH server)
that wants to "legally" impersonate a user, or for a (sub)authentication
module?

(It would probably be better to move this discussion away from the CVSNT
mailing list - if you don't mind continuing it.)

TH> I'm not really prepared to take the risk. Luckily it's not a cvsnt 
TH> problem - even if I implemented something only cygwin can make the 
TH> decision whether to use it.
I don't mean it is to be implemented right now; this is rather just a proof
of concept.

Pavel Goran



