This combination of uninformed software developers and lack of public security research means lots of vulnerabilities are waiting to be found in this area.
Vulnerabilities You Find Are Easy to Exploit
The upnphost example mentioned was actually a vulnerability fixed by Microsoft in 2006. The access control governing the Universal Plug and Play (UPnP) service on Windows XP allowed any user to control which binary was launched when this service was started. It also allowed any user to stop and start the service. Oh, and Windows includes a built-in utility (sc.exe) to change what binary is launched when a service starts and which account to use when starting that binary. So exploiting this vulnerability on Windows XP SP1 as an unprivileged user was literally as simple as:
> sc config upnphost binPath= c:\attack.exe obj= ".\LocalSystem" password= ""
> sc stop upnphost
> sc start upnphost
Bingo! The built-in service that is designed to do Plug and Play stuff was just subverted to instead run your attack.exe tool. Also, it ran in the security context of the most powerful account on the system, LocalSystem. No fancy shellcode, no trace if you change it back, no need to even use a compiler if you already have an attack.
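The root cause above is a service DACL that hands SERVICE_CHANGE_CONFIG to ordinary users. The following added example (not from the book) audits a service's security descriptor for exactly that mistake: it parses the SDDL string that `sc sdshow <service>` prints and flags allow ACEs where a broad principal (Authenticated Users, Interactive, Everyone, Users, Guests, Anonymous) gets a right that lets it rewrite or take over the service object. The two SDDL strings are constructed samples, one modelled on the weak XP SP1 configuration and one on a hardened default; the function names are my own.

```python
import re

# Two-letter rights tokens as they appear in a service DACL from `sc sdshow`,
# mapped to the service-specific access right each one denotes.
RIGHT_NAMES = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the holder change the service's binary/account (DC) or
# rewrite the ACL itself (WD, WO) or delete and re-create it (SD).
DANGEROUS = {"DC", "SD", "WD", "WO"}
# Well-known SID abbreviations for broad, low-privilege principals.
BROAD_SIDS = {"AU": "Authenticated Users", "IU": "Interactive", "WD": "Everyone",
              "BU": "Users", "AN": "Anonymous", "BG": "Guests"}

# Constructed samples: the first grants Authenticated Users DC (change config),
# RP (start) and WP (stop); the second limits them to query/interrogate rights.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return [(ace_type, sid, {rights})] for each ACE in the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop any trailing SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:          # malformed ACE; skip rather than guess
            continue
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
        # Rights are a run of two-letter tokens (hex masks are not handled here).
        tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, sid, tokens))
    return aces


def weak_grants(sddl):
    """List (principal, [dangerous rights]) for allow ACEs given to broad principals."""
    findings = []
    for ace_type, sid, rights in parse_dacl(sddl):
        if ace_type != "A" or sid not in BROAD_SIDS:
            continue
        bad = sorted(rights & DANGEROUS)
        if bad:
            findings.append((BROAD_SIDS[sid], [RIGHT_NAMES[r] for r in bad]))
    return findings
```

Run it over the output of `sc sdshow` for each installed service; any finding means a non-admin can repoint the service binary the way the three commands above did.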