Starting with Windows XP, some services run as LOCAL SERVICE, some as
NETWORK SERVICE, and some continued to run as the all-powerful LocalSystem. Both
LOCAL SERVICE and NETWORK SERVICE have limited privileges on the system and
don't belong to any of the "power groups." You can use Process Explorer or the debugger
to inspect the token of a NETWORK SERVICE or LOCAL SERVICE process. This privilege
reduction, in theory, limits the damage of a service compromised by attackers. Imagine
attackers exploiting a service buffer overrun for a remote command prompt but then not
being able to install their driver-based rootkit. In practice, however, there are ways to elevate
from LOCAL SERVICE to LocalSystem, just as there are ways to elevate from Power
User to Administrator. Windows service configuration is one of those ways. We can see
in our preceding list that MSDTC and the SCardSvr services have granted
SERVICE_CHANGE_CONFIG to NETWORK SERVICE and LOCAL SERVICE respectively. To
exploit these, you'd first need to become one of those service accounts through a buffer
overrun or some other vulnerability in a service running in that security context.
TIP At least one more instance of this condition still exists today in fully
patched Windows XP.
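As an added example (not code from the book), here is a Python audit helper that parses the SDDL string `sc sdshow <service>` prints and flags DACL entries granting SERVICE_CHANGE_CONFIG (SDDL right code `DC`), or the DACL/owner-write rights that lead to it, to low-privilege principals such as LOCAL SERVICE and NETWORK SERVICE. The sample descriptors below are constructed for illustration; they are not the real MSDTC or SCardSvr descriptors.

```python
import re

# Service access rights that let a principal rewrite the service's binary
# path, start account, or security descriptor (SDDL two-letter codes):
#   DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER,
#   GA/GW = generic all/write (map onto the above for services).
CONFIG_WRITE_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}

# Well-known SID aliases for principals that should never hold those rights.
LOW_PRIV_PRINCIPALS = {
    "LS": "LOCAL SERVICE", "NS": "NETWORK SERVICE", "AU": "Authenticated Users",
    "BU": "Users", "IU": "INTERACTIVE", "WD": "Everyone", "AN": "Anonymous",
}

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid) -- the two
# GUID fields are always empty for service objects, hence ';;;' before the SID.
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);;;(?P<sid>[^)]+)\)")

def parse_rights(rights: str) -> set:
    """Split an SDDL rights string such as 'CCDCLCSW' into two-letter codes."""
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def find_weak_aces(sddl: str) -> list:
    """Return (principal, sorted dangerous rights) for every allow ACE in the
    DACL that grants a config-write right to a low-privilege principal."""
    dacl = sddl.split("S:")[0]  # drop the SACL (audit ACEs), keep the DACL
    findings = []
    for m in ACE_RE.finditer(dacl):
        if m.group("type") != "A":  # only access-allowed ACEs matter here
            continue
        dangerous = parse_rights(m.group("rights")) & CONFIG_WRITE_RIGHTS
        sid = m.group("sid")  # alias ('NS') or full 'S-1-5-...' SID
        if dangerous and sid in LOW_PRIV_PRINCIPALS:
            findings.append((LOW_PRIV_PRINCIPALS[sid], sorted(dangerous)))
    return findings

# Constructed samples: a typical default service DACL, and one that grants
# DC to NETWORK SERVICE (the condition the text describes for MSDTC).
SAMPLES = {
    "GoodSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "WeakSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWLOCRRC;;;NS)",
}

def audit(samples: dict) -> dict:
    """Map service name -> findings, omitting services with none."""
    return {name: f for name, sddl in samples.items() if (f := find_weak_aces(sddl))}

if __name__ == "__main__":
    for name, findings in audit(SAMPLES).items():
        print(name, findings)
```

On a live system, feed the output of `sc sdshow <service>` for each service into `find_weak_aces`; any hit is a service whose configuration a compromised LOCAL SERVICE or NETWORK SERVICE process could rewrite.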