However, this feature appears to be more reliable than .local files, so we'll demonstrate how to use it in the attack section.
Replace the legitimate .exe with an attack .exe of your own. If attackers have FILE_DELETE_CHILD privilege on a directory containing an .exe, they could just move the .exe aside and replace it with one of their own. This is easier than the preceding if you're granted the appropriate access right.
If the directory is "magic," simply add an .exe. There are two types of "magic directories," auto-start points and %path% entries. If attackers find FILE_ADD_FILE permission granted to a Startup folder or similar auto-start point, they can simply copy their attack .exe into the directory and wait for a machine reboot. Their attack .exe will automatically be run at a higher privilege level. If attackers find FILE_ADD_FILE permission granted on a directory included in the %path% environment variable, they can add their .exe to the directory and give it the same filename as an .exe that appears later in the path. When an administrator attempts to launch that executable, the attackers' executable will be run instead. You'll see an example of this in the directory DACL attack section.
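The two directory conditions just described (FILE_DELETE_CHILD on a directory holding an .exe, and FILE_ADD_FILE on a %path% entry or auto-start folder) are easy to audit before anyone else finds them. The following PowerShell script is an added example, not code from the book: it walks every %path% entry in search order plus the all-users and per-user Startup folders, reads each directory's DACL, and reports Allow ACEs that grant those rights to low-privilege principals. It assumes Windows PowerShell 5.1 or later and that the principal list in $weakPrincipals is the set you consider low privilege; that list is an assumption to adjust per environment. The right-name mapping it relies on is that FileSystemRights.CreateFiles is FILE_ADD_FILE (0x2) and FileSystemRights.DeleteSubdirectoriesAndFiles is FILE_DELETE_CHILD (0x40); Write, Modify and FullControl all contain the CreateFiles bit, so they are caught by the same mask.

```powershell
# Added example (not from the book): audit %PATH% entries and Startup folders
# for directory DACLs that grant FILE_ADD_FILE or FILE_DELETE_CHILD to
# low-privilege principals. Run from an elevated prompt so every ACL is readable.

# Assumption: these principals are treated as "low privilege" for this audit.
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# CreateFiles == FILE_ADD_FILE (0x2); DeleteSubdirectoriesAndFiles == FILE_DELETE_CHILD (0x40).
# Write, Modify and FullControl all include the CreateFiles bit, so -band catches them too.
$interesting = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Get-WeakDirectoryAces {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Could not read ACL for ${Path}: $_"
        return
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $interesting) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# %PATH% entries in search order. Order matters: a weak entry can shadow any
# same-named .exe that lives in an entry later in the list.
$pathEntries = @($env:PATH -split ';' | Where-Object { $_ } | ForEach-Object { $_.Trim('"') })

# Auto-start points: all-users Startup folder and the current user's Startup folder.
$autoStart = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)

$findings = [System.Collections.Generic.List[object]]::new()

for ($i = 0; $i -lt $pathEntries.Count; $i++) {
    foreach ($f in Get-WeakDirectoryAces -Path $pathEntries[$i]) {
        $f | Add-Member -NotePropertyName Source -NotePropertyValue "PATH[$i]"
        $findings.Add($f)
    }
}
foreach ($dir in $autoStart) {
    foreach ($f in Get-WeakDirectoryAces -Path $dir) {
        $f | Add-Member -NotePropertyName Source -NotePropertyValue 'AutoStart'
        $findings.Add($f)
    }
}

if ($findings.Count -eq 0) {
    'No weak DACLs found on %PATH% entries or Startup folders.'
} else {
    # Any directory listed as PATH[i] puts every executable in PATH[j], j > i, at risk
    # of being shadowed; AutoStart hits mean an added .exe runs at the next logon.
    $findings | Sort-Object Source | Format-Table Source, Directory, Principal, Rights, Inherited -AutoSize
}
```

The fix for any hit is to remove the offending ACE (or the inherited grant on the parent), or to remove the directory from the system %path%; Inherited = True in the output tells you which of the two applies. Because the script reads only the explicit and inherited ACEs on each directory, it will not see rights a principal obtains solely through nested group membership; run it as a representative low-privilege user, or expand $weakPrincipals to include the groups that user belongs to, to close that gap.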