It rather involved being on the other side of this airtight hatchway: Elevation from Administrator to SYSTEM


A security vulnerability report arrived that took the following form:

I have discovered a critical security vulnerability in Windows which I intend to present at the XYZ conference. It allows any user with administrator privileges to perform operation Q, something that should be available only to SYSTEM.

I think you know how this story ends. If you have administrator privileges, then you are already on the other side of the airtight hatchway. That you can use administrator privileges to pwn the machine is not interesting, because by virtue of being an administrator you already pwn the machine.

There is formally a distinction between Administrator and SYSTEM, since there are some things that are ACL'd so that SYSTEM can do them and arbitrary administrators cannot, but that distinction is formal and not practical. An administrator who wanted to get some code running as SYSTEM could install a service that runs as SYSTEM. Or use Debug Privilege to take over a process (say, a service) running as SYSTEM. Or simply open a command prompt as SYSTEM and go to town. No need to go through the complex operation Q to get SYSTEM access.
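The first of those routes, installing a service that runs as SYSTEM, as an added PowerShell example (this is not code from the original post). It assumes an elevated PowerShell session on a single machine; the service name DemoSystemShell and the output file under %SystemRoot%\Temp are arbitrary choices for the demonstration. It registers cmd.exe as a throwaway service, lets the Service Control Manager start it as LocalSystem, and reads back the identity that cmd.exe reported.

```powershell
# Added example (not from the original post): an elevated administrator obtains a
# SYSTEM token by the first route listed above, installing a service.
# Assumptions: an elevated (UAC-approved) PowerShell; the service name and the
# output path are arbitrary choices for this demonstration.
$ErrorActionPreference = 'Stop'

# 1. Confirm we hold an elevated administrator token. A UAC-filtered token carries
#    the Administrators SID as deny-only, so IsInRole() returns $false for it, and
#    sc.exe create would fail with "Access is denied": the hatchway doing its job.
$id  = [Security.Principal.WindowsIdentity]::GetCurrent()
$pri = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $pri.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated prompt; a filtered administrator token is not enough."
}
"Starting as: $($id.Name)"

# 2. Register a throwaway service whose 'binary' is cmd.exe. The SCM starts it as
#    LocalSystem; cmd.exe writes its identity to a file and exits. (Note sc.exe, not
#    sc, which PowerShell aliases to Set-Content. The path must contain no spaces.)
$svc = 'DemoSystemShell'
$out = "$env:SystemRoot\Temp\whoami-system.txt"
$cmd = "$env:ComSpec /c whoami /all > $out"
sc.exe create $svc binPath= "$cmd" type= own start= demand obj= LocalSystem | Out-Null

# 3. cmd.exe never calls StartServiceCtrlDispatcher, so Start-Service reports an
#    error (1053 or 1067). The redirected command has already run as SYSTEM by then.
try {
    Start-Service -Name $svc
} catch {
    Write-Host "Start-Service reported an error, as expected: $($_.Exception.Message)"
}

# 4. Inspect the result: the User Name line reads "nt authority\system" and the
#    privilege list includes SeTcbPrivilege, which no administrator token carries.
Get-Content $out | Select-String 'nt authority\\system|SeTcbPrivilege'

# 5. Clean up the service and the output file.
sc.exe delete $svc | Out-Null
Remove-Item $out -ErrorAction SilentlyContinue
```

This is the same mechanism psexec -s relies on. Everything it yields is local to the machine the service was created on, which is the check the post goes on to describe: elevated administrator in, SYSTEM on the same box out, nothing more.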

So yes, a user with administrator privileges can use operation Q to do things that are normally limited to SYSTEM. But so what? Users with administrator privileges already have plenty of easier ways of doing things that are normally limited to SYSTEM. The distinction between the SYSTEM and Administrator accounts is a roadblock to make it harder to mess up your system by mistake. You can still mess up your system, but you have to try harder.

Before dismissing these reports, you do have to verify that the attack is effective only against the current machine. In other words, that obtaining administrator privileges on the computer gets you nothing more than administrator privileges on the computer. And in this case, that was true. The attack described gives the user access to the local machine, but has no effect on other machines.

Comments (27)
  1. Joshua says:

I've got one that does so from a limited administrator token w/o triggering UAC. Once again, current machine.

  2. Rob says:

    @MNGoldenEagle

    Move your right hand one position to the left on the keyboard…

  3. DWalker says:

    An administrator can format the C drive, for example…..

  4. yurikus says:

    Adi Oltean's trick, using an interactive service to spawn a cmd window, doesn't work on Win 8.1. Interactive mode has been deprecated. Is there a new method?

  5. Anon says:

    A limited Admin token is functionally the same as an Admin token. You're still an Admin.

  6. Anon says:

    You don't need a 'trick.'

    psexec -s cmd /c whoami

  7. Billy O'Neal says:

    > Or use Debug Privilege to take over a process (say, a service) running as SYSTEM.

    Not since Windows 8.1.

  8. Joshua says:

    Ugh phone typing. "so from"

  9. Medinoc says:

But according to restricted tokens and deny-only SIDs, you're no longer supposed to be, unless something is forbidden to admins, then you still are.

    Otherwise, it means UAC actually is crap like the detractors said, and power users who can afford two accounts should still run as a fully limited user like they did in Windows XP.

  10. 640k says:

    > DWalker: An administrator can format the C drive, for example…..

    Windows doesn't allow anyone to format the system partition.

  11. @640k: An administrator can format the system partition if they REALLY want to, but the built-in tools won't support it.  Windows itself won't stop you from, say, using a raw disk editing tool to overwrite swaths of the system partition with 0's.

  12. Darran Rowe says:

    @Joshua:

    But does that work from a limited administrator token without triggering UAC when the UAC settings are set to always notify? That is when it is a true security vulnerability.

Remember that the default UAC setting is in response to people complaining that UAC was still too chatty during Windows Vista's lifetime. So Microsoft allowed some programs to elevate without prompting. It was these programs that were generally the cause. I think the COM elevation moniker was also one potential path. It has been so long since I looked into it myself that I have forgotten a lot.

    The UAC settings make this really clear. The default settings for UAC are recommended if you use mostly familiar programs and visit familiar websites. If you set it to always notify, then it suddenly starts notifying for these white listed applications. This is also recommended if you install unfamiliar applications or visit unfamiliar websites.

    So while the default UAC setting reduces noise in some situations, a malicious developer could use that to their advantage. For the airtight hatchway, this is similar to leaving a remote opening device outside, hidden in a place that only people inside know where to find it. It doesn't stop people who are allowed onto the other side from misusing it, and it doesn't stop people who aren't supposed to be on the other side from stumbling across it.

  13. Kate says:

    I hope they presented their "vulnerability" at the conference and got laughed at.

    [I watched a little bit of the conference video and heard no laughter. But it was a long video, and I didn't watch it all, so I could have missed it. -Raymond]
  14. Joshua says:

    @Darran Rowe: yes it does.

For those who care about my attitude about UAC, as a developer I only want two easy fixes: whatever permissions are on the Users group should not require elevation to use (I'm looking at SeCreateSymbolicLink), and a LOGON_USER_INTERACTIVE_ELEVATED (for services that serve login sessions). I know otherwise how to deal with it with no penalty to users whenever I can avoid architecturally stupid product requirements (e.g. Office automation) when handling sensitive data.

    As a USER it bugs the heck outta me for things I can't even figure out what fix would be appropriate (darn that command typed into cmd.exe needed elevation). I've taken to making the main cmd.exe shortcut "run with highest privileges".

  15. Harry Johnston says:

    @Medinoc: the point of UAC, as I see it, is that you *can* now run two separate accounts, because developers have (mostly) been forced to actually make their programs work without admin privilege.

    It's annoying as heck, but it did the job.  I look after computer labs at a University, and before Vista came along, I often had to mess about to get software to work for the students.  Nowadays, well, it still happens now and then, but only very rarely.

  16. Darran Rowe says:

    @Joshua:

Well, the whole thing where it creates a restricted token by removing a set list of privileges rather than checking what you have set on the Users group is daft. It is like they didn't take into account that limited users could have their privileges changed. That has always irked me too.

  17. Laserdrome says:

    Dear Mr Chen,

    I am afraid I know of no other way of contacting you and hence apologize for the offtopic posting. I have just acquired an old AlphaServer DS20 and I am playing around with the old Windows 2000 pre-release versions that exist for Alpha. Now I have stumbled across your posting (technet.microsoft.com/…/2008.08.windowsconfidential.aspx) which suggests there might be a Windows Server 2003-Version for Alpha as well. Is there any way of obtaining that version – even if it means to pay for it? I would be very grateful if you (or anyone else knowing something about this) could answer here or drop me a short line: laserdrome@gmail.com

    Kind regards

  18. DWalker says:

    @640K:  I didn't say the C drive was the system partition!  Seriously, you can delete random files from within %windir%; you might have to take ownership, but an admin can do that.  

  19. alegr1 says:

    There was one time when I accidentally started the Task Manager as SYSTEM. It was Windows 7, probably pre-SP1. I could not reproduce it anymore after SP1. It might have been that Ctrl+Shift+Esc got handled through a top level window of a process which ran as SYSTEM.

  20. kog999 says:

    > DWalker: An administrator can format the C drive, for example…..

    >Windows doesn't allow anyone to format the system partition.

Who says the C: has to be the system partition? Perhaps the user installed Windows on D: and kept all their super important documents on C: with no backup.

  21. ZLB says:

    @yurikus

You can write an app that, if running as Admin, can launch apps as SYSTEM.

    From memory: Run app as admin, elevated if UAC is enabled -> Open a process running as SYSTEM and duplicate its token -> Use SetTokenInformation() to set the token session id -> Launch another process using CreateProcessWithToken().

    I've not tried this, but I guess you could use this to launch Windbg as SYSTEM to debug services which only misbehave as SYSTEM.

  22. Myria says:

    For some reason, Microsoft also considers elevation from LocalSystem to kernel to be some kind of vulnerability, or they wouldn't make things like Device Guard or requiring an EV certificate and submission to Microsoft in order to load kernel drivers.

  23. Erkin Alp Güney says:

@Raymond: to pwn? Is it "own" in an agglutinated form?

    [See pwn. -Raymond]
  24. Joshua says:

    @Myria: No, that's just malware resistance. You can bypass the EV certificate requirement easily, but it's noisy. Device Guard is also easily defeated, but only if the hardware is in front of you.

  25. 640k says:

Whenever a security vulnerability is found in any of the safety nets or so-called security boundaries in Windows, the answer is always that it was not intended to protect the user. We're told it's a feature, not a bug. But the next version of Windows usually tries to fix it.

    [Just because X is not a substitute for Y doesn't mean you can't try to make X help Y a little better. (You're under no obligation to, but you can do it because it makes X more valuable.) -Raymond]

Comments are closed.