[cvsnt] Re: cygwin ssh server and author being set to SYSTEM
pvgoran
pvgoran.ml at macondo.ru
Thu Jan 8 10:36:44 GMT 2004
Hello Tony,
Thursday, January 8, 2004, 4:11:07 PM, you wrote:
TH> Pavel Goran wrote:
>> There must be a possibility for some kind of communication between a
>> process and the module (for example, a process can create a named pipe
>> and pass its name to the package as a password). Provided that
>> communication is possible, the package can create a named pipe (and
>> thus become the "named pipe server"), instruct the process to open it
>> (which thus becomes the "named pipe client"), impersonate the process'
>> user by calling ImpersonateNamedPipeClient(), and actually try
>> NtCreateToken() (and maybe other calls).
>>
TH> There are many pipes that are opened by the system user... (LSASS is one
TH> I think) it'd be trivial to pass one of those.
It's not clear to me... "Trivial to pass one" for whom? For a malicious
user who wants to "steal" privileges, for a process (say, an SSH server)
that wants to "legally" impersonate a user, or for a (sub)authentication
module?
(It would probably be better to move this discussion away from the CVSNT
mailing list - if you don't mind continuing it.)
TH> I'm not really prepared to take the risk. Luckily it's not a cvsnt
TH> problem - even if I implemented something only cygwin can make the
TH> decision whether to use it.
I don't mean it is to be implemented right now, this is rather just a proof
of concept.
Pavel Goran