Difference between revisions of "User:Dgeerts/DontLookAtMe"
Jump to navigation
Jump to search
| Line 1: | Line 1: | ||
=Able to run arbitrary executables on Windows Terminal server= | =Able to run arbitrary executables on Windows Terminal server= | ||
*<B>Type</B>: Local arbitrary code execution | *<B>Type</B>: Local arbitrary code execution | ||
| − | *<B>Status</B>: Not fixed | + | *<B>Status</B>: <FONT color=red>Not fixed</FONT> |
Microsoft Windows' bootloader by default checks the header of the executable it is given, to determine whether it is an EXE, BAT or COM file, and automatically runs it as the proper type. The current configuration on the Nikhef Windows Terminal Server blocks the loading of arbitrary EXE and COM files, but not arbitrary BAT files. Thus, by renaming the file extension from EXE to BAT, this security feature is circumvented, and the executable executed. | Microsoft Windows' bootloader by default checks the header of the executable it is given, to determine whether it is an EXE, BAT or COM file, and automatically runs it as the proper type. The current configuration on the Nikhef Windows Terminal Server blocks the loading of arbitrary EXE and COM files, but not arbitrary BAT files. Thus, by renaming the file extension from EXE to BAT, this security feature is circumvented, and the executable executed. | ||
| Line 7: | Line 7: | ||
=PHP scripts on webserver run under 'web' account= | =PHP scripts on webserver run under 'web' account= | ||
*<B>Type</B>: Local privilege escalation | *<B>Type</B>: Local privilege escalation | ||
| − | *<B>Status</B>: Fixed | + | *<B>Status</B>: <FONT color=blue>Fixed</FONT> |
Any PHP script run on the webserver (by, for example, dropping the scriptfile into the user's public_html directory) executes under the 'web' account. This allows users to escalate their privilege (if the 'web' account has more rights than the user's account). | Any PHP script run on the webserver (by, for example, dropping the scriptfile into the user's public_html directory) executes under the 'web' account. This allows users to escalate their privilege (if the 'web' account has more rights than the user's account). | ||
Revision as of 14:29, 4 July 2011
Able to run arbitrary executables on Windows Terminal server
- Type: Local arbitrary code execution
- Status: Not fixed
Microsoft Windows' bootloader by default checks the header of the executable it is given, to determine whether it is an EXE, BAT or COM file, and automatically runs it as the proper type. The current configuration on the Nikhef Windows Terminal Server blocks the loading of arbitrary EXE and COM files, but not arbitrary BAT files. Thus, by renaming the file extension from EXE to BAT, this security feature is circumvented, and the executable executed.
PHP scripts on webserver run under 'web' account
- Type: Local privilege escalation
- Status: Fixed
Any PHP script run on the webserver (by, for example, dropping the scriptfile into the user's public_html directory) executes under the 'web' account. This allows users to escalate their privilege (if the 'web' account has more rights than the user's account).