Command prompt bypasses Windows XP security



  •  I work for a very large company that recently bought several thousand new computers.  All identical, all locked down (no administrator rights for you!!).  Supposedly, this is a Good Thing® because administrator rights are evil and can only lead to misery.

    So we have some of these computers in our "training room" and many different people log on to these machines.  I need to create some shortcuts that will show up on everyone's desktop.  But that's not possible because the "All Users" directory is off limits without administrator rights.  And I need to add some entries to the "hosts" file.  Again, off limits.   This means sending a request to the I.T. department and waiting at least 3-4 weeks for someone to go down to the training room and perform this 3 minute task.

    Then, entirely by accident, I discover:

    1.  Put the shortcuts and hosts file on a USB memory stick and plug it in to the target computer

    2.  Run CMD.EXE to open up a command prompt window

    3.  Move/Copy/Delete files at will to/from any directory on the computer.

     WTF!!   I am now a 3L33T HaXXor!!!

     




  • Sounds like the NTFS permissions are not set properly for some reason.  Limited users should not be able to modify files in \windows\ or subdirs  (e.g. hosts) or the "all users" directory.

    http://support.microsoft.com/kb/244600

    There is actually a procedure for restoring the default permissions (or setting them if you converted to NTFS from FAT32, for example):

    http://support.microsoft.com/kb/237399

     



  • I swear, the quality of WTFs is seriously degrading of late.



  • @Kyanar said:

    I swear, the quality of WTFs is seriously degrading of late.

    I dunno. It is kinda funny that the admins would go to all the trouble of applying lots of restrictions on what is either a FAT32 drive or an NTFS one with Everyone:F assigned at the root.



  • Yes, but it's a pretty big WTF that someone would consider themselves an elite hacker because their sysadmin was dumb enough to screw up permissions.



  • @Kyanar said:

    Yes, but it's a pretty big WTF that someone would consider themselves an elite hacker because their sysadmin was dumb enough to screw up permissions.

    Did you have your irony detector checked lately? 



  • @Kyanar said:

    I swear, the quality of WTFs is seriously degrading of late.

    You must be the guy who writes Mandatory Fun Day.

     

     



  • @CodeSimian said:

    Sounds like the NTFS permissions are not set properly for some reason.  Limited users should not be able to modify files in \windows\ or subdirs  (e.g. hosts) or the "all users" directory.

    Something else occurred to me.  In Vista, the "run" dialog box says whatever you type will be executed with administrator rights.  Although XP doesn't actually say it, I wonder if that's what's happening.   A quick Google didn't turn up anything, but it would explain this odd behavior.



  • @El_Heffe said:

    Something else occured to me.  In Vista, the "run" dialog box says whatever you type will be executed with administrator rights. 
     

    IIRC, I think it should only do that if you are already an administrator-level user and UAC is disabled.  Even in Vista, if you are a non-admin and you want to run a process as admin, Vista will ask you to type in a password.  Of course, if you are already an administrator, Vista won't ask you to type your password again. 

    @El_Heffe said:

    Although XP doesn't actually say it, I wonder if that's what's happening. 

    Probably not.  Even when you use the (arguably crippled) "Run as..." in XP (e.g. to run a process as an administrator),  you still have to type in the appropriate username and password.  There are 3rd party methods to run something as a different user without user intervention (e.g. from a batch file), but nothing built-in, AFAIK.

    I haven't played with Group Policy too much, but it is possible that access to the All Users folder was limited using group policy and not NTFS permissions?  As Raymond Chen pointed out, "shell policy is not the same as security". 

    http://blogs.msdn.com/oldnewthing/archive/2008/01/31/7337160.aspx 

     



  • It sounds like someone is using group policy to "lock down" the system, and not NTFS permissions.  And it looks like they forgot to disable the Run command (or cmd.exe).  Heck, you can probably get into the registry and unset the GPO that disables everything else :)

    I've had to write similar locked down accounts and it's amazing how easy it is to get a command prompt.  Good old IE == Windows Explorer stupidity.
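An audit script added here as an illustration (it was not posted by anyone in the thread) that checks the two things the discussion turns on: whether low-privilege principals actually hold write rights on the hosts file and the shared "All Users" desktop, and whether the lock-down consists only of Explorer shell policy (the NoRun and DisableCMD registry values), which is cosmetic rather than an access control. The paths and principal names are assumptions for a default install and may need adjusting.

```powershell
# Added audit script (not from the thread). Run as the ordinary, non-admin
# user whose restrictions you want to verify. Assumptions: default paths for
# the hosts file and the shared desktop; adjust $Paths for your build.

$Paths = @(
    "$env:SystemRoot\system32\drivers\etc\hosts",
    "$env:ALLUSERSPROFILE\Desktop"   # "All Users\Desktop" on XP; Public\Desktop on later Windows
)

# Principals that should never hold write rights on system locations.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Specific rights that allow changing a file or dropping files into a folder.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)
# Generic rights (GENERIC_WRITE | GENERIC_ALL) show up as raw numbers in Get-Acl output.
$GenericWriteMask = 0x50000000

function Test-WeakAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($LowPrivPrincipals -notcontains $id) { continue }
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band $WriteMask) -ne 0) -or (($raw -band $GenericWriteMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True usually means Everyone:F at the root, inherited down
            }
        }
    }
}

# The two Explorer policy values a "lock-down" typically sets; neither is an access control.
function Get-ShellPolicyState {
    $keys = @{
        NoRun      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        DisableCMD = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    }
    foreach ($name in $keys.Keys) {
        $value = (Get-ItemProperty -Path $keys[$name] -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Policy = $name; Set = ($null -ne $value -and $value -ne 0); Value = $value }
    }
}

$weak = $Paths | ForEach-Object { Test-WeakAcl -Path $_ }
"Shell policy values (cosmetic restrictions, not security):"
Get-ShellPolicyState | Format-Table -AutoSize
if ($weak) {
    "NTFS grants that let a limited user write to system locations:"
    $weak | Format-Table -AutoSize
} else {
    "No write access for low-privilege principals on the audited paths; the lock-down rests on NTFS, not just policy."
}
```

If the policy values are set but the ACL table is non-empty, the machine is in the state the thread describes: the Run dialog and cmd.exe are merely hidden while the file system itself is wide open.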



  • @skippy said:

    Good old IE == Windows Explorer stupidity.
     

    WTF?



  • @MasterPlanSoftware said:

    @skippy said:

    Good old IE == Windows Explorer stupidity.
     

    WTF?

     

    I'm referring to IE being so tied into the Windows system that the only difference between IE and Explorer is the little icon.  Really makes it hard to sandbox the browser.

    Go into IE and type "c:\windows\system32\cmd.exe"  or "file:///c:/windows/system32/cmd.exe".



  •  

    @skippy said:

    I'm referring to IE being so tied into the windows system that the only difference between IE and Explorer is the little icon.  Really makes it hard to sandbox the browser.

    Go into IE and type "c:\windows\system32\cmd.exe"  or "file:///c:/windows/system32/cmd.exe".

    You really oughta get current versions of Windows and IE installed before posting this kind of drivel.

    Hint: IE7 has been out for a while now. Perhaps it is time to upgrade?

     

    As for (the almost, sort of valid part of) your complaint, I believe this is as simple as a group policy. Been a while since I needed it, and unable to confirm at the moment. But GIYF.

     

    Really, stop spreading FUD. Especially when you have no clue.

     



  • The command prompt doesn't bypass security. The correct way to secure it is using NTFS, and the command prompt doesn't bypass NTFS. It will give the same error messages as doing it a different way. It must be something else causing it to do that. XP does not make whatever you type in the run box run with administrator privileges unless you are logged in as administrator. But you can still type runas /user and stuff like that in the command window to run as administrator. The policy editor doesn't improve the security. One way to make it secure is to use a program to automatically change everything on the main drive back to how it was before whenever the computer is restarted; now if someone changes something then it will change back when the next person uses it. On my computer, I have 2 accounts: 1 called "user" without administrator access and "root" which has administrator access. I also disabled the welcome screen, made it not display the last username in the login box, and require CTRL+ALT+DEL to login. Usually I use the account called "user" but sometimes I need to access "root" as well; sometimes I use runas and sometimes I log in directly to that account.



  • @zzo38 said:

    One way to make it secure is to use a program to automatically change everything on the main drive back to how it was before whenever the computer is restarted; now if someone changes something then it will change back when the next person uses it.
     

    Wow. Um. Just wow.

    That is not security... wow...



  • @MasterPlanSoftware said:

    Hint: IE7 has been out for a while now. Perhaps it is time to upgrade?
     

     

    Some places cannot use IE7 because it breaks their internal sites. Yes, I know, it's bad design to make an internal site that only works on one version of one web browser, but it's extremely common, as the hooks that sometimes work best for certain types of apps are broken in a different version of IE.



  • @methuseus said:

    @MasterPlanSoftware said:

    Hint: IE7 has been out for a while now. Perhaps it is time to upgrade?
     

     

    Some places cannot use IE7 because it breaks their internal sites. Yes, I know, it's bad design to make an internal site that only works on one version of one web browser, but it's extremely common, as the hooks that sometimes work best for certain types of apps are broken in a different version of IE.

     

    That doesn't excuse the spreading of erroneous information.



  • @MasterPlanSoftware said:

    Wow. Um. Just wow.

    I was thinking the same thing. I'm having a hard time figuring that one out. I'd think that preventing the changes in the first place would be optimal.



  • @AbbydonKrafts said:

    @MasterPlanSoftware said:
    Wow. Um. Just wow.

    I was thinking the same thing. I'm having a hard time figuring that one out. I'd think that preventing the changes in the first place would be optimal.

     

    Obviously, he is the last person who should be trying to provide security advice.



  • @MasterPlanSoftware said:

    @zzo38 said:

    One way to make it secure is to use a program to automatically change everything on the main drive back to how it was before whenever the computer is restarted; now if someone changes something then it will change back when the next person uses it.
     

    Wow. Um. Just wow.

    That is not security... wow...

    Sadly, this was the security model of my grade school computer system.  They used "Deep Freeze".

    http://en.wikipedia.org/wiki/Deep_Freeze_(software) 



  • Just another thought on the powerfulness of cmd / console apps:
    they're quite powerful.

    ps: or maybe I should say that Windows Firewall is as weak as a sheet of rice paper (yeah, I'm not really good with the ironic comparisons). Anyway, the other day I was fooling around trying to learn the basics of winsock on C++ and just noticed something: the firewall doesn't block sh*t. Even if I manually set the ports I was using as locked, the packets could still be received/sent through them!!

     

    edit: btw, my highschool used deepfreeze too, it sucked (+ the comps were PII with low ram / slow HDs, so it took them ages to boot T_T) 



  • @MasterPlanSoftware said:

    @skippy said:

    I'm referring to IE being so tied into the windows system that the only difference between IE and Explorer is the little icon.  Really makes it hard to sandbox the browser.

    Go into IE and type "c:\windows\system32\cmd.exe"  or "file:///c:/windows/system32/cmd.exe".

    You really oughta get current versions of Windows and IE installed before posting this kind of drivel.

    Hint: IE7 has been out for a while now. Perhaps it is time to upgrade?

     

    Although iexplore.exe and explorer are now distinct processes as of IE7 (finally!), IE7 will still automatically launch explorer.exe if you type a local address such as "C:\" (or the file:// equivalent) in the address bar.  This can be used to get out of "Reduced Functionality Mode" in Vista (pre-SP1), where MS attempts to lock everything down except IE7 (you don't even get the explorer process which provides your desktop icons and start menu).  Once you have the explorer file browser window running, you can run explorer.exe again and get your desktop icons/start menu back.  (To be fair, they still successfully locked down other functionality, such as Windows Update).  Maybe it's possible to lock down the "automatically launch Explorer from IE7" functionality, but MS sure forgot to do it.

    (Disclaimer: I have a valid license for Vista, which was preinstalled on a laptop.  I experienced "Reduced Functionality Mode" on another machine, where I was dual-booting Vista for evaluation purposes.  Seriously.) 



  • @CodeSimian said:

    IE7 will still automatically launch explorer.exe if you type a local address such as "C:\" (or the file:// equivalent) in the address bar. 
     

    This is desired behavior for most people. The old behavior has good points and bad points, and I understand them getting rid of it. The new behavior is what I would expect. Wouldn't you??

    @CodeSimian said:

    This can be used to get out of "Reduced Functionality Mode" in Vista (pre-SP1), where MS attempts to lock everything down except IE7 (you don't even get the explorer process which provides your desktop icons and start menu).  Once you have the explorer file browser window running, you can run explorer.exe again and get your desktop icons/start menu back.  (To be fair, they still successfully locked down other functionality, such as Windows Update).

    If you have set up security properly on the machine in the first place, none of this is an issue.



  • @MasterPlanSoftware said:

    @CodeSimian said:

    IE7 will still automatically launch explorer.exe if you type a local address such as "C:\" (or the file:// equivalent) in the address bar. 
     

    This is desired behavior for most people. The old behavior has good points and bad points, and I understand them getting rid of it. The new behavior is what I would expect. Wouldn't you??

     

    I agree.

    @MasterPlanSoftware said:

    @CodeSimian said:

    This can be used to get out of "Reduced Functionality Mode" in Vista (pre-SP1), where MS attempts to lock everything down except IE7 (you don't even get the explorer process which provides your desktop icons and start menu).  Once you have the explorer file browser window running, you can run explorer.exe again and get your desktop icons/start menu back.  (To be fair, they still successfully locked down other functionality, such as Windows Update).

    If you have set up security properly on the machine in the first place, none of this is an issue.

    True.  But it is still an issue for Microsoft, in the sense that they likely did not intend that loophole to exist in Reduced Functionality Mode. (I think they already closed the Winkey + U loophole in Reduced Functionality Mode.)   

    My point was that the separation between IE7 and Explorer is still not "airtight" (and probably never will be.)  Like you said, it is not an issue if you have security set up properly on your machine.  Then again, maybe you could say the same thing about the fact that IE6 ~= Explorer.



  • @MasterPlanSoftware said:

    You really oughta get current versions of Windows and IE installed before posting this kind of drivel.

    Hint: IE7 has been out for a while now. Perhaps it is time to upgrade?

     

    God, you really are clueless aren't you?  Not everything in this world is "bleeding edge."  I did this work like 4-5 years ago, so IE 6 was still new.  And I'd hate to inform you, but out here in "the real world" (aka, not in the basement trolling), companies still have IE7 updates blocked, like the company I work for.  So, it's really not that far-fetched.  And you know what, IE7 can STILL do that.  It's only finally in Vista that they added proper secure IE browser support.  Try taking a win9x or Win2k box on a domain and try to make a truly secure login account.  Long story short, it's impossible.

    /me returns to ignoring MasterPlanSoftware using GreaseMonkey



  • @skippy said:

    Not everything in this world is "bleeding edge."
     

    Especially you, apparently.

    @skippy said:

    Try taking a win9x or Win2k box on a domain and try to make a truly secure login account.  Long story short, it's impossible.
     

    Obviously you don't have any clue what you are doing then...

    @skippy said:

     * skippy returns to ignoring MasterPlanSoftware using GreaseMonkey

    If only they made an add on that would get you to think before you type...



  • @skippy said:

    Not everything in this world is "bleeding edge."

    Hmm, if you aren't upgrading to the newest versions of software it would seem to be your problem and not Microsoft's.  It's pointless to whine about security holes that were publicly disclosed and patched years ago.  Also, it's irrelevant to this discussion because even IE6 won't let you bypass proper NTFS permissions.

     

    @skippy said:

    Try taking a win9x or Win2k box on a domain and try to make a truly secure login account.

    If a business is still using 9x on any machine that is a serious fuck-up.  And it is completely possible to secure a Win2k box (well, as secure as you can make any complex piece of software). 





  • What exactly is the difference between IE 6 and 7's local file browsing? I don't have 6 to test on any more, but 7 will happily autocomplete what you type in the address bar and offer to download or run cmd.exe.



  • @Cap'n Steve said:

    What exactly is the difference between IE 6 and 7's local file browsing? I don't have 6 to test on any more, but 7 will happily autocomplete what you type in the address bar and offer to download or run cmd.exe.
     

    With IE6, the Windows shell and IE were pretty much the same thing.  Starting with IE7, they are different processes, for various reasons. 

     http://support.microsoft.com/kb/928675

    In Microsoft Internet Explorer 6 for Microsoft Windows XP, you experience in-place browsing, regardless of whether you are running Internet Explorer (IExplore.exe) or the Windows shell (Explorer.exe). When you use Internet Explorer 7 (IExplore.exe) to view a Windows shell folder, browsing uses the Explorer.exe program.

    In Windows XP, you can seamlessly browse Web pages and Windows folders in-place. This behavior occurs because Internet Explorer 6 and the Windows shell were basically the same program but used different user interface (UI) entry points. A key principle of Internet Explorer 7 is that the installation of a new version of Windows Internet Explorer does not update the Windows shell. Such behavior would have a large effect on the user experience, on functionality, and on stability. Therefore, the components that were previously shared with the Windows shell, such as the main window, the Address bar, and the toolbars, are not updated for Windows XP with SP2 and for Windows Server 2003 with SP1. Instead, Internet Explorer 7 installs newer components for its own use. This behavior significantly reduces compatibility risks and the need for corporate customers to test the Windows shell for Windows Internet Explorer updates.

     

    In Windows Vista, Web browsing and shell browsing must be separated to maintain security and functionality.

     



  • heh. this reminds me of what we do in the swiss army (i'm in military communications)

    during my basic training in 2001 the laptops we used to configure and maintain the communications devices (stuff like this) were ordinary 'civil' ibm thinkpads running winnt 4.

    meanwhile they have been replaced by amrel laptops running winxp.

    those laptops lack some important software such as video player/codecs, etc ;)

    on the ibm laptops, they used policies to hide most of the stuff, but forgot to disable creating shortcuts on desktop --> one shortcut to cmd.exe and we were back in business.

    on the new laptops with winxp the user we work with actually has limited rights.... we know the username of the admin user, but we don't know its password.

    but we found out how to change the users password without knowing it:

    net user THAT_OTHER_USER my_new_passwd

    changes the password without asking for the old one. then we finally are able to install stuff like videolan and enable the dvd rom drive so watching over the communication devices for a couple of hours does not get that boring anymore ;)



  •  @Cap'n Steve said:

    What exactly is the difference between IE 6 and 7's local file browsing? I don't have 6 to test on any more, but 7 will happily autocomplete what you type in the address bar and offer to download or run cmd.exe.

    So will Firefox. What was your expectation?



  • @ZippoLag said:

    just noticed something: the firewall doesn't block sh*t. Even if I manually set the ports I was using as locked, the packets could still be received/sent through them!!
     

    Perhaps you should read more about Windows Firewall before you post.

    Windows Firewall only blocks incoming, not outgoing, packets. It was designed that way intentionally. (ZoneAlarm gets too many support issues from non-tech people because someone tells them they should install it, they do, and then don't know enough about their computers to know what to allow and disallow; they end up either allowing everything, negating the whole firewall installation, or disallow everything and then need help because they can't do anything internet or web related.)



  • @MasterPlanSoftware said:

     @Cap'n Steve said:

    What exactly is the difference between IE 6 and 7's local file browsing? I don't have 6 to test on any more, but 7 will happily autocomplete what you type in the address bar and offer to download or run cmd.exe.

    So will Firefox. What was your expectation?

    That was what I expected. Your previous post seemed to imply that you couldn't get to cmd.exe through IE7. And for what it's worth, IE is the only one that autocompletes local file names.



  • @Cap'n Steve said:

    That was what I expected. Your previous post seemed to imply that you couldn't get to cmd.exe through IE7.

    Why does it matter if you can get to cmd.exe?  It won't launch with any permissions your user doesn't already have.

     

    @Cap'n Steve said:

    And for what it's worth, IE is the only one that autocompletes local file names.

    Once again, why does that matter?  It's only going to autocomplete files you have read access to.  It's not like IE bypasses all of the kernel security and gives a user access to anything on the system. 

     



  • @morbiuswilters said:

    Why does it matter if you can get to cmd.exe?  It won't launch with any permissions your user doesn't already have.

    Well, obviously it matters to a lot of schools, libraries, etc., which is why this thread exists in the first place. I was just pointing it out because someone mentioned using IE to open cmd.exe and was told to update IE, which makes absolutely no difference. I pointed out the autocomplete as a leftover from when IE and Explorer were exactly the same. I guess you could use that to snoop around if you were on a partially locked down computer and weren't sure what you were looking for.



  •  the problem is that you want to limit users to Internet Explorer, and now you've got them running Solitaire.



  • @tster said:

     the problem is that you want to limit users to Internet Explorer, and now you've got them running Solitaire.

     

    Then turn the ability off.



  • @MasterPlanSoftware said:

    Then turn the ability off.

    No shit.  Removing shortcuts from the desktop != restricting the ability of users to access those programs.  I can't believe this has to be explained.  Either delete the apps you don't want or make them unreadable by the group you want to restrict.  Christ..



  • @morbiuswilters said:

    @MasterPlanSoftware said:

    Then turn the ability off.

    No shit.  Removing shortcuts from the desktop != restricting the ability of users to access those programs.  I can't believe this has to be explained.  Either delete the apps you don't want or make them unreadable by the group you want to restrict.  Christ..

     

    One has to wonder what moron would INSTALL solitaire on a computer that they didn't want it played on...

    But I digress. Clearly this is just another example of a[n] (non-existent) issue that is being beaten to death by people who decided to come in at the last minute and try and fan the flames all over again.



  • @El_Heffe said:

    Then, entirely by accident, I discover:

    I can't stop giggling about this.

    "See, I was just sitting there, minding my own business, when I inadvertently dragged these exact files I needed onto my USB drive. And then when I went to copy them back off, my mouse hand bumped the USB drive and it fell out, so I had to crawl under the table to get it and - per company security policy - logged out of the machine before doing so. When I went to put it back in, I had forgotten which computer I was using, so I plugged it into the other one... you know, the one where I wanted to copy the files, only I couldn't because I'm so compliant with security policy... and then when I logged in, I thought 'wow, I miss the command prompt' and typed CMD.EXE in the 'Run' dialog so I could reminisce about the days of DOS, and it was only after I had copied those files back off the USB drive that I realised I was using the wrong computer! It was a TOTAL ACCIDENT!"

     



  • @KenW said:

    @ZippoLag said:

    just noticed something: the firewall doesn't block sh*t. Even if I manually set the ports I was using as locked, the packets could still be received/sent through them!!
     

    Perhaps you should read more about Windows Firewall before you post.

    Windows Firewall only blocks incoming, not outgoing, packets. It was designed that way intentionally. (ZoneAlarm gets too many support issues from non-tech people because someone tells them they should install it, they do, and then don't know enough about their computers to know what to allow and disallow; they end up either allowing everything, negating the whole firewall installation, or disallow everything and then need help because they can't do anything internet or web related.)

