morph3us.org

Entries tagged as apis


"Killing" Windows's system process

  (Wednesday, September 20. 2006)
The topic of this blog post is already more than one and a half years old; have a look at the thread posted at the BuHa forums (sorry, German only). It is quite possible that this issue has been known for much longer, but unfortunately I could not find any information on it.

If a user with insufficient privileges (e.g. a member of the Users or Power Users group) tries to terminate a privileged process with the Windows task manager `taskmgr.exe' (or any other task manager, such as Sysinternals' Process Explorer), the manager displays an access denied message and nothing happens. Fine, but how does the system react if we try to kill its System process from a privileged user account? Note that I am talking about the real System process with PID 4 (at least on Windows XP). We would expect the task manager to display a message telling the user that this process cannot be terminated, as it does for `winlogon.exe', `lsass.exe', `csrss.exe' and so on, but it does not.


Windoze CreateRemoteThread() Exploit

  (Friday, December 2. 2005)
I'm not sure whether I should laugh or cry.. but I think it's better to laugh about it. :oP

Yeah, I know you don't know what I'm talking about: I mean a recently posted "advisory" on Bugtraq (securityfocus.com) titled Microsoft Windows CreateRemoteThread Exploit.

Maybe somebody should tell this guy that Windows has privileges and, more importantly, security descriptors. That means nobody can call OpenProcess() with full access on a process that does not belong to him unless he holds SeDebugPrivilege, or is able to obtain it. By default only Administrators hold this mighty privilege (and even for them it sits disabled in the token until the caller enables it with AdjustTokenPrivileges()), and an Administrator is not restricted in any way, so it is bullshit to call the ability to use OpenProcess() and CreateRemoteThread() an exploit.

To open a handle to another process and obtain full access rights, you must enable the SeDebugPrivilege privilege. For more information, see Changing Privileges in a Token.

MSDN: OpenProcess()
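The two entries above make the same point from opposite sides: a handle on someone else's process (PID 4 in the first entry, an arbitrary target for CreateRemoteThread() in the second) is granted or refused by the process's security descriptor unless the caller holds an enabled SeDebugPrivilege. The following PowerShell script is an added example, not code from this blog or from Microsoft's documentation; it asks for a PROCESS_TERMINATE handle on a target PID, enables SeDebugPrivilege in its own token via AdjustTokenPrivileges(), and asks again, so the two results can be compared. It assumes a Windows host, a caller that is a member of Administrators (on UAC-enabled systems this means an elevated prompt, because the filtered token of a non-elevated administrator does not carry SeDebugPrivilege), and the documented kernel32/advapi32 exports; the function names Test-OpenProcess and Enable-Privilege and the script name Test-SeDebug.ps1 are the example's own. The script only opens a handle and never calls TerminateProcess(), so it is safe to point at PID 4.

```powershell
# Added example (not from the original post): compare OpenProcess() on a target
# PID before and after enabling SeDebugPrivilege in the current token.
# Assumptions: Windows host, elevated Administrator, documented Win32 exports.
param([int]$TargetPid = 4)   # PID 4 is the System process on XP and later

$Win32 = @"
using System;
using System.Runtime.InteropServices;

public static class Win32 {
    public const uint PROCESS_TERMINATE       = 0x0001;
    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const uint TOKEN_QUERY             = 0x0008;
    public const uint SE_PRIVILEGE_ENABLED    = 0x0002;
    public const int  ERROR_NOT_ALL_ASSIGNED  = 1300;

    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges,
        ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
}
"@
Add-Type -TypeDefinition $Win32

# Ask for a handle with the given access mask and report the Win32 result.
# The handle is closed immediately; nothing is done with the target.
function Test-OpenProcess {
    param([int]$ProcessId, [uint32]$Access)
    $h   = [Win32]::OpenProcess($Access, $false, [uint32]$ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -eq [IntPtr]::Zero) {
        return "OpenProcess(PID $ProcessId, access 0x{0:X}) failed with Win32 error {1}" -f $Access, $err
    }
    [void][Win32]::CloseHandle($h)
    return "OpenProcess(PID $ProcessId, access 0x{0:X}) succeeded" -f $Access
}

# Enable a named privilege in the current process token. Returns $true if the
# privilege was actually enabled, $false if the token does not hold it at all.
function Enable-Privilege {
    param([string]$Name)
    $token = [IntPtr]::Zero
    $mask  = [Win32]::TOKEN_ADJUST_PRIVILEGES -bor [Win32]::TOKEN_QUERY
    if (-not [Win32]::OpenProcessToken([Win32]::GetCurrentProcess(), $mask, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $luid = New-Object Win32+LUID
    if (-not [Win32]::LookupPrivilegeValue($null, $Name, [ref]$luid)) {
        throw "LookupPrivilegeValue($Name) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $tp = New-Object Win32+TOKEN_PRIVILEGES
    $tp.PrivilegeCount = 1
    $tp.Luid           = $luid
    $tp.Attributes     = [Win32]::SE_PRIVILEGE_ENABLED
    $ok  = [Win32]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][Win32]::CloseHandle($token)
    if (-not $ok) { throw "AdjustTokenPrivileges failed: $err" }
    # AdjustTokenPrivileges returns TRUE even when the token lacks the privilege;
    # the only signal for that case is ERROR_NOT_ALL_ASSIGNED in the last error.
    return ($err -ne [Win32]::ERROR_NOT_ALL_ASSIGNED)
}

$before = Test-OpenProcess -ProcessId $TargetPid -Access ([Win32]::PROCESS_TERMINATE)
$held   = Enable-Privilege -Name 'SeDebugPrivilege'
$after  = Test-OpenProcess -ProcessId $TargetPid -Access ([Win32]::PROCESS_TERMINATE)

Write-Output "Before: $before"
Write-Output "SeDebugPrivilege enabled in this token: $held"
Write-Output "After:  $after"
```

Run it from an elevated prompt as `.\Test-SeDebug.ps1 -TargetPid 4` and then again from a non-elevated or non-administrator session: in the second case Enable-Privilege returns `$false` (the token never held the privilege, so ERROR_NOT_ALL_ASSIGNED comes back) and the second OpenProcess() result is no better than the first, which is exactly why the "exploit" in the Bugtraq post needs an Administrator to begin with. `whoami /priv` shows the same Enabled/Disabled state the script toggles. One caveat beyond the XP-era systems discussed above: on Vista and later, protected processes refuse such handles even to a token with SeDebugPrivilege enabled.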