Finding Privilege Escalation Vulnerabilities in Windows Using Process Monitor (cert.org)
25 points by po 1 day ago | hide | past | favorite | 8 comments

%20 is not HTML encoded, it is URL encoded. If it were HTML encoded, it would have been   or  .

Removing write rights on the C: root is the first thing I do on any PC I deploy... ;-) It can mitigate quite a few vulnerabilities, and it was already true 20 years ago...

Why does a program need elevated privileges to load a DLL?

What section are you referring to?

Most of this article is about privileged processes incorrectly loading shared libraries.

"When a program is installed on the Windows platform, some components of it may run with privileges, regardless of which user is currently logged on to the system."

So I understand that a normal program may have code (for example DLL loading code) which runs with elevated privileges.

The article is using "program" more in the sense of a package (something that might contain multiple executables) rather than a single executable.

Mentioned a little after that sentence:

  These privileged components generally take two forms:
  - Installed services
  - Scheduled tasks

So another way to put the article text might be:

  When an application is installed on a Windows system, multiple executables may be installed. Some of these executables may be configured to run as part of a system service (akin to a *nix daemon) or scheduled task (similar to a cron job). Both system services and scheduled tasks may run with privileges separate from those of the currently logged on user.

Essentially, Windows services are equivalent to *nix daemons. Just like certain *nix daemons, Windows services are used to carry out more "system oriented" tasks (such as installing software updates), and can't necessarily run correctly with the (possibly restricted) privileges of the currently logged in user. Furthermore, they may need to run regardless of whether a user is even logged in.

Scheduled tasks are similar to services in many aspects - they may require a static set of privileges, and may need to be run even when there is no currently logged in user. They just have the added requirement that they should be run at certain times or when certain events occur.
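A defensive audit prompted by the discussion above, added here as an example that is not from the linked article or any commenter: it lists installed services whose executable directory grants write access to low-privilege groups, since that is where a privileged process could end up loading a DLL it did not ship with. Assumptions: the group names in `$lowPrivIdentities` fit your environment, and the script runs from an elevated prompt so every service path is readable.

```powershell
# Added example (not from the article or the thread): find services whose
# image directory is writable by low-privilege identities.
# Assumption: adjust these identities for your domain or local policy.
$lowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that allow adding or replacing files inside a directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl'

function Get-ImageDirectory([string]$PathName) {
    # Service PathName may be quoted and carry arguments, e.g. '"C:\App\svc.exe" -run'.
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($PathName -split '\s+')[0] }   # unquoted path: take first token
    if (-not $exe) { return $null }
    return Split-Path -Path $exe -Parent
}

function Test-LowPrivWritable([string]$Directory) {
    # Caveat: only Allow ACEs are inspected; an explicit Deny ACE for the same
    # identity would override a match here, so review flagged entries by hand.
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) { return $true }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $dir = Get-ImageDirectory $_.PathName
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            if (Test-LowPrivWritable $dir) {
                [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Directory = $dir }
            }
        }
    } | Format-Table -AutoSize
```

Any row reported is a candidate for tightening the directory ACL (as the commenter above does for the C: root) or for relocating the service binaries under a protected path; the same directory check applies to the program paths of scheduled tasks.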

You can run some DLLs as separate processes (manually using rundll32, or from another process). If you ask a privileged process to start these processes they can also have more privileges than you have yourself.

But you can’t have part of a process have more privileges than another part of that same process.

In this sentence "components" refers to system services or scheduled tasks which are part of a "program". Take "program" as the package you download and install.
