Windows XP Privilege Escalation Exploit - No, it isn't.

The recently surfaced "Windows XP Privilege Escalation Exploit" is really no such thing. In fact, it's not even close. At first glance, it does look valid enough, but the fact remains that it's not even close to being a real exploit.

Let me explain why. In the original article, you can read:

Using simple command line tools on a machine running Windows XP we will obtain system level privileges, and run the entire explorer process (Desktop), and all processes that run from it have system privileges. The system run level is higher than administrator, and has full control of the operating system and its kernel. On many machines this can be exploited even with the guest account. At the time I’m publishing this, I have been unable to find any other mention of people running an entire desktop as system, although I have seen some articles regarding the SYSTEM command prompt.

While this is true, one rather important thing is left out. You need to have local administrator access to be able to do this. This whole "exploit" is based on scheduling a task and having it run as local system.

By default, the only account(s) that can schedule tasks on Windows XP and Windows Server 2003 (and I imagine Vista too) are members of the local administrators group. Imagine that? For this so-called exploit to be possible, you have to have local administrator privileges!

The original author claims that you can even reset the administrator password this way. Well, so can any user that has local administrator access to begin with. Where is the problem? The only scenario where this might be a problem is if some system administrators let their users schedule commands on domain controllers or other servers, but that would be very bad system administration to begin with. And we all know what problems bad sysadmins can get themselves into.
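
Neither the original article nor this post contains any code, so here is an added PowerShell audit check (my addition, not something from the article being debunked) that tests the two preconditions discussed above: whether the current account is a member of the local Administrators group, which is what submitting AT jobs requires by default, and, on a domain controller, whether the "Domain controller: Allow server operators to schedule tasks" policy has been switched on. It assumes PowerShell 2.0 or later, that the policy is stored as the DWORD value SubmitControl under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, and that Server Operators carries the well-known SID S-1-5-32-549.

```powershell
# Added audit check, not part of the original post or the article it debunks.
# Answers the question "could this account submit an AT job at all?", which is
# the precondition the so-called exploit glosses over.
# Assumptions: PowerShell 2.0+, the "Domain controller: Allow server operators
# to schedule tasks" policy is stored as DWORD SubmitControl under the Lsa key
# below, and Server Operators is the well-known SID S-1-5-32-549.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Membership in the local Administrators group, as seen by the current token.
# On Vista and later a non-elevated prompt carries a filtered token, so this
# reports False for an administrator until the prompt is started elevated.
$isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Server Operators only exists on domain controllers; check membership by SID.
$serverOpsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-549'
$isServerOp   = $principal.IsInRole($serverOpsSid)

# SubmitControl = 1 lets Server Operators submit AT jobs on a DC (the
# "bad system administration" case). A missing value means the default: off.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$submitControl = 0
try {
    $submitControl = [int](Get-ItemProperty -Path $lsaKey -Name SubmitControl -ErrorAction Stop).SubmitControl
} catch { }

# Either you are already an administrator, or a DC has been misconfigured to
# let Server Operators schedule jobs. Otherwise the "exploit" has nothing to run on.
$canSubmitAtJobs = $isAdmin -or ($isServerOp -and $submitControl -eq 1)

New-Object PSObject -Property @{
    User                 = $identity.Name
    LocalAdministrator   = $isAdmin
    ServerOperator       = $isServerOp
    SubmitControlEnabled = ($submitControl -eq 1)
    CanSubmitAtJobs      = $canSubmitAtJobs
}
```

Run it as the account in question. If CanSubmitAtJobs comes back False, the scheduled-task trick is a non-starter for that account; if it comes back True only because of SubmitControlEnabled, you have found the misconfigured domain controller the paragraph above warns about, and the fix is the policy setting, not the Task Scheduler.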

What annoys me with this whole thing is that everyone and their mother seems to be jumping on the bandwagon and screaming exploit. It's not! Being able, as administrator, to run a command prompt or even a whole desktop as local system poses no significant risk whatsoever.

Move on, there is nothing to see here. I claim FUD.

September 22, 2006 at 11:47pm | 18 Comments

18 Comments so far

  1. Ryan Duff, on September 23, 2006 at 1:18pm, said:

    /me thinks it's a noob with a new install of Windows and his account is an administrator account by default. That explains the fact of how he thinks he's gaining system level access... he already is an administrator! Damn Secure Windows!

  2. h0bbel, on September 23, 2006 at 4:49pm, said:

    This thing has been around for a while, but when I saw it appear on Digg again yesterday it was like someone waved a red flag at me. This whole thing has no merit whatsoever.

  3. Viper007Bond, on September 29, 2006 at 7:27pm, said:

    I can hack my PC. All I have to do is install a Trojan on it!

  4. h0bbel, on September 29, 2006 at 7:28pm, said:

    You can even format your own drive!!

  5. Windows XP password hoax - h0bbel, on October 9, 2006 at 12:28am, said:

    [...] This is another example of a “security issue” that isn’t even close to being one. The other one is a bit more clever though, this one is just plain stupid. [...]

  6. Windows XP Password Hoax: II - h0bbel, on November 3, 2006 at 2:23pm, said:

    [...] Yet another “how to change the administrator password in Windows” hoax is in the wild. [...]

  7. trollmind, on March 4, 2007 at 11:37pm, said:

    As an IT Administrator I can show you that even with a simple Domain User account you can do this exploit, so you do not need to be local administrator...
    The user just needs to have access to a command line tool.

  8. h0bbel, on March 5, 2007 at 12:04am, said:

    Feel free to prove me wrong, but until someone shows me how this can be done without LOCAL administrative access I call scaremongering and false accusations.

  9. coComment - Site comments by h0bbel, on March 16, 2007 at 10:32am, said:

    View this article on its blog

  10. ???, on July 1, 2007 at 5:24pm, said:

    trollmind, you may be able to access the CMD prompt from a normal domain user but you can't run the "AT" command.

  11. shem, on September 5, 2007 at 6:28pm, said:

    I didn't try it, but I imagine maybe it could be an exploit IF you could bring up a CMD window BEFORE logging in on the login window, like if you do the "sticky keys" sethc.exe switcheroo. Then you can go from anyone to SYSTEM.

    But I think the general idea about doing it from inside Windows as an "exploit" by itself is fucktarded.

  12. shem, on September 5, 2007 at 6:33pm, said:

    Never mind. I see that a cmd window on the login is already SYSTEM.

  13. Longpoke, on January 9, 2008 at 8:33pm, said:

    Actually this is an exploit... It exploits an old vulnerability in the Windows Kernel which allows you to escalate to SYSTEM which is pretty much as high as a user can go without Ring0.

  14. NoTiCe, on January 26, 2008 at 8:30pm, said:

    This is a known XP exploit.
    I learned it in my lesson. It's not for a guy who wants to get access to his girlfriend's cmp. It's an 'exploit' to get System priv. It's good for many things. Google it.
    That's all.

  15. yesk13, on May 9, 2008 at 6:48pm, said:

    Nevertheless, it is escalation of privileges from admin to system, which is higher. Not the kind of exploit you can use on the library or school computer.

  16. Anonymous, on June 16, 2009 at 4:36am, said:

    The exploit doesn't work on XP sp2 or sp3 without admin rights so it is useless!!!!!

  17. Christian Mohn (h0bbel), on June 16, 2009 at 11:24pm, said:

    @Anonymous: Yes it's useless on SP2 and SP3, and it's been pretty much useless from the start. Notice the "No it isn't" part of the post title?

  18. Anonymous, on March 9, 2010 at 6:20am, said:

    just give me the admin user/password, I'll show you how to hack windows XP
