Windows XP Privilege Escalation Exploit - No, it isn't.

The recently surfaced "Windows XP Privilege Escalation Exploit" is really no such thing. At first glance it looks plausible enough, but it is not even close to being a real exploit. Let me explain why. In the original article, you can read:
Using simple command line tools on a machine running Windows XP we will obtain system level privileges, and run the entire explorer process (Desktop), and all processes that run from it have system privileges. The system run level is higher than administrator, and has full control of the operating system and its kernel. On many machines this can be exploited even with the guest account. At the time I'm publishing this, I have been unable to find any other mention of people running an entire desktop as system, although I have seen some articles regarding the SYSTEM command prompt.
While this is true, one rather important thing is left out: you need local administrator access to be able to do this. The whole "exploit" is based on scheduling a task and having it run as local system. By default, the only accounts that can schedule tasks on Windows XP and Windows Server 2003 (and I imagine Vista too) are members of the local Administrators group. Imagine that? For this so-called exploit to be possible, you already have to have local administrator privileges!

The original author claims that you can even reset the administrator password this way. Well, so can any user that has local administrator access to begin with. Where is the problem? The only scenario where this might be a problem is if some system administrators let their users schedule commands on domain controllers or other servers, but that would be very bad system administration to begin with. And we all know what problems bad sysadmins can get themselves into.

What annoys me with this whole thing is that everyone and their mother seems to be jumping on the bandwagon and screaming exploit. It's not! Being able, as administrator, to run a command prompt or even a whole desktop as local system poses no significant risk whatsoever. Move on, there is nothing to see here. I claim FUD.
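The one case the post does flag as a real problem is an environment where accounts outside the Administrators group have been allowed to schedule tasks that run as SYSTEM. A quick way for an administrator to check for that is to parse the output of `schtasks /query /v /fo CSV` and list every task that runs as SYSTEM but was created by an account outside a known-good set. The script below is an added example written for this page, not code from the original post; the CSV sample is constructed, and it assumes the column names "Run As User" and "Creator" (Windows XP/2003) or "Author" (later versions), which should be checked against the real output of the machine being audited.

```python
import csv
import io

# Constructed sample of `schtasks /query /v /fo CSV` output. The column names follow
# the Windows XP / Server 2003 layout (creator column "Creator"; Vista and later use
# "Author"); the host, task names and accounts are made up for this example.
SAMPLE_CSV = '''"HostName","TaskName","Next Run Time","Status","Creator","Task To Run","Run As User"
"WKS01","Backup","01:00:00, 1/1/2007","","backupsvc","C:\\tools\\backup.cmd","NT AUTHORITY\\SYSTEM"
"WKS01","At1","23:59:00, 9/22/2006","","jdoe","C:\\Documents and Settings\\jdoe\\run.bat","NT AUTHORITY\\SYSTEM"
"WKS01","Cleanup","02:00:00, 1/1/2007","","Administrator","C:\\tools\\cleanup.cmd","WKS01\\Administrator"
'''

# Spellings under which the local system account shows up in the "Run As User" column.
SYSTEM_NAMES = {"nt authority\\system", "system", "localsystem"}


def parse_tasks(text):
    """Parse schtasks CSV output into a list of dicts keyed by column name.
    Assumption: some schtasks versions repeat the header row before each task,
    so any body row whose TaskName equals the literal header is skipped."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row.get("TaskName") != "TaskName"]


def runs_as_system(row):
    """True when the task's account is the local system account."""
    return (row.get("Run As User") or "").strip().lower() in SYSTEM_NAMES


def creator_of(row):
    """Creating account; XP/2003 call the column "Creator", later versions "Author"."""
    return (row.get("Creator") or row.get("Author") or "").strip()


def find_unexpected_system_tasks(text, trusted_creators):
    """Return (task name, creator, command) for every task that runs as SYSTEM but
    was created by an account outside trusted_creators. A hit means an account
    outside the expected set was able to schedule SYSTEM-level work, which is the
    misconfiguration that would turn "schedule a task as SYSTEM" into a genuine
    crossing of a privilege boundary."""
    trusted = {name.lower() for name in trusted_creators}
    hits = []
    for row in parse_tasks(text):
        creator = creator_of(row)
        if runs_as_system(row) and creator.lower() not in trusted:
            hits.append((row["TaskName"], creator, row.get("Task To Run", "")))
    return hits


if __name__ == "__main__":
    # On a real machine, replace SAMPLE_CSV with the captured output of
    # `schtasks /query /v /fo CSV` and list the accounts expected to create SYSTEM tasks.
    for name, creator, command in find_unexpected_system_tasks(SAMPLE_CSV, ["Administrator", "backupsvc"]):
        print(f"{name}: SYSTEM task created by {creator!r} -> {command}")
```

With the constructed sample, only the task created by `jdoe` is reported; the backup task created by the service account and the task running as the local Administrator are left alone. An empty result is the expected state on a default install, where only members of Administrators can create tasks in the first place.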

Posted by Christian Mohn aka h0bbel

Published September 22, 2006 23:47
15 comments

15 Responses to Windows XP Privilege Escalation Exploit - No, it isn't.:

  • Ryan Duff
    September 23, 2006 1:18pm

    /me thinks it's a noob with a new install of Windows and his account is an administrator account by default. That explains the fact of how he thinks he's gaining system level access… he already is an administrator! Damn Secure Windows!

  • h0bbel
    September 23, 2006 4:49pm

    This thing has been around for a while, but when I saw it appear on Digg again yesterday it was like someone waved a red flag at me. This whole thing has no merit whatsoever.

  • Viper007Bond
    September 29, 2006 7:27pm

    I can hack my PC. All I have to do is install a Trojan on it!

  • h0bbel
    September 29, 2006 7:28pm

    You can even format your own drive!!

  • Windows XP password hoax - h0bbel
    October 9, 2006 12:28am

    […] This is another example of a "security issue" that isn't even close to being one. The other one is a bit more clever though, this one is just plain stupid. […]

  • Windows XP Password Hoax: II - h0bbel
    November 3, 2006 2:23pm

    […] Yet another “how to change the administrator password in Windows” hoax is in the wild. […]

  • trollmind
    March 4, 2007 11:37pm

    As an IT Administrator I can show you that even with a simple Domain User account you can do this exploit, so you do not need to be local administrator…
    The user just needs to have access to a command line tool.

  • h0bbel
    March 5, 2007 12:04am

    Feel free to prove me wrong, but until someone shows me how this can be done without LOCAL administrative access I call scaremongering and false accusations.

  • ???
    July 1, 2007 5:24pm

    trollmind, you may be able to access the CMD prompt from a normal domain user but you can't run the "AT" command.

  • shem
    September 5, 2007 6:28pm

    I didn't try it, but I imagine maybe it could be an exploit IF you could bring up a CMD window BEFORE logging in at the login window, like if you do the "sticky keys" sethc.exe switcheroo. Then you can go from anyone to SYSTEM.

    But I think the general idea about doing it from inside Windows as an "exploit" by itself is fucktarded.

  • shem
    September 5, 2007 6:33pm

    Never mind. I see that a cmd window on the login is already SYSTEM.

  • Longpoke
    January 9, 2008 8:33pm

    Actually this is an exploit… It exploits an old vulnerability in the Windows Kernel which allows you to escalate to SYSTEM which is pretty much as high as a user can go without Ring0.

  • NoTiCe
    January 26, 2008 8:30pm

    This is a known XP exploit.
    I learned it in my lesson. It's not for a guy who wants to get access to his girlfriend's cmp. It's an 'exploit' to get System priv. It's good for many things. Google it.
    That's all.

  • yesk13
    May 9, 2008 6:48pm

    Nevertheless, it is escalation of privileges from admin to system, which is higher. Not the kind of exploit you can use on the library or school computer.
