13 comments on “Elevating privileges by exploiting weak folder permissions”

  1. Hi,

    What is the name of the software you use to display DLL libraries?
    It is shown in the fourth screenshot of this post.


  2. Hi,
    I tried with IDA Pro Free v6.0 and it is very much like IDA Pro (shareware).
    OllyDbg is also a great option.
    What do you think?

  3. FYI, I reached out to Microsoft about these services and the DLLs not being fully qualified. They responded with:

    “I believe that all of these binaries live in directories that require Admin privileges to write to, such as System32 and “Program Files”. As such, we don’t consider the non-fully qualified path to be a vulnerability in these cases.”

  4. I asked Microsoft about services looking for DLLs that don’t exist on the machine and this is their response:

    “We fully qualified the paths for those binaries in Windows 8 as a Defense-in-Depth measure. For earlier versions, the attack can only be performed if the user can change the PATH environment variable, which requires administrator privileges. Thus, it doesn’t meet our bar for a security bulletin.”

    Looks like they’re improving Windows 8 and beyond to use fully qualified paths, but as you need local admin to alter the PATH variable they’re not too worried.

    I did some work on unquoted paths in services earlier (MS13-058), and because you needed local access it took a while to get it recognised. This is different from yours, as you point out, since weakened permissions are the default (even on Windows 8) and could occur when other 3rd-party apps are updating the PATH variable.

    Thanks again for publishing this.
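    The weakness discussed above is a directory on the machine-wide PATH that a low-privilege user can write to. The following audit script is an added example (not from the original post or any of the commenters); it lists every PATH entry where such a principal holds file-creation rights. The list of principals is an assumption and should be extended for your environment.

    ```powershell
    # Added example: audit the machine PATH (the one services inherit) for
    # directories writable by low-privilege principals. Not part of the post.

    # Assumed set of principals that any local user is a member of.
    $lowPrivPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that allow planting a file in the directory. Some ACEs carry the
    # generic GENERIC_WRITE / GENERIC_ALL bits as raw integers, so test those too.
    $writeBits = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)
    $genericWrite = 0x40000000
    $genericAll   = 0x10000000

    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $dirs = $machinePath -split ';' | Where-Object { $_ -ne '' } | Select-Object -Unique

    foreach ($dir in $dirs) {
        # Expand %SystemRoot%-style references; report entries missing on disk.
        $expanded = [Environment]::ExpandEnvironmentVariables($dir)
        if (-not (Test-Path -LiteralPath $expanded -PathType Container)) {
            Write-Warning "PATH entry does not exist on disk: $dir"
            continue
        }
        $acl = Get-Acl -LiteralPath $expanded
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if ((($rights -band $writeBits) -ne 0) -or
                (($rights -band $genericWrite) -ne 0) -or
                (($rights -band $genericAll) -ne 0)) {
                # One row per weak ACE; an empty result means no PATH directory
                # grants write access to these principals.
                [pscustomobject]@{
                    Directory = $expanded
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
    ```

    Run it from an elevated prompt so that Get-Acl can read every directory; any row returned is a directory whose permissions should be tightened.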


  5. So I followed your directions above and ensured my python directory had the correct permissions. Environment variables are properly set, I am using a Windows 7 SP1 x64 VM and rebooted. When it comes up the service is started and everything looks like it should work, but I have 0 results.

    Any ideas?
