Possible trouble with SuRun elevations


Post by p2u on 14/2/2011, 16:57

Posted by MrBrian on wilderssecurity today: SuRun elevations can allow malware to elevate in a standard account (example with elevated command prompt).

Paul


Re: Possible trouble with SuRun elevations

Post by ssj100 on 14/2/2011, 23:05

I don't really see anything surprising there. For me, elevating a process to Administrator level via SuRun is always intentional. It's like installing a program on the REAL system - you'll need Administrator level access to do this most of the time (in order for the program to install properly).

However, as far as I understand it, this issue with SuRun would only apply if malware already got on to the REAL system and was able to execute in the Limited User Account (and then wait to associate itself to a SuRun-elevated process).

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Possible trouble with SuRun elevations

Post by p2u on 14/2/2011, 23:29

ssj100 wrote: I don't really see anything surprising there. For me, elevating a process to Administrator level via SuRun is always intentional.
If I understand everything correctly, then the surprising thing is that not only the process you intended to elevate is elevated.
P.S.: I NEVER elevate anything in my limited account. If I get an alert while testing, I pretend not to know the admin password. Otherwise everything is set up in such a way that I (and all other limited users on this computer) will NOT get any UAC alerts at all.

Paul


Re: Possible trouble with SuRun elevations

Post by ssj100 on 14/2/2011, 23:32

p2u wrote: If I understand everything correctly, then the surprising thing is that not only the process you intended to elevate is elevated.
For me, I always "felt" that SuRun potentially created a "hole" for malicious processes to elevate themselves. However, this "hole" essentially becomes irrelevant with the use of Sandboxie + SRP.


Re: Possible trouble with SuRun elevations

Post by MrBrian on 15/2/2011, 06:15

ssj100 wrote: However, as far as I understand it, this issue with SuRun would only apply if malware already got on to the REAL system and was able to execute in the Limited User Account (and then wait to associate itself to a SuRun-elevated process).

That's correct. Using SRP or similar is highly recommended. As p2u noted, never elevating by any means is the safest thing to do.


Re: Possible trouble with SuRun elevations

Post by ssj100 on 15/2/2011, 06:48

MrBrian wrote: As p2u noted, never elevating by any means is the safest thing to do.
Yes indeed, but then convenience/usability would be lost (particularly on XP). But as I mentioned, having a good security setup/approach essentially makes this issue irrelevant, and regardless, the "risk" is on the same level as mistakenly installing a malicious program on the REAL system with Administrator rights.


Re: Possible trouble with SuRun elevations

Post by p2u on 15/2/2011, 17:26

ssj100 wrote:
MrBrian wrote: As p2u noted, never elevating by any means is the safest thing to do.
Yes indeed, but then convenience/usability would be lost (particularly on XP).
Not necessarily. It all depends on what your every-day tasks are. I often see people unnecessarily elevate while they would be better off just giving "write" permissions to authenticated users for certain folders/files only.
P.S.: On XP, I used to disable RunAs and made it unavailable for users. Besides, Secondary Logon and Fast User Switching were disabled. I can't do that on Vista, since Parental Control depends on UAC, and UAC depends on RunAs...

Paul


Re: Possible trouble with SuRun elevations

Post by ssj100 on 15/2/2011, 23:15

p2u wrote: Not necessarily. It all depends on what your every-day tasks are.
Yes of course, but then my "every-day tasks" are not typical of the "every-day" user haha. But for many people, they should not need to elevate (particularly on Vista/7) on most days.

