Subject: unrestricted system threads cause privilege escalation

I believe there is a security problem concerning privilege escalation in at least Windows XP / Windows XP + SP1 / Windows 2000. Although it is not that important, and not an OS structure problem but more like a programming miss, it compromises local security like the "ServiceManager predictable named pipe usage" problem. Maybe someone has already found this problem because it is so "obvious". By the way, I believe the problem exists in all NT/2K/XP versions.

Target environment (tested so far):
  Windows XP (Japanese, Build 2600) + SP1
  Windows XP (English, Build 2600)
  Windows 2000 Japanese without SP1

Symptom:
1. Winlogon.exe (highly privileged) has 1 or 2 threads which grant FullAccess to the current logon user.
2. Winlogon.exe (highly privileged) creates 1 thread which grants FullAccess to the current logon user when it plays a sound for the sound event scheme.
3. Lsass.exe (highly privileged) sometimes creates 1 thread which grants FullAccess to the current logon user (maybe when using Internet Explorer or a WMI script).
4. wmiprvse.exe (not highly privileged) creates 1 or 2 threads which grant FullAccess to the current logon user when executing a WMI script.

Besides, none of the threads above have been assigned an impersonation token, which means they use the primary token of their owner process. In a word, in some important services (mostly running under the SYSTEM identity), the security setting of some threads is not restricted.

Malicious usage:
A malicious user logs on to the local machine as a general user, opens the threads described above with THREAD_ALL_ACCESS permission, then
1. calls NtImpersonateThread to impersonate the security context of the target thread, which turns out to be the target process token. As a result, he can get SYSTEM privilege.
2. calls SetThreadContext to point the target thread to any address (but the general registers have no effect when the target thread is in a kernel service call). As a result, the target process pops up an exception, and the system could shut down.
For a non-service target process in XP, an error report window will pop up; furthermore, clicking its "Help" pops up iexplore, and then anything can be done in the security context of the target process.

Importance:
Like the PipeUpAdmin security problem (ServiceManager predictable named pipe usage).

Test program: ptsec.exe (source is at the end). Execute ptsec.exe without parameters to see help.

Test steps:
1. Log on to the local machine as a general user.
2. Execute "ptsec.exe /d" to discover any problematic thread.
   Sample output:
   ... ...
   -------------exploitable thread 1452 of prrocess 456 (winlogon.exe)------------
   thread 1452 DACL:
   ACE0 Mask=0x001f03ff Flag=0x00000000 OSEXP\q
   ACE1 Mask=0x001f03ff Flag=0x00000000 NT AUTHORITY\SYSTEM
   thread 1452 Token: NULL( use PrimaryToken( token of process )
   ... ...
   -------------exploitable thread ??? of proocess ??? (lsass.exe)------------
   ... ...
3. Select a thread listed above, e.g. 1452, and execute "ptsec /t 1452 /i" to impersonate target thread 1452, which in turn impersonates winlogon.exe. If it succeeds, a new console pops up that runs as the SYSTEM identity. Alternatively, you can execute "ptsec /di" to automatically choose a thread to impersonate.

Source and executable file: www.geocities.com/msdev6/ptsec.zip
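The post only says the DACL grants "FullAccess"; what makes such a thread dangerous is a handful of specific bits in that 0x001f03ff mask. The following Python script is an added example, not the author's ptsec code: it takes "/d"-style output of the shape quoted above (the winlogon block is copied from the sample output; the two further blocks are constructed), decodes each ACE mask into the thread access-right names from winnt.h, and reports every ACE that hands a principal other than SYSTEM or Administrators a right that allows identity or control-flow takeover (THREAD_DIRECT_IMPERSONATION for NtImpersonateThread, THREAD_SET_CONTEXT for SetThreadContext, THREAD_SET_THREAD_TOKEN, WRITE_DAC, WRITE_OWNER). It also notes when the thread has no impersonation token, i.e. when impersonating it yields the process's primary token. The choice of "dangerous" rights and the trusted-principal list are my assumptions for an audit rule; a service author can use the same decoder to check the DACL they place on their own worker threads.

```python
import re

# Thread access-right bits from winnt.h. THREAD_ALL_ACCESS on NT4/2000/XP is
# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff = 0x001f03ff, the mask in the post.
THREAD_RIGHTS = {
    0x0001: "THREAD_TERMINATE",
    0x0002: "THREAD_SUSPEND_RESUME",
    0x0008: "THREAD_GET_CONTEXT",
    0x0010: "THREAD_SET_CONTEXT",
    0x0020: "THREAD_SET_INFORMATION",
    0x0040: "THREAD_QUERY_INFORMATION",
    0x0080: "THREAD_SET_THREAD_TOKEN",
    0x0100: "THREAD_IMPERSONATE",
    0x0200: "THREAD_DIRECT_IMPERSONATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Assumption (audit rule, not from the post): rights that let the holder adopt the
# thread's identity, redirect it, or rewrite its DACL to obtain anything else.
DANGEROUS_RIGHTS = 0x0010 | 0x0080 | 0x0200 | 0x00040000 | 0x00080000

# Assumption: principals expected to hold full control of a SYSTEM service thread.
TRUSTED_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}

THREAD_RE = re.compile(r"exploitable thread (\d+) of \w+ (\d+) \(([^)]+)\)")
ACE_RE = re.compile(r"^ACE(\d+)\s+Mask=0x([0-9A-Fa-f]+)\s+Flag=0x([0-9A-Fa-f]+)\s+(.+?)\s*$")
TOKEN_RE = re.compile(r"^thread (\d+) Token:\s*(\S+)")


def decode_mask(mask):
    """Return the names of the access-right bits set in a thread access mask."""
    return [name for bit, name in sorted(THREAD_RIGHTS.items()) if mask & bit]


def audit(report):
    """Parse ptsec-style '/d' output; return one finding per ACE that grants an
    untrusted principal a dangerous right on the listed thread."""
    findings = []
    current = None  # the thread block being parsed: {"thread", "pid", "image"}
    for line in report.splitlines():
        line = line.strip()
        m = THREAD_RE.search(line)
        if m:
            current = {"thread": int(m.group(1)), "pid": int(m.group(2)), "image": m.group(3)}
            continue
        if current is None:
            continue
        m = ACE_RE.match(line)
        if m:
            mask = int(m.group(2), 16)
            principal = m.group(4)
            bad = mask & DANGEROUS_RIGHTS
            if principal not in TRUSTED_PRINCIPALS and bad:
                findings.append({**current, "ace": int(m.group(1)), "principal": principal,
                                 "rights": decode_mask(bad), "uses_primary_token": False})
            continue
        m = TOKEN_RE.match(line)
        if m and int(m.group(1)) == current["thread"] and m.group(2).upper().startswith("NULL"):
            # No impersonation token set: impersonating this thread yields the
            # owning process's primary token (SYSTEM for winlogon/lsass).
            for f in findings:
                if f["thread"] == current["thread"] and f["pid"] == current["pid"]:
                    f["uses_primary_token"] = True
    return findings


# Constructed sample: block 1 is the winlogon thread from the post's sample output;
# blocks 2 and 3 are made up (a SYSTEM-only DACL, and a user ACE limited to
# SYNCHRONIZE | THREAD_QUERY_INFORMATION) to show what does not get flagged.
SAMPLE_REPORT = """\
-------------exploitable thread 1452 of prrocess 456 (winlogon.exe)------------
thread 1452 DACL:
ACE0 Mask=0x001f03ff Flag=0x00000000 OSEXP\\q
ACE1 Mask=0x001f03ff Flag=0x00000000 NT AUTHORITY\\SYSTEM
thread 1452 Token: NULL( use PrimaryToken( token of process )
-------------exploitable thread 1600 of process 999 (example-svc.exe)------------
thread 1600 DACL:
ACE0 Mask=0x001f03ff Flag=0x00000000 NT AUTHORITY\\SYSTEM
thread 1600 Token: NULL( use PrimaryToken( token of process )
-------------exploitable thread 1700 of process 999 (example-svc.exe)------------
thread 1700 DACL:
ACE0 Mask=0x00100040 Flag=0x00000000 OSEXP\\q
ACE1 Mask=0x001f03ff Flag=0x00000000 NT AUTHORITY\\SYSTEM
thread 1700 Token: NULL( use PrimaryToken( token of process )
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        token_note = "primary token" if f["uses_primary_token"] else "impersonation token"
        print(f"thread {f['thread']} in {f['image']} (pid {f['pid']}): ACE{f['ace']} gives "
              f"{f['principal']} {', '.join(f['rights'])}; thread uses {token_note}")
```

Run against the sample, only thread 1452 is reported: the user ACE carries THREAD_SET_CONTEXT, THREAD_SET_THREAD_TOKEN, THREAD_DIRECT_IMPERSONATION, WRITE_DAC and WRITE_OWNER, and the thread runs on winlogon's primary token. The fix on the service side is the mirror image of the rule: create worker threads with a SECURITY_ATTRIBUTES whose DACL names only SYSTEM (and Administrators if needed), never the interactive user.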