USB Stick of Death: Not Really Low Severity

by kriggins on October 22, 2012

in Uncategorized

On October 21st, 2012, Mateusz “j00ru” Jurczyk published a blog post describing an exploit he developed that allows a privilege escalation attack on Windows 7. The attack leaves the attacker with SYSTEM level permissions on the machine. SYSTEM is the highest level of permissions one can have, even higher than administrative permissions.

You can read the details about the exploit here. I suggest you do read it. It is very interesting.

In the post the following statement is made:

...requires the attacker to obtain physical access to the machine and have a local user in the system. Consequently, the only scenario in which it might be a problem security-wise is a local computer shared between multiple users with restricted privileges (e.g. schools, universities, hostels) and thus has been rated as low-severity by both us and MSRC,...

Let's see. Where else might this be of concern? How about any organization that restricts its users from having administrative privileges on their workstations.

Wait, you mean there are places that enforce least privilege on their users?


I work for one. I also know of several government entities that also restrict administrative privileges for most users.

Color me crazy, but I'm pretty sure those organizations would not consider the ability to easily elevate privileges as a "low-severity" vulnerability.

Just sayin'.

What do you think?



LonerVamp October 23, 2012 at 12:17 pm

It’s been my observation that most Elevation of Privilege issues in Windows components, specifically OS-wide components, score a 7 on the CVSS by default, and adjust from there. (A recent SharePoint one dropped just under, and most score just over.) A score of 7 on the CVSS will roughly equate to a “high” in PCI auditor eyes, which means it must be fixed or mitigated. That’s pretty important.

Besides which, I agree fully with your practical assessment. Every one of my Windows 7 systems can now be rooted. If someone knows how to root it, they know how to pilfer admin rights (most likely shared amongst whole departments if not the whole business) or trick an admin into walking over and logging in for some help. This is a Big Deal in being able to trust the systems in your internal network.

