Mail Archives: cygwin/2003/06/09/00:27:13
At 07:49 AM 6/9/2003 +0400, CoolCold wrote:
>Hello Pierre,
>>
>PAH> How do you know sshd works?
>PAH> Can you telnet into the box as a normal user?
>
>coolcold AT workstation ~
>$ ssh gars AT localhost
>gars AT localhost's password:
>gars AT workstation ~
>$ id
>uid=1004(gars) gid=513(None) groups=513(None),547(Power Users),545(Users)
>so it works ;)
Yes. Stranger and stranger.
Can you sshd as coolcold (the user with uid 1003)?
Can you telnet as gars and/or coolcold?
Can exim deliver mail to gars?
>PAH> What version of Windows do you have?
>Windows 2003 Enterprise
>gars AT workstation ~
>$ cmd -c ver
>Microsoft Windows [Version 5.2.3790]
>(C) Copyright 1985-2003 Microsoft Corp.
Don't know about that one. There have been setuid problems
reported with Windows server 2003. See list.
>PAH> Does "ps -a" show that inetd has uid 18?
>gars AT workstation ~
>$ ps -a|grep 18
> 3440 1 3440 3440 ? 18 03:28:47 /usr/bin/cygrunsrv
> 2240 3440 3440 3708 ? 18 03:28:47 /usr/bin/exim-4.20-1
> 1568 1 1568 1568 ? 18 06:46:10 /usr/bin/cygrunsrv
> 3332 1568 1568 2924 ? 18 06:46:10 /usr/sbin/sshd
> 3356 3332 3356 3356 ? 18 06:46:15 /usr/sbin/sshd
> 3888 3356 3888 3980 1 1003 06:46:18 /usr/bin/bash
> 3480 3332 3480 3480 ? 18 07:39:31 /usr/sbin/sshd
>
>PAH> Does uid 18 appear several times in /etc/passwd ?
>gars AT workstation ~
>$ less /etc/passwd |grep ":18"
>SYSTEM::18:544:,S-1-5-18:/:/bin/bash
>
>>>In windows' event log I can see:
>>>Event Type: Success Audit
>>>Event Source: Security
>>>Event Category: Privilege Use
>>>Event ID: 576
>>>Date: 6/9/2003
>>>Time: 6:46:18 AM
>>>User: WORKSTATION\coolcold
>>>Computer: WORKSTATION
>>>Description:
>>>Special privileges assigned to new logon:
>>> User Name: coolcold
>>> Domain: WORKSTATION
>>> Logon ID: (0x0,0x6526FC)
>>> Privileges: SeChangeNotifyPrivilege
>>> SeBackupPrivilege
>>> SeRestorePrivilege
>>> SeDebugPrivilege
>
>PAH> That looks normal and not related to the problem.
>PAH> Wait. What happened at 6:46 am? Did you login at the console
>PAH> or did you do something else?
>this message is from "login system" command:
>gars AT workstation ~
>$ login system;date
>Switching to user system failed!
>
>Mon Jun 9 07:46:14 RDT 2003
Wait. The date above is 07:46:14. The dates below in the log
are 7:39:33 AM.
>this is from windows event log:
>Event Type: Success Audit
>Event Source: Security
>Event Category: Privilege Use
>Event ID: 576
>Date: 6/9/2003
>Time: 7:39:33 AM
>User: WORKSTATION\gars
>Computer: WORKSTATION
>Description:
>Special privileges assigned to new logon:
> User Name: gars
> Domain: WORKSTATION
> Logon ID: (0x0,0x71380D)
> Privileges: SeChangeNotifyPrivilege
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----
>Event Type: Success Audit
>Event Source: Security
>Event Category: Logon/Logoff
>Event ID: 528
>Date: 6/9/2003
>Time: 7:39:33 AM
>User: WORKSTATION\gars
>Computer: WORKSTATION
>Description:
>Successful Logon:
> User Name: gars
> Domain: WORKSTATION
> Logon ID: (0x0,0x71380D)
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: WORKSTATION
> Logon GUID: -
> Caller User Name: WORKSTATION$
> Caller Domain: WORKGROUP
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 3480
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>
>PAH> Is there anything in the application log?
>PAH> Is there anything interesting in /var/log/xxx.log ?
>mmm...nothing really.
>
>PAH> Pierre (who sees it's 11:30 PM)
>
>Best regards, CoolCold
>Time: 7.49AM, Jun 09 2003
I'll sleep over this!
Meanwhile you should find another way to become SYSTEM.
There was a recent mail from Corinna explaining how
to do it with ssh. Others are using another trick involving
scheduling run as, or some such.
Once you are SYSTEM, try running
strace login
Pierre
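The check the two correspondents are doing by hand above (matching the "Caller Process ID: 3480" in the Event ID 528 record against the `ps -a` table, where 3480 is the sshd child started at 07:39:31 under uid 18) can be automated. The following is an added example written for this page, not code from the thread or from Cygwin; the `ps` rows and the event record are constructed from the text quoted above, and the column layout assumed for `ps -a` is PID PPID PGID WINPID TTY UID STIME COMMAND.

```python
# Constructed samples taken from the thread: the relevant `ps -a` rows
# (PID PPID PGID WINPID TTY UID STIME COMMAND) and the Event ID 528 record.
PS_OUTPUT = """\
 3332 1568 1568 2924 ? 18 06:46:10 /usr/sbin/sshd
 3356 3332 3356 3356 ? 18 06:46:15 /usr/sbin/sshd
 3888 3356 3888 3980 1 1003 06:46:18 /usr/bin/bash
 3480 3332 3480 3480 ? 18 07:39:31 /usr/sbin/sshd
"""
EVENT_528 = """\
Event ID: 528
Time: 7:39:33 AM
User: WORKSTATION\\gars
Successful Logon:
 User Name: gars
 Logon ID: (0x0,0x71380D)
 Logon Type: 2
 Logon Process: Advapi
 Caller User Name: WORKSTATION$
 Caller Logon ID: (0x0,0x3E7)
 Caller Process ID: 3480
"""

def parse_ps(text):
    """Map Cygwin PID -> {"uid", "cmd"} from `ps -a` output; header rows are skipped."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0].isdigit():
            procs[int(f[0])] = {"uid": int(f[5]), "cmd": f[7]}
    return procs

def parse_event(text):
    """Turn one 'Key: Value' event record into a dict (keys and values stripped)."""
    return {k.strip(): v.strip() for k, v in
            (ln.split(":", 1) for ln in text.splitlines() if ":" in ln)}

def attribute_logon(event, procs):
    """Join a 528 logon event to the process that requested it.
    Returns (caller_cmd, caller_uid, requested_by_system, logon_type) or None."""
    if event.get("Event ID") != "528":
        return None
    caller = procs.get(int(event["Caller Process ID"]))
    if caller is None:
        return None
    # Caller Logon ID 0x3E7 is the well-known LocalSystem logon session;
    # uid 18 is SYSTEM in the /etc/passwd quoted in the thread.
    as_system = event.get("Caller Logon ID") == "(0x0,0x3E7)" and caller["uid"] == 18
    return caller["cmd"], caller["uid"], as_system, int(event["Logon Type"])

if __name__ == "__main__":
    print(attribute_logon(parse_event(EVENT_528), parse_ps(PS_OUTPUT)))
```

For the quoted data this reports that the interactive (type 2) logon for gars was requested by /usr/sbin/sshd running as SYSTEM, i.e. the ssh session, not the failed `login system` attempt.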
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/