legend

Access Manager - A very useful tool for users in a domain

18 posts in this topic

Today I came by a freeware tool named Access Manager.

It will allow standard users to evaluate a UAC prompt with administrator rights, without the need to log in as the administrator user.

How that is possible, I have no clue.

It's meant for:

Let's say you work in a company as an IT guy, and your users aren't administrators on their machines, because of all the security risks. This tool allows your non-admin users to click on a tray icon, and then they gain admin rights for 2 minutes, so they can install their third-party tools in those 2 minutes, and then they will be back to their normal rights again. This does not require the user to log off and in again; they simply click the tray icon, and they will have admin rights.

Try to make a script that uses #requireadmin on a standard user, and run it. Then click the tray menu from Access Manager, and run the compiled file again; you will be able to log in with the password of the standard user, and it will run the compiled script with admin rights.

Does anyone have any clue how this is even possible?

 

Site: https://nolightpeople.com/downloads


@legend you have been around long enough to know that General Help and Support is not the forum if you don't actually have a question about AutoIt. Moved to a more appropriate spot. 



Sorry about that, my mistake.


I would be interested in the GP changes made, and what attack vectors this is creating. If you have a tool that bypasses UAC, you don't have UAC, imho. However, there are some smart folk from the community around that project so it will probably enjoy great scrutiny.



Jesper Nielsen, Thomas Marcussen, and Per Larsen (may just be an advocate and not a participant), should already be followed on Twitter if you have to deal with deployments and SCCM. They are legit (writing the site in Danish and letting Google translate it might be better than the grammar errors), however I would really want to diff some systems to see how this mechanism is being enacted, for damn sure prior to deploying it on an Enterprise.



#8 ·  Posted (edited)

8 minutes ago, JohnOne said:

Looks like it just temporarily adds the user to local admin group.

As far as I know, that is what it does, but shouldn't that require admin rights 0_o?

 

If I try to add my standard user from cmd (being logged in as the standard user), I get access denied:

net localgroup administrators test /add

 

This tool seems to be able to do it without administrator rights, I'm not sure how.

Edited by legend


#10 ·  Posted (edited)

1 minute ago, JohnOne said:

Access Director is most likely running as system account or another admin account.

I'll stop thinking that if you tell me you don't need admin rights to install it.

JohnOne, thanks for pointing me in the right direction. Of course, that must be the answer: it requires admin rights to run.

So what it does when you install it with admin rights is grab the password, probably as a hash from the local administrator, and it will then use it to add the standard user to the administrator group. That is most likely how it works, I can imagine.

Edited by legend


Sounds like something any good IT department would delete as soon as they got wind of it. I sure as hell wouldn't let this anywhere near the domain I'm on, and I'd probably get fired if I was stupid enough to install it.



#12 ·  Posted (edited)

BrewManNH, all our users are local administrators, they have always been that, even though it's a big security risk.

This tool can help the users still be able to install the software they need, but 99,9% of the time, they won't be administrators.

I see what you mean, but in our case, it could probably be a good thing. (I'm not interested in using the tool, but I'm gonna re-create it myself.)

Edited by legend


I know of another software that does something similar.  It allows non-admin users to be granted certain administrative tasks, but restrict others (think whitelist). The software I am familiar with does not rely on the local admin group for such tasks; that's just a terrible idea.  

Anyways, I'm not a fan of such software either. It was WAY too easy for me to figure out how to launch another process from the first one with elevated rights. It all comes down to implementation.


#14 ·  Posted (edited)

I would assume it is doing something a tad more legit than password scraping or passing the hash.

I think I have an issue with the larger mentality that it is better to restrict users and give them an app that elevates them, rather than give them two sets of credentials and educate them about the usage and monitoring of the privileged authentication events. UAC is merely forcing you to have the discussion you should have been having with your users since forever.

I would also want to limit test the length, because any process that launched from a process launched as administrator, can also carry that token.  So I could potentially launch something like cmd or powershell and persist my abilities?

Edited by iamtheky

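Added example, not part of any post in this thread and not the tool's own code: if the tool works the way the thread guesses, by temporarily adding the user to the local Administrators group, each elevation leaves Security-log events 4732 (member added) and 4733 (member removed), which can be paired to check how long each window really lasted. It assumes Security Group Management auditing is enabled; the function name, the record field names and the sample records are constructed for illustration.

```powershell
# Pair "member added" (4732) and "member removed" (4733) events for the
# built-in Administrators group (S-1-5-32-544) into elevation windows.
function Get-ElevationWindow {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [timespan] $MaxWindow = [timespan]::FromMinutes(2)   # the limit described in the thread
    )
    $open = @{}                         # MemberSid -> time of the pending add
    foreach ($e in $Events | Sort-Object TimeCreated) {
        if ($e.GroupSid -ne 'S-1-5-32-544') { continue }
        if ($e.Id -eq 4732) {
            if (-not $open.ContainsKey($e.MemberSid)) { $open[$e.MemberSid] = $e.TimeCreated }
        }
        elseif ($e.Id -eq 4733 -and $open.ContainsKey($e.MemberSid)) {
            $start = $open[$e.MemberSid]
            $open.Remove($e.MemberSid)
            $length = $e.TimeCreated - $start
            [pscustomobject]@{
                MemberSid = $e.MemberSid; Added = $start; Removed = $e.TimeCreated
                Status    = if ($length -gt $MaxWindow) { 'TooLong' } else { 'Ok' }
            }
        }
    }
    # Adds never followed by a removal: the account is still a local admin.
    foreach ($sid in $open.Keys) {
        [pscustomobject]@{
            MemberSid = $sid; Added = $open[$sid]; Removed = $null; Status = 'StillAdmin'
        }
    }
}

# Constructed sample records (not real log data). On a live host the same shape
# comes from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732,4733},
# taking MemberSid and TargetSid (the group's SID) from each event's EventData.
$t = [datetime]'2024-01-15T09:00:00'
$g = 'S-1-5-32-544'
$sample = @(
    [pscustomobject]@{ Id = 4732; TimeCreated = $t;                 GroupSid = $g; MemberSid = 'S-1-5-21-1111-2222-3333-1001' }
    [pscustomobject]@{ Id = 4733; TimeCreated = $t.AddSeconds(90);  GroupSid = $g; MemberSid = 'S-1-5-21-1111-2222-3333-1001' }
    [pscustomobject]@{ Id = 4732; TimeCreated = $t.AddMinutes(5);   GroupSid = $g; MemberSid = 'S-1-5-21-1111-2222-3333-1002' }
    [pscustomobject]@{ Id = 4733; TimeCreated = $t.AddMinutes(15);  GroupSid = $g; MemberSid = 'S-1-5-21-1111-2222-3333-1002' }
    [pscustomobject]@{ Id = 4732; TimeCreated = $t.AddMinutes(20);  GroupSid = $g; MemberSid = 'S-1-5-21-1111-2222-3333-1003' }
)
Get-ElevationWindow -Events $sample | Format-Table MemberSid, Added, Removed, Status
```

A short window in this output does not mean the elevated rights ended with it: a process started during the window keeps its token after the account is removed from the group, which is the concern raised in the post above.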

#15 ·  Posted (edited)

Grabbing the hash or the clear text password would be shady, during the installation that requires admin rights. I'm just not sure how else it should be possible to do it.

 

Edited by legend


I don't believe it's "Grabbing" anything, rather creating an admin account during setup, or running as a service, or has a service helper.

Anyway, I'd be surprised if many corporate environments with an admin boss who has more than a couple of brain cells would employ this. You might as well just have all users admin with UAC enabled and ask them to run things as admin cautiously.

If you cannot trust your employees to be security competent, then allowing them only non-admin is the only thing to do.

A competent admin should be installing any software they might need.



If this software has found a way to gain admin rights in some way other than an entirely above board fashion, (which I'm sure some people think it does) I'm sure it would be patched by now, and if not, soon.



Stupid me for thinking they were grabbing the password, your post makes a lot more sense on how they probably did it.

Again, thanks a lot :)
