Page 1 of 5
#154040 - 2005-12-24 02:20 PM RUNNAS - Tokenized Runas Utility
Shawn (Administrator)
Would like to introduce a new command line tool called RUNNAS.EXE (two n's) - it's available only at KORG and you can get it here:

RUNNAS - Tokenized Runas Utility

It works much like Microsoft's standard runas.exe except for a few important features:

1) You can specify a password on the command line

2) You can tokenize the command line into a file.

3) You can execute the tokenized file.

This software is at first release and should be considered as beta. Please post any comments, suggestions or bugs to this space.

Documentation:

Code:

RUNNAS 1.14

Allows a user to run specific tools and programs with different permissions
than the user's current logon provides.

Note: This version of runnas is not guaranteed to be compatible with the
previous version. Please re-tokenize your files for added security.


SYNTAX:

runnas /user:<username> command [/password:<password>] [/noprofile]
[/profile] [/env] [/netonly] [/logononly] [/wait] [/return]
[/title:<title>] [/tokenize:<tokenfile>] [/crc] [/allowargs]
[/<token>:<value>]

runnas tokenfile [/<token>:<value>] [/args:<arguments>] [/delete]


PARAMETERS:

/user <username> should be in form USER or DOMAIN\USER.
command Command line to run. See below for examples
/password The clear-text password for the user account. If not
specified, you will be prompted for the password.
/noprofile Specifies that the user's profile should not be loaded.
This causes the application to load more quickly, but
can cause some applications to malfunction.
/profile Specifies that the user's profile should be loaded.
This is the default.
/env To use current environment instead of the user's
/netonly Use if the credentials specified are for remote
access only.
/logononly Use if command is to be run during interactive logon only.
/wait Wait for the program to finish.
/return Return errorlevel of program. Use with /wait.
/title For console processes, this is the title displayed in the
title bar if a new console window is created.
/tokenize Tokenize command line into <tokenfile>.
/crc Calculate CRC (Cyclic Redundancy Check) of command
line executable and save it to <tokenfile>.
/allowargs Allow passing additional arguments to <tokenfile>.
tokenfile The name of a tokenized command line file.
/<token> Replace command line <token> with <value>.
/args Additional <arguments>. Valid only if tokenfile was
created with /allowargs switch.
/delete Delete tokenfile when done.


NOTE: Enter user's password when prompted.
NOTE: USER\DOMAIN is not compatible with /netonly.
NOTE: /profile is not compatible with /netonly.
NOTE: Most parameters can be shortened to 3 characters.


EXAMPLES:

> runnas /user:admin mmc
> runnas /user:admin "cmd /c dir c:\ & pause" /password:xxx

Create and execute a tokenfile:

> runnas /user:admin notepad.exe /password:xxx /tokenize:notepad.tok
> runnas notepad.tok

Pass quotes inside a quoted string (using \" metachar):

> runnas /user:admin "\"c:\program files\my app\app.exe\"" /pass:xxx

Pass arguments to a tokenfile:

> runnas /user:admin "notepad.exe" /pass:xxx /tok:notepad.tok /allowargs
> runnas notepad.tok /args:"file.txt"

Replace tokens in a tokenfile:

> runnas /user:admin "notepad.exe <p1>.<p2>" /pas:xxx /tok:notepad.tok
> runnas notepad.tok /p1:myfile /p2:txt


TERMS OF USE
------------

This software is provided "as is" and "with all faults". The author
makes no representations or warranties of any kind concerning the
quality, safety or suitability of the software, either express or
implied, including without limitation any implied warranties of
merchantability, or fitness for a particular purpose.



#154041 - 2005-12-24 03:57 PM Re: RUNNAS - Tokenized Runas Utility
Les (KiX Master)
Does this have anything to do with SANUR ( http://www.commandline.co.uk/sanur/ ) no longer being supported? Mind you, I don't recall SANUR obfuscating the password.

Do you do anything to check if the executable name matches the internal name in case someone tries renaming it in an attempt to elevate one's rights? Do you check its CRC?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#154042 - 2005-12-24 04:20 PM Re: RUNNAS - Tokenized Runas Utility
Les (KiX Master)
Hmmm... I should follow my own advice that I dish out.
Instead of asking, why not just try it? How hard can it be?

The answer is EASY! Sub in another proggy and it happily runs it! DOH!

#154043 - 2005-12-24 04:26 PM Re: RUNNAS - Tokenized Runas Utility
Shawn (Administrator)
This has nothing to do with sanur or even runas for that matter. It's a simple stand-alone executable with zero dependencies. Does runas check for CRC etc.?
#154044 - 2005-12-24 04:33 PM Re: RUNNAS - Tokenized Runas Utility
Les (KiX Master)
I have not played much with the MS RunAs. Does it have an option to save the commandline complete with password? What does the /SaveCred switch do?

#154045 - 2005-12-24 09:01 PM Re: RUNNAS - Tokenized Runas Utility
Shawn (Administrator)
New version 1.1 ... fixed some command line args and added the /wait switch ... that instructs runnas to wait for the program to finish, and return the errorlevel of the started program, for example:

runnas john.doe notepad /pass:xxxxxx /wait

-Shawn
#154046 - 2005-12-24 09:32 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC (Administrator)
SWEET Shawn. I like it so far.

Have tested it on accounts with non admin privileges and the application will run but won't access areas they're not allowed to.

Have used Admin rights with different account and it runs as expected too.

As per one of Les' questions. Maybe add some code to hash/crc check that the executable has not been modified to include even a rename of the exe.

I like the idea that the tokenize overwrites the previous entry, but using a switch would it be possible to chain a couple commands?

So far it ROCKS dude.

Will test some more on Monday at work. May have to take a look at some reverse engineering some to see how easily / difficult it might be to reverse the obfuscation.

But don't think I'll get that much computing time in the next couple days.

#154047 - 2005-12-24 09:34 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC (Administrator)
Maybe some built-in RUN ONCE code too so that the tokenized file and / or EXE can / would delete itself with a 3-pass wipe? LOL I know that's a lot to ask.
#154048 - 2005-12-24 11:16 PM Re: RUNNAS - Tokenized Runas Utility
Shawn (Administrator)
Added the /delete switch when running a tokenized file. This will delete the token file when finished (thx NTDOC). Example:

runnas token.txt /delete

#154049 - 2005-12-25 05:00 PM Re: RUNNAS - Tokenized Runas Utility
Les (KiX Master)
food for thought...
Microsoft Elevated Privileges Application Launcher
it fingerprints the exe

#154050 - 2005-12-26 04:29 PM Re: RUNNAS - Tokenized Runas Utility
Les (KiX Master)
Shawn,
As long there remains the possibility that this utility can be misused to elevate one's rights, I will be on you like a dog on a postman's leg. There are way too many admins that will not think through all the security implications and unleash this utility with a tokenized file thinking that it is secure.

I don't mean to disparage DOC, but during an MSN chat, it became clear to me that he did not catch the drift of what I said in this thread and he is a smart person! In the interest of clarity, I will reiterate my concern.

When you create a tokenized file that will run AppA.exe with elevated rights, all the user needs to do is to replace AppA.exe with another app that has the same name, and it will run with the same elevated rights!

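The swap-AppA.exe scenario Les describes above is exactly the case a fingerprint check on the target binary has to catch. The example below is added here and is not RUNNAS code; its tokenfile layout (a JSON record holding user, absolute path, CRC32 and SHA-256) is a constructed stand-in, since the thread never shows the real on-disk format. It fingerprints a stand-in executable at tokenize time, verifies it, then overwrites the file under the same name and shows that verification now refuses; SHA-256 is recorded alongside CRC32 because a CRC alone can be matched by a deliberately crafted file.

```python
import hashlib
import json
import os
import tempfile
import zlib

# Constructed tokenfile model for illustration only; RUNNAS's real format
# is not described in the thread and is NOT what this code reads or writes.

def fingerprint(path):
    """Return (crc32, sha256_hex) of the file at path, read in chunks."""
    crc = 0
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            digest.update(chunk)
    return crc & 0xFFFFFFFF, digest.hexdigest()

def tokenize(exe_path, user):
    """Record the absolute path and its fingerprint at tokenize time."""
    exe_path = os.path.abspath(exe_path)
    crc, sha = fingerprint(exe_path)
    return json.dumps({"user": user, "exe": exe_path, "crc32": crc, "sha256": sha})

def verify(tokenfile):
    """Re-fingerprint the recorded path before launch; refuse on any mismatch."""
    rec = json.loads(tokenfile)
    if not os.path.isabs(rec["exe"]) or not os.path.isfile(rec["exe"]):
        return False, "recorded path missing or not absolute"
    crc, sha = fingerprint(rec["exe"])
    if crc != rec["crc32"]:
        return False, "crc32 mismatch: executable replaced or modified"
    # CRC32 is not collision-resistant; the SHA-256 comparison is the real check.
    if sha != rec["sha256"]:
        return False, "sha256 mismatch: executable replaced or modified"
    return True, "ok"

def demo():
    """Tokenize a constructed stand-in binary, then swap its contents in place."""
    exe = os.path.join(tempfile.mkdtemp(), "AppA.exe")   # constructed sample file
    with open(exe, "wb") as f:
        f.write(b"constructed stand-in for the original AppA.exe\n")
    tok = tokenize(exe, "DOMAIN\\admin")
    before = verify(tok)
    with open(exe, "wb") as f:                            # same name, different program
        f.write(b"constructed stand-in for a substituted program\n")
    after = verify(tok)
    return before[0], after[0]   # (True, False)
```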
#154051 - 2005-12-26 04:57 PM Re: RUNNAS - Tokenized Runas Utility
Les (KiX Master)
Was thinking... the UserID is saved in the tokenized file as the human readable name and not the SID of the account. This can be a good thing in the case of local accounts that would have different SIDs but I wonder if there may be a desire to force it to the SID instead? Maybe an optional /SID parm?

I cannot think right now of how someone might abuse this, but just because I'm paranoid, doesn't mean someone is NOT out to get me.

#154052 - 2005-12-26 06:17 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC (Administrator)
Les,

Correct was not thinking of your concern. Was thinking more in the terms of a user making a copy of the file, renaming it and then using it on his/her system with copies of tokenized files until he/she was able to inject their own program, but your concern is actually much more likely.

I suppose I'm too used to analyzing from a more advanced level.

As for the UserID being in the tokenized file as plain text not sure where you saw that. I'm certainly not seeing anything like that here.

Well think Shawn has some good ideas about CRC checking the executable and if possible even the path.

Told him to also include some semi-legal disclaimers along with the utility and even inside the utility because you know sooner or later someone is going to try and abuse the tool on purpose like a butt-head. Just like they did with WSH - actually a nice tool but then the scripting kiddies thought it would be cool to damage people's stuff with it.
#154053 - 2005-12-26 06:27 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC (Administrator)
Shawn I was unable to run network accounts with the password stored in the tokenized file. It prompts for the password.
#154054 - 2005-12-26 07:05 PM Re: RUNNAS - Tokenized Runas Utility
Shawn (Administrator)
I'm coding in the CRC check and some other things ... the command line is starting to become a little "complex" ... will probably have to re-structure the command line args ... so until the next version comes out ... let's re-try the network account thing then ... the tokenized file format will be changing then as well.
#154055 - 2005-12-26 07:42 PM Re: RUNNAS - Tokenized Runas Utility
Les (KiX Master)
DOC,
Did not mean for you to infer that the UserID was stored in clear text cuz it ain't but the human readable form of it is what is tokenized, not the SID of the account.

#154056 - 2005-12-26 07:46 PM Re: RUNNAS - Tokenized Runas Utility
Les (KiX Master)
Shawn,
Since this util most likely will go through many iterations, there is a probability that the tokenized parm file will not always be backward compatible so I might suggest you write the version to the file and then check it at runtime.

#154057 - 2005-12-26 08:23 PM Re: RUNNAS - Tokenized Runas Utility
Shawn (Administrator)
I agree Les but I think it would be easier (on me) if the token file could remain in flux until this util stabilizes a bit. I always wondered why Ruud could (would) never keep the Kixtart tokenized file versioned - now I understand why.
#154058 - 2005-12-26 09:17 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC (Administrator)
Okay it may be a command line parsing issue because I can get some tasks to run using network credentials.

As for the algorithm for the obfuscation it is not a basic number flipping routine and the average desktop user will not be reverse engineering it. That is not to say that someone with more advanced computer skills that takes on the task of trying to beat it won't figure it out in time.
And one could also run this through an advanced debugger and extract the code.

As with any tool like this, caution should be used when and where used.
#154059 - 2005-12-27 06:13 PM Re: RUNNAS - Tokenized Runas Utility
Shawn (Administrator)
New version with fix in regards to specifying domain accounts. Added the /user switch to make it more compatible with Microsoft runas.