File ACL Vulnerability Part 2

In this post, I will attempt to explain and expand on what I talked about in my previous post on File ACL Vulnerability.

ACL - Access Control List

What I previously described applied to Windows, but the same concept holds, and similar attacks could be made, against any operating system that allows more than one user to log on. There is a pretty descriptive article on Linux file ACLs on UNC's website: https://www.cs.unc.edu/cgi-bin/howto?howto=linux-file-acls. Or check out the generic MSDN article on Windows ACLs at https://msdn.microsoft.com/en-us/library/ms229742.aspx.

Expanding on the scenario discussed in my previous File ACL post, the problem extends to more than just executables with "bad" ACLs. At CanSecWest 2008, Sun Bing discussed a vulnerability in VMware where a configuration file had a bad ACL. Coincidentally, the configuration file also contained the location of one of the service executables. A regular user could then modify this configuration file and get admin privileges when the admin ran VMware. The exact details of the attack escape me at the moment, but the problem was fixed prior to Bing's talk.
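
A defensive check for this class of problem, as an added example that is not from the original post or from VMware: it audits a configuration file, and every program path the file names, for write access by anyone other than the owner. It uses POSIX mode bits on Linux rather than Windows ACLs, does not read extended ACL entries, and assumes a `key = "/path"` config syntax; `write_findings` and `audit_config` are hypothetical names.

```python
import os
import re
import stat
import tempfile

# Assumed config syntax: key = "/absolute/path" (quotes optional).
PATH_LINE = re.compile(r'^[ \t]*[\w.]+[ \t]*=[ \t]*"?(/[^"\n]*[^"\s])"?[ \t]*$', re.M)
WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def write_findings(path):
    """Explain how a user other than the owner could alter `path`."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & WRITE_BITS:
        findings.append(f"{path}: writable by group/other ({stat.filemode(mode)})")
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    # A writable directory lets a user replace the file, unless the
    # sticky bit restricts rename/delete to the owner. Only the
    # immediate parent is checked here, not every ancestor.
    if pmode & WRITE_BITS and not pmode & stat.S_ISVTX:
        findings.append(f"{parent}: directory allows replacing {os.path.basename(path)}")
    return findings


def audit_config(config_path):
    """Check the config file and every program path it names."""
    findings = write_findings(config_path)
    with open(config_path, encoding="utf-8") as fh:
        text = fh.read()
    for target in PATH_LINE.findall(text):
        if os.path.exists(target):
            findings.extend(write_findings(target))
        else:
            findings.append(f"{target}: named in config but missing")
    return findings


if __name__ == "__main__":
    # Constructed sample: a world-writable config naming a service binary.
    with tempfile.TemporaryDirectory() as d:
        svc, cfg = os.path.join(d, "service-bin"), os.path.join(d, "product.conf")
        open(svc, "w").close()
        os.chmod(svc, 0o755)
        with open(cfg, "w") as fh:
            fh.write(f'service.path = "{svc}"\n')
        os.chmod(cfg, 0o666)
        print("\n".join(audit_config(cfg)))
```

The config file is checked first because a loose ACL there defeats a correctly locked-down executable: whoever can edit the path decides what the privileged user runs.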