Tools that allow one to run a program as other user without giving password each time

Discussion in 'other security issues & news' started by MrBrian, Mar 7, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I am looking for programs that allow one to run a given program as a different user account without supplying the account password each time. Why might one want to do this? Some scenarios: 1) Start a given program as admin while running as standard user 2) Allow a standard user to run a given program as admin without ever giving the user the admin password 3) Start a given program under a user account that is even more limited than a standard user account (an approach for this is given at https://www.wilderssecurity.com/showpost.php?p=1559091&postcount=39)

    Here are the programs I've found so far:
    a) Steel RunAs - v1.2 is the last freeware version; latest version is shareware
    b) CPAU
    c) RunitAs
    d) RUNASSPC
    e) Encrypted RunAs - not free

    One feature to look for is whether the program obfuscates the provided credentials to prevent roving eyes from seeing it.

    I plan to try Steel RunAs v1.2, which is still available, although not at the author's site.

    If anybody knows of any other tools or techniques, please tell.
     
  2. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    You could try AutoIt_v3 and compile an exe- i think it uses a packer
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Re: Tools that allow one to run a program as other user without giving password each

    It has been some time now since I was looking into this, but as I recall there was no real nice way to get XP runas to work with a password provided, it always prompts. I believe maybe vista/7 has changed this, but I have not looked into it.

    I made a tool somewhere that you enter in the username/pw and it encrypts it to an .ini file, then will RunAs that user. If you would like I can dig it up and revisit it.

    I have used CPAU and it does work. I just liked to have it encrypted. SuRun had a link somewhere to a test to see if you pass a username/pw if it can be detected. Most methods can be detected (in other words you can retrieve the uname/pw, in a malicous way) but SuRun is effective to stop this. I was happy to see that my encyrption method also was effective to stop this.

    There are a few options you could use to get around this issue really.

    Sul.
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you all for the suggestions.

    Here are some more related tools that I found:
    ADVrunas - not free
    BytesRoad SafeLauncher - not free
    Impersonator - not free
    Lsrunas
    Lsrunase - not free
    MyRunAs
    TqcRunas - not free
    RunAs Professional - not free

    I still plan to try Steel RunAs v1.2 first, and if that doesn't work out then I'll look into other tools mentioned in this thread. I found v1.2 at the "Server 2" link at http://www.freewarefiles.com/downloads_counter.php?programid=26832.

    CPAU, from what I have read, apparently has problems in Vista or later.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Try securerunner http://download.cnet.com/Secure-Runner/3000-2094_4-10809519.html

    It encrypts admin password. I have it installed for use in my admin account only.

    Steps
    1. Add admin account password
    2. Add programs allowed to run as admin
    3. Start service
    4, Add quick links/shortcuts for a specific user (it only sees menu start, quick start, but yoy move them later)
    5. Reboot


    Since it is old software I would make a image copy before trying.
    Regards Kees
     
    Last edited: Mar 9, 2010
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here are my experiences with the tools that I've tested so far (on Win 7 x64):

    a) Steel RunAs v1.2
    Pros: target program hash check will prevent launching of targets that have changed; uses no services; generates encrypted credential file in .exe format, and thus isn't necessary to install Steel RunAs on target machine; different credentials can be used in different encrypted credential files
    Cons: because target hash check is mandatory, when the target changes, will have to regenerate the encrypted credential file; latest version isn't freeware anymore; security isn't top notch because the credentials are embedded within encrypted credential file and at some point will exist unencrypted in memory that the target user has read access to; have to specify credentials for every encrypted credential file created
    Evaluation: maybe will keep it around for one-time target program usage scenarios but will not be my primary tool because of the mandatory target hash check

    b) RunasSpc v2.08
    Pros: hash check on target program is option that can be turned on or off; uses no services; can pass credentials in the clear if you don't want to use encrypted credential file; different credentials can be used in different encrypted credential files
    Cons: use of non-executable encrypted credential file requires RunasSpc to be present on target system; brief presence of command window while launching programs is noticeable; security isn't top notch because the credentials are embedded within encrypted credential file and at some point will exist unencrypted in memory that the target user has read access to; have to specify credentials for every encrypted credential file created
    Evaluation: may be my primary tool
    Note: the /quiet switch is useful and isn't a default

    c) Secure-Runner v0.5 (Hat tip to Kees for the suggestion)
    Pros: no hash check of target program (which can be good or bad); security of solution may be good, because it's claimed that a limited user cannot read encrypted credentials; has option to replace existing start menu shortcuts, which makes administration quick and easy; have to provide credentials only once
    Cons: no hash check of target program (which can be good or bad); uses a service; there is something strange going on in how a launched program runs, because I noticed differences in the launched program's info in task manager (no info present for some items, such as user name), and also experienced unacceptably large slowdowns in the launched program's file dialog boxes; start menu shortcuts that appear on all user accounts are not listed and thus can't be replaced from within Secure-Runner; can use only one credential
    Evaluation: is promising and would like to use it as primary tool but the strange process issue noted above and also lack of start menu shortcuts for all users keep me from using it

    d) RunItAs v1.0
    Pros: no hash check of target program (which can be good or bad); uses no services; different credentials can be used in different encrypted credential files
    Cons: no hash check of target program (which can be good or bad); use of non-executable encrypted credential file requires RunItAs to be present on target system; security isn't top notch because the credentials are embedded within encrypted credential file and at some point will exist unencrypted in memory that the target user has access to; have to specify credentials for every encrypted credential file created; generated shortcuts point to wrong RunItAs program folder on Win 7 x64 due to path hardcoding; RunItAs executable causes UAC elevation prompt, which is bad because RunItAs is run on every target program launch
    Evaluation: I may use this as my primary tool, if the UAC elevation prompt for RunItAs can be suppressed (using techniques which I have read about but not tried yet)

    e) SuperExec v3.0.1.237
    Note: SuperExec is somewhat similar to Secure-Runner. I would like to have tried it more, but SuperExec stopped responding every time a target program was launched.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Note to Vista and above users: providing admin credentials with these tools allows you to avoid UAC prompts for launched programs run with admin credentials! :D
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You tested that with Steel Run AS?

    Would be great, I will try to use it on CCleaner on my brother in law's Windows 7
    (have to rename CCleaner and replace the exe in the original directory)

    I like steel run-as also, you only need an icon extractor to add the correct icons
    :thumb:


    There is one down side, programs which update themselves (like Hitman Pro) change their CRC also
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, the UAC prompts are bypassed with all of these tools, except for RunItAs, because RunItAs itself needs to elevate (why RunItAs needs to do so is an issue that I didn't explore).
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That's why I don't plan on using Steel RunAs as my primary tool.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Re: Tools that allow one to run a program as other user without giving password each

    Is it not the concern using RunAs tools that when passed the credentials, a malicious entity could capture them? I believe that was an article of contention put forth by SuRun somewhere. So for top notch security, you would want one that achieves this. Providing of course that is a concern to you...

    Sul.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Re: Tools that allow one to run a program as other user without giving password each

    Yep, but some of them (the ones I tried) either encrypt the password and limit the target user (Sucure Runner) or create an executable which uses an algorithme to has the password with teh CRC value of the target file (Steel Run-As).

    Secure Runner really encrypts, so that is 'safe'. Steel Run-As could theoretically be reversed engineered to understand how the CRC of the target executable is used to obfuscate the password. Still you need the determine algorithme and the location of the target executable. This is two spades deep boundery in combination with the deny execute SRP of the LUA user makes it safe enough for me (having the comfort of Admin access).
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Re: Tools that allow one to run a program as other user without giving password each

    Yes it would be a concern for most of the above tools, because the credentials, at time of target program launch, need to be decrypted (if they are encrypted) in order to be passed on, I assume. I don't think it would be a concern for Secure-Runner though because I assume the decryption and passing is taking place in Secure-Runner's service.
     
    Last edited: Mar 10, 2010
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A note about RUNASSPC: during target program startup, you can avoid the brief presence of the RUNASSPC window by specifying that RUNASSPC starts minimized in a shortcut to RUNASSPC that launches a target program.
     
    Last edited: Mar 11, 2010
Loading...
Thread Status:
Not open for further replies.