Shattering Windows

ChrisPaget writes: "I've just released a paper documenting and exploiting fundamental flaws in the Win32 API. Essentially, they allow you to take control of any window on your desktop, regardless of whether that window is running as you, localsystem, or anywhere in between. The technique has been discussed before, but AFAIK this is the first working exploit. Oh, did I mention it's unfixable?" You may want to read this CNET interview with Microsoft security head Scott Charney to learn even more about "trustworthy computing."

Someone discovered Windows is insecure.

[SpanishInquisition]

Film at 11

Re:Someone discovered Windows is insecure.

Oh fuck Signal 11 is back.

+5 for this shit?

Welcome home lover, k5 really is boring.

Re:Someone discovered Windows is insecure.

[tabby]

Court case at 11

Re:Someone discovered Windows is insecure.

[langed]

Hello and welcome to /. News! It's now 11pm!

This article, referenced in the M$ email in the article, points to 10 points on security.

• Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
• So, unless I run Linux or BSD or some other OS, "Uncle Bill" owns my computer! Yay...
• Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
• For the sake of this argument, assume Microsoft is a "bad guy". So, if I run some operating system (say, MacOS or Solaris) and it runs IE and supports DirectX, and DirectX is used to execute code to write to some important files in the System Folder, then I've lost possession of my computer.
• 
  Or what if some administrator is feeling a little frazzled and puts up something malicious on windowsupdate.com?
• Law #4: If you allow a bad guy to upload programs to your web site, it's not your web site any more.
• Remind me again about that <INPUT TYPE="file"> form submission tag, and why it should ever be used? Or implemented in the first place? I can just see somebody using IIS and having a form for uploading files getting compromised because he/she received an infected program or a trojan.

I wonder if they should have considered this last law before pulling their maneuvers:

• Law #9: Absolute anonymity isn't practical, in real life or on the web.

They knew we'd all find out, right? :)

I could see some extreme potential for anti-M$ FUD here. Or at the very least, some obnoxious lambasting with cold facts!

Re:Someone discovered Windows is insecure.

[ichimunki]

In #4, you're missing an end italic tag somewhere I think... but either way your point is not well made, and for once MS says something intelligent. They just don't say it very well.

The INPUT/file tag is fine. It *should* be implemented. How the heck am I going to submit files via web form without it? Only the truly fool-hardy would execute those uploads on the server though. And in that same vein, those files should *never* be stored with executable permissions.

Re:Someone discovered Windows is insecure.

[DickBreath]

>>Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
>So, unless I run Linux or BSD or some other OS, "Uncle Bill" owns my computer!

Soon you won't be able to run Linux or BSD. Since the bad guy seems to be having less and less success "persuading" people to run his evil program, he has to find other means to make your computer into his computer. Best way to do this: subvert the hardware. (i.e. Palladium)

Re:Someone discovered Windows is insecure.

[DickBreath]

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.

Isn't this referred to as Windows Update? (You know, where a bug fix or security patch is used as a weapon or extortion to coerce you into giving unsupervised remote root access to your comptuer in the future, permission to disable other software, etc.)

When I was in school, (a long time ago in a galaxy far far away..., when I saw Star Wars 37 times my first semester, and we're talking first release) there was a policy about computer abuse. One of the things I recall it mentioning was that unsupervised remote private access to a computer tends to invite a certian level of abuse.

Re:Someone discovered Windows is insecure.

[langed]

Indeed. I thought WindowsUpdate was a little too obvious and easy. The same goes for the alleged "callback" in winXP, because both of these examples already takes away your possession of your computer by Law #1. After all, if you assume M$ is a "bad guy" and you run their OS, then you've already lost possession.

QED, or something like that.

Re:Someone discovered Windows is insecure.

[langed]

Yep. I missed the tag. When doing the preview, I was more interested in making that tag look right than proofreading that particular bulleted item.

As for the file tag, if it's a standard, okay... Well, a little experimenting shows that Netscape Communicator renders it okay, but it doesn't appear to function.

But my point was meant thusly:
Thousands of machines on the 'net are running IIS and the owners/operators are not aware of it because it was installed by default. The same goes for PWS (the Personal Web Server) on win9x. Now, suppose that we have a form on said Windows box, placed by the default installation or some cracker. And websurfers find the box, either by a link on the page by the original cracker, or by a search engine hit. Finally the surfing user submits a file that is infected.

Sounds contrived, I know, but where there's a will... Look at it this way:
John Q. Cracker gets a two-week notice of his termination. He noted long ago that PWS is installed on his win98 workstation, but it had never been used. So he simply drops a registry key in and points it to some directory publicly accessible via the webserver. He also puts in a short, simple form with a file tag, and a dummy executable to prevent an error on startup. In so doing, he has effectively created a backdoor for himself.
Now, when he's gone home and gone on to another job, he can then upload some program or other (say, a windows telnet server, or packet sniffer) via the form, and waits. Once that windows box is rebooted, he has access to his old box at his former workplace. With no logging functionality, the Windows box can't reliably indicate that he did this or when, and certainly can't provide proof that John was the one who did it. Thus he now has access to the network of the old workplace, to launch attacks, to retrieve information, for corporate espionage, etc. And the only recourse the former employ has is to reinstall windows on the machine--if they ever find out it was compromised.

This could be prevented if the WinXX OSes had specific file permissions to prevent execution, but I'm quite certain that win9x does not, and I'm fairly confident that NT,2k,XP don't either. (Well, technically files marked "System" can't be executed trivially, but this is an antiquated kludge and isn't used for much of anything these days--and since "system" files appear to be hidden from the casual user, it wouldn't be particularly useful for a webserver to set the system attribute on a file to prevent its execution.)
So it's not really the point that the foolhardy would do it and others would not. It's more the point that *it can be done*, and with minimal effort; that should be prevented. Disabling the "file" tag would be a possible barrier to prevent it.
As long as we have Windows machines running webservers, we have no line of defense against this simple intrusion example...Unless the next version of windows supports a filesystem with ownership and permissions at least as comprehensive as the average unix-based OS. NT on ext2 would be a step up--in security, if not performance. (Heck, then they could get rid of the disk defragmenter too! Consider the millions of users who've never discovered or used the defragmenter...)

And on a more personal note.... I've nearly been thrown out of my university on numerous occasions because I happened to use some tool or other in a fashion other than it was intended, and demonstrated an exploit. The sysadmins reported me repeatedly and I've gone through expulsion hearings, even though I reported my findings to the admins. I was, at the time, of the opinion that they should thank me for pointing out a problem. They saw me as a threat that should be closely monitored to gather evidence, and then eliminated. So you see, prevention is an ideal we strive for....

HTH. HAND. :)

Re:Someone discovered Windows is insecure.

[ichimunki]

I didn't intend to imply that anyone should use a Microsoft product when perfectly good alternatives are available. However, their advice in this case is sound... the problem is not with the HTML standard though, which you seemed to be saying. Unless your web site needs the ability to accept files, this option *should* be turned off at the server. And if you are writing Perl/CGI you probably want to consider using CGI::Safe, which will turn this off as a default, and provides some assistance in preventing certain overruns as well.

And to further defend MS (and I'm not happy to be doing so at all), on Windows 2000 (which I use at work, and not really by choice at this point) each file appears to have permissions settings for "Full Control", "Modify", "Read", "Read & Execute", and "Write". Additionally, folders/directories have a "List Folder Contents" item. All of these appear to be controllable (accept or deny) at the user level. I have never worked with this, though, so I don't know how it looks in practice. But on the surface it seems very similar to Unix-style permissions-- in fact, it might be something of an improvement.

I'm not sure how any of your example situations are problems for me or my machines, except that there do seem to be a number of compromised MS hosts out in the wild. That the people who choose Microsoft technology then find themselves unable to securely manage such technology (which is basically the generic situation you've posited) is, to me, almost poetic justice.

I am sorry to hear that your independent security auditing got you into so much trouble at school. Schools are notoriously difficult places when they think their policies have been violated-- and often their policies are senseless, arbitrary, and designed for either the lowest common denominator or to please some vocal special interest.

Jeez

[roguerez]

That's really OLD. Like >15 years or so. It's not comparable at all to X-Windows where the clients run on a multi-user system.

Re:Jeez

Actually X doesn't care where the clients come from. This is a similar situation to X events. However X11 is more secure because you can tell when an event is synthetic (made by another client) rather than one generated by the trusted server. However, you can't tell which client made the event... there is no ownership or authentication scheme for events. However you can deny clients the ability to connect to the server even if they are on the same system (MIT magic cookies).

Re:Jeez

[roguerez]

Perhaps I wasn't clear. What you are saying is not my point. I mean that when you're using Windows, all Windows are yours by definition, since it isn't really multi-user, so the 'vulnerability' point is moot.

Re:Jeez

[Newander]

The windows aren't yours by definition because if you're an unpriviledged user, and Virus Scan(from the article) is running as a priviledged user, you can hi-jack that widow and execute arbitrary code(as stated in the article).

take a look at inetmib2.dll

[jrexilius]

another flawed API that is not fixable..

Re:take a look at inetmib2.dll

i looked at it, and got a spider-man boner. give me more!

Isn't this in the EULA anyway?

[Dynamoo]

"Essentially, they allow you to take control of any window on your desktop".. sounds like it's straight out of Microsoft's new EULAs.

Re:Isn't this in the EULA anyway?

[MaggieL]

And note the observation in the reply from MSFT:

"In our essay,the "Ten Immutable Laws of Security", these are Law #1-- 'If a bad guy can persuade you to run his program on your computer, it's not your computer anymore'".

Of course, MSFT isn't a "bad guy"...oh, wait... they were convicted, weren't they?

I guess if you apply XP SP1 it's not your computer anymore...

Re:Isn't this in the EULA anyway?

[kavau]

You're right: It's not a bug, it's a feature!

Take control?

[Corvaith]

Does that mean that you could make them all stop crashing? Please?

I'm on reboot #26 today. And this with the supposedly stable Windows XP. Trustworthy computing--I can't even trust it to /run/. I have no illusions about it being secure.

Re:Take control?

[Moridineas]

Why on earth is it crashing? Check your event logs. That should NOT be happening--sounds for sure like a hardware failure.

Here's the output from the "systeminfo" command on my work computer fyi:

Original Install Date: 3/15/2002, 11:24:37 AM
System Up Time: 60 Days, 6 Hours, 36 Minutes, 21 Seconds

Re:Take control?

You must be so full of shit that its oozing out of your ears. I have been running XP since early beta days and Ive only had to reboot due to a crash 1 time and the core OS didnt actually crash it was a DirectX game crash and the desktop wouldnt recover. I attribute this to a combination of a bug in the game and a bug in the display drivers because I have had the game crash since then but with newer drivers and it recovers fine.

Re:Take control?

[Tassleman]

You're either full of shit or have some bad hardware in your box. Alternatively, you could just be incompetent or want to join in on the MS bashing with all the others. Either way, BS.

Re:Take control?

[Stonehand]

How the hell is the parent post "Redundant"? Is a moderator simply so narrow-minded as to want to slap-down any post which posits an explanation why a system might seem incredibly unstable instead of assuming that it's always Microsoft?

And yes, if it's crashing 26 times in a day, the obvious suspects are (a) bad hardware, (b) severe misconfiguration caused by manually editing the registry, mangling system files, et al, (c) worms, trojans and viruses, (d) a VERY badly written OS (and WinXP != DOS or Win9X...).

Re:Take control?

I wondered where all my bad luck went today... I've only had to rebood 4 times.

Re:Take control?

Wow! If it works for your system then anyone else who it doesn't work for must be a liar!

Jerk. (it crashes for me too)

Re:Take control?

[Steve+Franklin]

Depends on what you mean by "bad hardware." If you mean hardware that XP hasn't been well designed for, you may be right. I have had similar problems, specifically, an external serial modem that XP loses track of when I reboot, and a SCSI card it intermittently loses the driver for. I haven't had the kind of constant crashing I had with 98SE--but considering how long this series of OSes has been around, that's not saying very much--and I do have to reboot every now and then because it loses track of the location of the IP address server. Don't even get me started on why they rewrote the USB part of the OS so every USB equipment manufacturer had to extensively rewrite their drivers.

Get back under your bridge.

Re:Take control?

[MORTAR_COMBAT!]

completely agree. nearly ever XP and 2K blue screen i had was due to:

1) faulty hardware, e.g., bad memory chip
2) incredibly bad driver (which admittedly shouldn't crash the OS... but that's another discussion)
3) incredibly, incredibly bad software (which again shouldn't crash the OS... but that's yet another discussion)

Re:Take control?

bah. thats nothing.
check mine out.
Original Install Date: 2/1/2000, 01:42:37 PM
System Up Time: 700 Days, 8 Hours, 4 Minutes, 15 Seconds
C:\> ver

Windows 98 [Version 4.10.2222]

Re:Take control?

[Archfeld]

Man it must be nice being omnipotent. There are numerous reasons for this, maybe it was just one of the 20% of M$ boxes that improperly install for no apparent reason. Personally I kind of like WIN2k (*ducks*), but there are loads of issues that can cause the system to be very unstable, from OEM patch problems, to software driver incompatabilities, to of course as you mentioned an Ignoranus running the machine. I've seen disk rom cause XP to fail when trying to write a full buffer, which took more than 2 months to surface, and many hours of tracking down.

Re:Take control?

[crunnluadh]

Get real. 26 crashes a day is not even anywhere close to being the truth. I run Linux, *BSD, and various windows and never have I had any of them crash more than 5 times a day. Even then it was a faulty app or hardware. Troll!

Re:Take control?

At least MS Office will let you set the autosave feature to run every 60 seconds.

I've still crashed it three times in a row before the autosave ran once. Way to go!

Re:Take control?

Wow, 60 days of uptime! I'm seriously concerned for your system as you are probably missing the last dozen or so security fixes.

Re:Take control?

Maybe I'm wrong, but isn't 3/15/2002 + 60 days something less than AUGUST 6th???

Either someone's 1)trolling/lying or 2)doesn't know how to set the system clock.

-JT

Re:Take control?

[1010011010]

Every blue screen on win2k pro I've ever had was a direct result of an ISAPI filter apparently crashing the kernel.

I'm not kidding. I was developing the filter, and in its early stages, it had memory leaks, dangling pointers, double free()s, etc. Blue screens! By killing the web server! Wow!

Re:Take control?

[MORTAR_COMBAT!]

Every blue screen on win2k pro I've ever had was a direct result of an ISAPI filter apparently crashing the kernel.

your first mistake was using a kernel-privileged web server (IIS).

I was developing the filter, and in its early stages, it had memory leaks, dangling pointers, double free()s, etc.

your second mistake was writing bad code.

but i'll agree that writing bad code shouldn't crash the OS. but when you're developing on windows, that's the modus operandi (sp?). but who am i to kvetch? i learned my C code on UNIX, where i got segmentation faults, bus errors, all kinds of evil crap, and the program terminated, and the OS chugged along.

but try playing a bit with framebuffer programming on linux, and see how fast you bring down the OS :)

Re:Take control?

60 days? That is astroturfing. The NT kernel had a 52 day rollover problem.

Re:Take control?

Nearly every leaky roof was due to rain!!!!!!!!!

Re:Take control?

[dangermouse]

Pray tell, how are points 2 and 3 separate discussions? Windows XP is an operating system, ostensibly. If it lets applications throw it to the ground whenever they feel like it, then it has a serious stability problem. "But it's the apps!" is a lousy defense, since running the apps is the whole point.

This is not a commentary on XP's stability. I wouldn't know (and I have trouble believing 26 re boots in a day... that's insane). I just find your argument a little bit disingenuous.

Re:Take control?

This reminds me of the claims by Win95 users that their machines had uptimes in months... only later did we discover the timer bug, which crashed the machine after 49 days. So, all the Win95 users claiming "months" of uptime were lying through their teeth.
From http://www.bugtoaster.com/dw15/Reports/OperatingSy stems.asp
Windows XP 5.1.2600 1717 28921
Which figures out to about 17 crashes per box during the reporting period. W2K reports about 13 crashes. W2k reports 18.7 crashes. So, XP not much better than the rest of its clan.

Re:Take control?

[JebusIsLord]

on 98? ahem, *COUbullshitGH*

Re:Take control?

Must be a bug in systeminfo

Re:Take control?

[Moonshadow]

No, his first mistake was running IIS.

The second was running an internet-visible server on Windows.

*shudder*

I'm a big fan of Windows workstations. They let you work quickly and get the stuff done that needs to be done. However, the need for user friendliness isn't there with servers. A server should be run and maintained by someone who knows what they're doing, both in the arenas of security and optimization. Running a webserver on Windows is somewhat indicitive of a lack of both.

I in no way, shape, or form advocate, condone, or approve of Windows servers. Not good.

Re:Take control?

[DevNull+Ogre]

I'm not a Windoze expert, but, I'm guessing that device drivers run in kernel space, whereas apps run in user space. It's understandable that something in kernel space can take down the system. Device drivers have a higher standard to meet than regular apps. It is, however, never even kind of okay for something in user space to be able to take down the system.

Re:Take control?

What the hell? This guy gets moderated UP? I can't fucking believe it. Moderators must have turned over a new leaf-- no wait, the fag Linux/X11/free software overzealous moderators ran out of points and have been replaced with GOOD moderators!

Re:Take control?

[t0ny]

well, when you run a packard bell with $15 memory chips that you bought from some guy at a bus stop, its hardly Microsoft's fault. Methinks your problem lies with your shitty hardware.

Re:Take control?

[t0ny]

we arent saying you are a moron. We are just saying that you are PROBABLY a moron. Anyone who cant set up a stable Win2k box must have a hole in their head. You are either a troll, a habitual complainer, or a completely incompetitant computer user. Or most likely all of the above.

Re:Take control?

[AvitarX]

If you could in properly configured setup with good hardware make even WIN95 or DOS crash 26 times a day, I would be very impressed.

Unless you count letting crappy software crash the OS as an OS problem.

I used DOS for autocad and still do sometimes (version 12), and it is very stable, even when running a TSR cd player in the background.

Re:Take control?

[TurdFurgeson]

so what you are trying to tell us is that you are a loser?

Re:Take control?

Here's my info:
System information for \\MYMACHINE:
Uptime: 23 days, 4 hours, 34 minutes, 30 seconds
Kernel version: Microsoft Windows 2000, Uniprocessor Free
Product type: Professional

I normally reboot every 2 months.

Re:Take control?

[Cuthalion]

It's not really fair to say that the OS can prevent bad drivers from crashing the system - there are many cases in which misprogramming the hardware will cause problems that the OS can't reasonablly avoid. For instance, lots of DMA or bus-mastering devices don't know about the memory virtualization, so they work in the space of physical addresses, without protection.

Re:Take control?

[jsse]

Glad you said 'nearly'.

One of our 2K server went blue after migrating to Athlon-MP. We had similar experience migrating NT to different hardware platforms.

And the hardware in question are hardly faulty. Well, is it our fault to migrate system to new hardware in the first place? I don't know.

Re:Take control?

You guys are such fucking trolls. IIS isn't kernel level until IIS6 which ships in .NET enterprise server NOT XP.

Spreading lies doesn't help you it just makes you look like fucking losers.

Re:Take control?

[jpmorgan]

Why shouldn't bad drivers crash Windows? They crash pretty much every other OS. My computer (which is 100% Linux) crashes sometimes due to a bad webcam driver.

Re:Take control?

[Chexsum]

...both in the arenas of security and optimization.

I cant comment too much about IIS but I have developed ASAPI with IIS and thought it was very optimized. Flame me if I am wrong but I think ISAPI is an optimized technology (my book certainly said so and I understood it as being optimized).

Re:Take control?

[Reziac]

If I had to reboot 26 times in a *year*, I'd wonder WTF was wrong with my box. That said... when I first installed WinXP, it had (count them) *30* logged background crashes in the first six hours of operation, only two of which were presented to me as visible events. (Don't blame my hardware, that same machine dual boots WinME which has not crashed ONCE in almost two years now. An identical machine runs Win98 24/7 for weeks at a crack, and *never* crashes.) After the HD took a crap and was replaced, I had to reinstall XP.. this time it installed 600mb more files in \system (wtf??!) and has had a grand total of two background crashes (logged but not user-visible).

Anyway, occurs to me that if this guy's system has something screwy, like bad RAM or a buggy CPU or a crappy chipset, could well be that background crashes (normally disposed of transparently by XP) are being expressed as BSODs instead. (I *have* wondered what these background crashes do to memory, tho..)

I have four active WinBoxen -- the two above and two Win95 systems -- and I doubt if they've had 26 crashes in their combined total lifetimes, even tho WinME and the older Win95 box (which has *never* crashed in the year or so I've had it) are used to test every sort of crap. Amazing what sound hardware and drivers (and NOT installing M$Office, which is Windows' worst enemy!!) does for stability. :)

Re:Take control?

[Moridineas]

Please read the post before trolling--3/15 was the original install date.

Re:Take control?

[Chexsum]

700 dayes without installing any programs and having to reboot to update the registry (or whatever happens)? Impressive.

Re:Take control?

[1010011010]

your second mistake was writing bad code.

Uh-huh. STFU -- I suppose that all of your early code in a new project is perfect. Are you really serious?

After all, now that I'm finished with it, it works, no memory leaks, crashes or anything -- running on production NT and Win2k servers (pays the bills, even though I want to gnaw my hands off some days) for about six months now.

But, of course, I am a total moron for doing a double free() anywhere, ever, regardless, right?

Gone are those heady days when you had to be REALLY CAREFUL, or your application could hose the whole operating system and crash the computer. Ah, those thrilling days of Windows 1.x, 2,x, 3.x, 9x, 2000, er... yeah, where you make any little mistake with memory, or locks, or pointers, and you're watching the BIOS POST again... uh-huh...

I didn't think that any part of IIS was part of the kernel in Win2k. But I have trouble explaining why a bad pointer access in an ISAPI filter blue screens the OS, other than... there's some kernel stuff happening there! I wonder if the buffer and ISAPI filter gets handed is kernel memory...

Re:Take control?

[ScottKin]

So, you just blithely moved your NT install from one PC platform to another, without re-installing? If I'm reading your post wrong, please ignore the advise below.

If you *did* do what I surmised above, I take it that you've never heard of NT's Hardware Abstraction Layer (HAL)?

If you move your installed and functioning NT Harddrives, etc to a new hardware platform, be prepared for continual BSOD's - the HAL provides a uniform set of hardware interfaces to the OS kernel and services - and there are differences enough in motherboards and CPUs that simply moving your HD's to a new mobo and CPU will cause you nothing but pain until you COMPLETELY RE-INSTALL NT/Win2K.

ScottKin

Re:Take control?

[Sj0]

Yes, DOS is very stable by itself(who has ever seen a C prompt stop responding for no reason?), because there is so fraggin' little to it! Basically, it gives the coders disk access, XMS and EMS, and jumps out of the programmers way.

That's the reason I like programming for DOS, incidently, :)

mmmmmmmmmm....real-mode... :P

Re:Take control?

[Mandelbrute]

3) incredibly, incredibly bad software (which again shouldn't crash the OS... but that's yet another discussion)

Hey, I wouldn't call explorer.exe incredibly bad - but it certainly does seem to crash a lot on XP - even when it is the only thing running. At least most of the time it doesn't bring the sytem down entirely (can still give the three fingered salute and run apps from there).

Win2k was very happy on this hardware - XP is crashing four or five times daily - with purely MS applications and the most recent drivers.

Re:Take control?

Uninstall all of Microsofts "fixes" and your machine should work like a charm.

Re:Take control?

I call bullshit, liar.

I know /. is the bastion of the FREE OS, but don't frickin lie about XP. In the entire time I have had XP (since BETA2) I have seen it crash 3 times. Oh, and my Win2K box has over 210 days of system uptime.

Geez, the lengths some people will go to to bash a MS product.

Re:Take control?

Right out of the box XP works great.
I updated XP via Windows update and everything went to hell.
I removed all of the critical updates and bug fixes and
I haven't had a problem sense then.
specs:

Duron 750 / Fic AZ11
(I know I know. It was dirt cheap)
Geforce 3

Re:Take control?

[(outer-limits)]

Troll for this. I have suddenly had the same problem. An XP system that was reasonably stable, if very slow to boot up, suddenly blue screens all over the place, with various error message such as IRQL_LESS and something about POOL memory being release twice. It wouldn't even run in safe mode. Tried booting it up with the rollback to last stable configuration option, and it appeared to become stable again. Thought it was a hardware problem it was so bad. Perhaps one of those patches it downloads for you was a dud. Anyway, Can't say the previous post was a troll based on my own experiences.

Re:Take control?

I suppose that all of your early code in a new project is perfect. Are you really serious? re-read his post. he said they weren't. the point he was making was the writing bade code shouldn't bring down the OS. don't be so damn defensive that you can't read the words in front of you.

Re:Take control?

[hype7]

3) incredibly, incredibly bad software (which again shouldn't crash the OS... but that's yet another discussion)

and there I was thinking Microsoft Excel was their only decent product :)

-- james

Re:Take control?

[uchian]

Unless you count letting crappy software crash the OS as an OS problem.

Well crappy software crashing the OS is an OS problem. If you mean crappy drivers crashing the OS, then that would be different.

However, I have easily crashed Windows 9x > 30 times a day. It's very easy - just try and debug an application with a particularly type of bad pointer reference in it which you accidentally create every so often. Your computer is almost guaranteed to crash in less than 10 minutes of running the debugger.

Re:Take control?

Yeah, that's why my NT 4 server has been running for over two years. It's not running IIS mind you, but it does not seem to be core dumping every 52 days. In fact, it has only crashed once ever, and that was because of a hard disk failure.

Re:Take control?

Buddy I am running XP and I haven't had anything crash in months. Maybe if you start running well written windows software instead of poorly ported GTK apps you would enjoy the same stability that I do.

Re:Take control?

I do have to reboot every now and then because it loses track of the location of the IP address server.

I have had exactly the opposite. My XP box renews an IP from my ISP every time without a problem, my other boxes running 98 and Linux had continual problems obtaining an IP address.

Besides, have you ever heard of 'ipconfig /renew'? It's some of that fancy new Windows technology

Re:Take control?

[Jondor]

> However, the need for user friendliness isn't there with servers.

This, of course, is not true. Servers also have to be maintained by mortals. Userfriendliness is always needed. BUT: servers are supposed to have an other kind of user though and as result an other kind of friendliness. Basicly, server admins are supposed to have a clue and a well documented text config file is a wonder of friendliness as far as I'm concerned. I can use search, search and replace, spellcheckers, grep, etc. etc.

Re:Take control?

It's so optimized, it doesn't bother to provide an event to tell the filter that it has all of the data. -- the filter has to read content-length, cross its fingers, and hope.

Re:Take control?

[Steve+Franklin]

Actually, I have, and it doesn't work. From what I've read on Usenet, it doesn't seem to work for anybody else, either. Just more useless "Windows technology." I did notice that the losing-the-modem problem didn't happen when I accidentally hit the reset button instead of the fan speed control and it rebooted after checking the file structure. Windows is still as quirky as ever. The quirkiness is just more deeply buried now. Now if it would just STAY buried.... ;o) Maybe I could try driving a stake through its heart. :O)

Re:Take control?

[Old+Wolf]

Troll - win98 counts its uptime as milliseconds, so it can't report an uptime of over 2^32 milliseconds (less than 2 months)

Re:Take control?

[prestidigital]

I'm no MS basher, but I have experiences similar to all those who are saying XP performance and reliability seem to be degrading w/ each new update. At first the problem was that my Athlon processor was overheating, but now I'm running around 80-84F (26-29C). That should be cool enough, right? Why am I still getting the BSoD even while just running the desktop? My system startup time is also take MUCH longer (and that was one of the things XP was supposed to be so great about). Based on your experience, it seems possible to configure a stable system. So, what's your secret?

Re:Take control?

[MORTAR_COMBAT!]

thank you.

Re:Take control?

[MORTAR_COMBAT!]

i guarantee that when you're using IIS on Win2K, many of the messages get tied up in the kernel. hence the BSODs you get using bad filters on IIS. otherwise, the bad code would just halt IIS, now wouldn't it?

Re:Take control?

[Moonshadow]

Precisely. I didn't mean to indicate that servers should have all their code and configs written by the admin in the machine code. I simply meant that the "candy" glossing and Microsoft "think for you"-ishness isn't needed on a server. Greater ease of use typically == less security. A server should be a machine that is HARDER to maintain because it is more configurable and secure.

Anyone who has used both Windows and Linux will probably agree with me - Linux is harder to use out of the box, but it's much more powerful, much more secure, and much more suited to an environment that will be under constant attack.

Re:Take control?

[1010011010]

the point he was making was the writing bade code shouldn't bring down the OS. don't be so damn defensive that you can't read the words in front of you.

You're right. My bad. Sorry, everyone! Sorry! Won't happen again...

Ummm... 'Kay

[handorf]

So basically you're saying that if you can get a user to run arbitrary code and that user has access to applications with higher access rights, you can get those access rights.

If you can get the user to run arbitrary code, they're already dead.

Not to say that windows is secure, but this seems to be picking nits to me.

Re:Ummm... 'Kay

[ptomblin]

You misunderstand. He's talking about NT/2000/XP, where you have privilege and non-privilege accounts, and where even as a non-privilege account, you can have stuff running as the Windows equivalent of "root", and you can use any window that "setuid root" application pops up to root the box yourself.

The example he gave is the anti-virus program that runs with administrator privs (because it has to do stuff to the registry), when you're logged in as Joe User without admin privs. The anti-virus program pops up a window, and bam, you've hijacked the window, given yourself admin privs, made a new administrator login for yourself, and you're away to the races.

Re:Ummm... 'Kay

[handorf]

Right... a non-priveleged user has access to a window running a more-priveleged account.

But the window must be in the user's workspace. You can impersonate the user, or, if the software in question has bugs in it (buffer overruns, etc), you can exploit those.

If the user doesn't have any access to these programs (which they probably shouldn't in a truly secure environment) it isn't an issue. Turn off the user component.

Look at it this way... if you have a X window to a SUID program running and you run arbitrary code... you could well be screwed. This isn't any different.

Still, I'm back to my "If the user runs unknown code, they're screwed". There will always be SOME bugs in ANY operating system which can be exploited if you can get a user to run arbitrary code. Which is why encouraging good user habits are so important.

Re:Ummm... 'Kay

[MisterBlister]

Yeah but in any case, software companies could work around this without breaking the Win32 API just by seperating out the parts of the code that need special privledges from the user interface code and use a secure message passing system (not based on standard windows message passing) between the two.

Of course, the fact that apps aren't doing this goes to show that at the very least Microsoft has some education to do when it comes to developing secure 3rd party apps, but its not nearly as earth-shatteringly broken with no hope of being fixed as the paper author lets on.

Re:Ummm... 'Kay

"If the user doesn't have any access to these programs (which they probably shouldn't in a truly secure environment) it isn't an issue. Turn off the user component."

You don't understand. The example antivirus program would be running, even if the user component was off. if its running, it can receive messages. if it can recive messages, it can be 'rooted' by the user.

Re:Ummm... 'Kay

[silicon_synapse]

User habits have nothing to do with this. What if its that user who wants the priviledge escalation? If you had read the paper, you'd know this exploit isn't run by simply clicking a button or two. Anyone who does this will know exactly what they're trying to do. No ammount of "encouraging good user habits" will stop this unless it involves a cat of nine tails.

Re:Ummm... 'Kay

I think you're missing the point....(either that or I missed your point).

These are techniques that an attacker can use to escalate their privileges. If they can get guest-level access to a machine, these attacks allow you to get localsystem privileges from any user account.

and

Even worse is the case of Terminal Services (or Citrix). Imagine a company providing terminal service functionality to their clients, for whatever purpose. That company is NOT going to give their users any real privileges. Shatter attacks will allow those users to completely take over that server; localsystem privileges are higher than the Administrator, and on a shared server that's a problem. Oh, and it doesn't require console access either - I've successfully executed these attacks against a Terminal Server a hundred miles away.

Re:Ummm... 'Kay

[handorf]

It can only receive messages if there is a window associated with it. (Which may be hidden)

As another poster said, administrator level programs that interact directly with the desktop of a non-privledged user are a big no-no. (Not to say they don't exist, but they shouldn't).

No OS design will keep a developer from creating an insecure app when their app runs as administrator.

Re:Ummm... 'Kay

[handorf]

If you give a guest user access to ANY program which runs as administrator (e.g. an antivirus UI) I have to say you deserve what you get.

Same with the TS "shatter"... TS isolates the window sets of each user. If the user has something in their "window space" then it can be attacked.

(BTW: Does anyone else find it funny when people insist on bringing up distances in networked problems? Of COURSE it works a hundred miles away! It's a bloody network!)

Re:Ummm... 'Kay

[handorf]

If you give the user access to a privledged UI, you trust them. (If you don't and you accidentally give them access to that UI, you shouldn't be admining or you shouldn't be using that program)

If you trust a user, they should have good habits.

Combine these two and you're back to just badly written applications are insecure, which is true everywhere.

Re:Ummm... 'Kay

[belroth]

If you give a guest user access to ANY program which runs as administrator (e.g. an antivirus UI) I have to say you deserve what you get.

This translates to "If you run windows you deserve what you get". If you run windows all users have access to priviledged programs....

Re:Ummm... 'Kay

[handorf]

Huh?

If you run windows all users have access to priviledged programs....

What do you mean by that?

Re:Ummm... 'Kay

[Wumpus]

Actually, with careful timing, you might be able to pull this attack off on an app that doesn't have ANY windows. If the application in question makes use of the WM_COPYDATA message, this might prove to be trivial. Even if it isn't, you can still map arbitrary data into an application's memory space using WM_COPYDATA.

Here's the WM_COPYDATA documentation. Read it and tremble in fear.

Re:Ummm... 'Kay

[handorf]

I'm curious what you're suggesting with the timing issue.

As far as the WM_COPYDATA... well, yes. Programmers using WM_COPYDATA should ALWAYS be damned sure they know what they're getting when they get that message. And after they've checked that it's not dangerous, they should check again. And then they should probably go find another way to implement the desired funcitonallity. WM_COPYDATA has always been a terrible hack, as I recall.

Re:Ummm... 'Kay

[Doomdark]

As another poster said, administrator level programs that interact directly with the desktop of a non-privledged user are a big no-no.

Maybe so, but there's more Windows messaging system does (by allowing nifty shortcuts) than what typical suid app would. Read the article for god's sake.

Basically, it has similarities with Outlooks "execute anything on sight when user does something". Messaging system allows code to be executed without app having any way to intercept those calls. And those calls come from lower privileged level.

In this particular case it seems perfectly reasonable for the privileged app to expect that GUI components in question just do their UI stuff, instead of providing an instant code execution path. It is once again that Windows really makes thing easier... similar vulnerabilities potentially affect all/most message based GUIs / OSes, but not as easily as with Windows.

Re:Ummm... 'Kay

[Wumpus]

You missed the point, I'm afraid. Once the data has been copied into the exploited app's address space, nothing the developer does can secure it 100%. The described exploits relies on two properties of the Win32 API:

1) It lets you copy arbitrary data into another process.
2) It lets you force another process to jump to an arbitrary address by faking a WM_TIME message. It's actually the default window procedure that does this.

So, in theory, there should be a certain class of applications that would allow you to inject an exploit into their address space, using WM_COPYDATA, and then jump to that data (from another thread, possibly, introducing the delicate timing issues), and executing it. Note that this can be done before the application code gets a chance to look at the WM_COPYDATA message.

Upon closer reading of the WM_TIMER message documentation, several things come to mind that could make this attack less problematic. The OS could filter all WM_TIMER messages, and discard the ones whose LParam doesn't contain an address that was previously registered as a timer callback.

Re:Ummm... 'Kay

[davebooth]

The point remains that it isnt a question of "a user runs unknown code, they're screwed" - in this scenario the USER is the attacker.. they already have a legit account but it doesnt have administrator privs. They want to get past some restriction on their account - like maybe locate and disable any nasty corporate keyloggers that might get them fired for pr0n-mining, or plant some nasty stuff on a shared PC to grab other accounts credentials so somebody ELSE gets fired for it? Lots of attacks come from inside and lots of *nix attacks are described as "local root" compromises - thats what we have here.

To rephrase your statement its more a question of "if a user can get localsystem privs by running arbitrary code, you (as the sysadmin) are screwed."

This isnt specific to windows or any other OS for that matter. If any user can get arbitrary code to run with a higher privilege level than their own, this kind of hole exists.

Re:Ummm... 'Kay

[Brynath]

Did you even read the paper?

This isn't about specific apps, this is about how, if a window in some program is being run as localsystem (root) you can get it to run arbitrary code.

You could be Mr no priv Guest user and get it to esclate you to root because you can see a window.

Yes because you can see a window.

That is all it takes, is the ability to see a window.

That is what it is talking about. good user habits are not going to prevent this, maybe good software design from everyone in the world would prevent this, but if it were good software to begin with we wouldn't be talking here now would we?

Re:Ummm... 'Kay

[thingy]

he also said that it can take over a citrix environment. Does that mean everyone shouldn't be using the apps on the citrix environment or does that mean that we shouldn't have any more root passwords because we know our users can get root access?

Re:Ummm... 'Kay

[DaveAtFraud]

Too bad someone modded this down as flamebait. Fix the OS; don't patch the applications. Slashdot is like that though.

Re:Ummm... 'Kay

This could be a serious problem for colleges. Lots of students (eg. hackers in training or just plain curious) have access to the system. Imagine a bored CS student in an intro data structure class, breaks his highly restricitive priviliges and then starts messing with the instructors powerpoint presentation as he is showing it. Of course guilty party is the one whose keyboard is going 100 mile per hour but hey.
There are lots of situations where many untrusted users may have access to computers, academia, hospitals, goverment agencies, etc etc

Re:Ummm... 'Kay

Well take me for an example, I've been pretty tightly shut down here at work (not that I feel that I necessarily deserve it but that's another story), and don't even have the ability to make changes to the registry.

I do now.

Re:Ummm... 'Kay

The implication is that, if you run that virus laden POS called Windows you HAVE to have an AV program that runs with priveledges.

Re:Ummm... 'Kay

[t0ny]

Hey, you know what I found out? There was this guy in the next dorm, and he left his 00ber Linux box loggen in when he went down the hall to buy a 'Dew. So I sat down at this 00ber box, and *what do you know*, I compromised his computer!!!! This is a known sploit with linux. I think Torvalds needs to be made aware of this immediately.

Re:Ummm... 'Kay

[Jerry]

This isnt specific to windows or any other OS for that matter. If any user can get arbitrary code to run with a higher privilege level than their own, this kind of hole exists.

You apparently failed to read the article. It concerns weakness in Win API calls, like WM_TIMER, for example, that gives an untrusted user the ability to achive LocalSystem priviledges. An 'untrusted' user is a virus or worm. As a WinXX user you should be familiar with them. ;-) Additionally, since anit-virus programs have to run with registry access they offer the 'untrusted' user/virus access to LocalSystem and there is nothing the owner of the box running WinXX can do about it except repeat the MS Mantra: reboot, rebuild, reinstall.

Re:Ummm... 'Kay

[Bungie]

You could be Mr no priv Guest user and get it to esclate you to root because you can see a window.

You misunderstand. A non-priviledged user must have accesss to an interactive service that is running as the LocalSystem user. The reality is that you will rarely ever see one of these Windows. Not too many pieces of software do this these days, as this vulnerability is actually pretty old.

Re:Ummm... 'Kay

[dannannan]

SendMessage can only be used to post messages to windows on the same desktop as the caller. Services that have elevated privileges can be (and are by default) configured to have a separate, privileged desktop that normal user processes don't have access to. (See the "Allow service to interact with desktop" option in the Windows services UI.)

The exploit in the white paper takes advantage of a poorly written service that was configured to expose its GUI to the same desktop that normal users create windows on.

D

Re:Ummm... 'Kay

[davebooth]

OK, clarification is in order here. This particular incarnation of the problem is indeed, as you so rightly point out specific to the win32 API. I promise you I never disputed that. I made 2 separate points in my earlier post.

• This is a variant of the "local root exploit" type of problem and as such is not as minor as the MS response to notification would have us believe. I think I can be fairly confident you agree with that point :)
• Local privilege escalation exploits in general are not specific to windows or any other OS and they are a problem wherever they appear.

It was not my intention to link these two points into implying that a win32 exploit can somehow be viable on other OSs that dont use this API and I apologize for not making it sufficiently clear.

Re:Ummm... 'Kay

[ThePilgrim]

At what level does the desk top run at? (HWND id = 0)

Hear you have a known window id can you exploit it.

Re:Ummm... 'Kay

[dannannan]

The real point is that the only apps that are insecure are the ones at the same privilege level as the user, or poorly written services that the administrator never should have installed.

This is because you can copy arbitrary data into another process but only if it's got a thread on your desktop.

Which applications would those be?

• The vast majority of them will be ones running as you. So you can subvert a process running as you. Big deal.
• The unlucky among us may have installed a hack job service, granting it LocalSystem access at the time they installed it. This service explicitly configured itself to be able to interact with the interactive desktop. !!!Big news!!! Hack job service compromises system!!!

A closer look at the "Overview" section of the white paper reveals that it opens with "In this example, I will be exploiting Network Associates VirusScan v4.5.1...", so this whole article looks like the case of the unwisely configured service.

This is all very simple, and it's been this way for years: if it runs as LocalSystem, uncheck the "Allow service to interact with desktop" box. Then there's no risk. You can't copy arbitrary data into the process, and you can't send it WM_TIMER messages. If you install a service app and it turns that option on, maybe you should look for a vendor with a higher quality product. And just to be on the safe side, set NoInteractiveServices to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Windows.

(By the way, you're right that the bit about WM_TIMER in the white paper isn't even correct. The app that receives it has the opportunity to drop the message without dispatching the callback function, contrary to the white paper, whose author didn't even bother to investigate that claim before blurting it out.)

D

Re:Ummm... 'Kay

[handorf]

OK, but that AV program (which needs rights to run) shouldn't have a privledged UI.

Re:Ummm... 'Kay

[Apache]

Quote from the article, toward the bottom:

Either way, Microsoft break their own rules; there's numerous windows on a standard desktop that run as localsystem. Use my shatter tool to verify this - there's a whole load of unnamed windows which might be running as Localsystem, and a few invisible windows (like the DDE server) that definitely are. Security boundary my arse.

Note that a program can have a window object that can be invisible or act in some way that only 'sort of' behaves like a window. It looks to me that any arbitrary user can gain the privs of any other arbitrary user if they can just get a handle on a window owned by that user, visible or hidden. The hard part is just getting the handle, and having a visible window just makes it easier.

Re:Ummm... 'Kay

[Wumpus]

Thanks for the information. If nothing else, this discussion shows that the problem reported in the article is more application specific than the author would have you believe it is.

This kind of exploit should be documented and understood by application programmers, of course. It's in the same class of bugs as using strcpy() on arbitrary user input. If you interview someone for a programming position, and they can't tell you why that's a bad idea, you should be worried.

Mirror, in case:

[Saint+Aardvark]

http://saintaardvarkthecarpeted.com/mirror/shatter .html

Scott Charney

[Oliver+Newland]

I went to University of Michigan with Scott Charney and he's a really cool guy. A little background info is in order here. I really hope that he improves the Microsoft security record, and I really think he's enough of a go-getter to do just that.

Re:Scott Charney

Oops--my cat jumped on the keyboard and submitted my post before I got into my favorite Scott Charney anecdote. Back in the U. Mich. days, Scott and I were discussing userspace security in the Win32 API. Scott wanted a little bit of time to think over my suggestion about modifications to msgsrv32.dll, so I excused myself. As I stood up to leave Scott said "Your barn door is open". Before I could look down to check, Scott yanked on my waistband and poured a bowl of hot grits down my pants. It was sticky and hot.

Oliver u r teh TRLOL.

Re:Scott Charney

[Oliver+Newland]

YOU MADE ME SPIT OUT MY COCKE LOL

Don't use so many caps. It's like YELLING.

Re:Scott Charney

So is this guy a lawyer / whip or can he actually make a difference?

This is not new

This class of attack is not new, it has been discussed before. While you can assert that the blame lies with Microsoft (and I'll admit they do
have some responsibility to address the problem you describe) the chief blame lies with the vendor of the software whose bad programming you are exploiting. There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop. I am not aware of any Microsoft application that makes such a mistake.

Re:This is not new

This is very true. Had they been following the guidelines for proper Win32 application development this would not be an issue. In this case, they should have decoupled the GUI control interface from the service/daemon that must run as LocalSystem and used a secure interprocess communication mechanism.

It's really no different than if I bang out an exploitable daemon that has to run as root under Linux.

Re:This is not new

Except this was done on Windows so according to SlashDot it's the most serious problem ever and Bill Gates did it himself, really. They have video tape of him entering the malicious flawed code.

Re:This is not new

[Chris+Burke]

It's really no different than if I bang out an exploitable daemon that has to run as root under Linux.

Well, it is different, in that this affects every process that puts up a window. It'd be kinda like if your daemon had no exploitable code itself, but because you used pthreads which happened to have an exploit, you were screwed anyway.

Not a huge difference, but a difference.

unfixable?

How is it unfixable? Is it unfixable in the way that many current applications rely on this feature?

Re:unfixable?

[silicon_synapse]

Here's a thought. Read the article.

Re:unfixable?

[NorthDude]

It is unfixable because it would require to change an API used by... All windowed windoes applications.

Microsoft has had 7 years of warning.

[Quasar1999]

Microsoft was told about this flaw when it was first discovered 7 years ago. They still haven't fixed it.

In other news, microsoft is sueing the cnet for making a flaw public news. They claim they needed more time to fix it, 7 years just isn't enough time to fix the bug and test the patch...

Re:Microsoft has had 7 years of warning.

[donutello]

Read the article. I'll quote from the response included in the article.

It is the implementer of a program that decides what messages to handle
and how to handle them. This also means that an attacker needs to
figure out a way to use windows messages to actually get the application
to do anything useful to the attacker. Given this, I would recommend
that you contact the program's owner and let them know of your report.
There may or may not be a vulnerability for them to address, but the
program's owner should determine that.


It's a matter of design how an application reacts to messages.

Re:Microsoft has had 7 years of warning.

[kasper37]

In even other news it was shown that every unix is vulnerable to the "floppy boot" flaw and has been exploitable since 1969.

Re:Microsoft has had 7 years of warning.

[Graspee_Leemoor]

" In even other news it was shown that every unix is vulnerable to the "floppy boot" flaw and has been exploitable since 1969."

That would be difficult, since they didn't have floppies in 1969.

graspee

Re:Microsoft has had 7 years of warning.

[lacrymology.com]

>That would be difficult, since they
>didn't have floppies in 1969.

Sure they did, but they were 4' x 4' and weighed 57 pounds.

Re:Microsoft has had 7 years of warning.

[DunbarTheInept]

The point is that the *default* behavior you get if you don't *override* one of the message handlers is the one that has the exploit. It's one thing to say that it's the application's fault when it opens a hole by code *it* added. It's something else entirely to say that it's the application's fault when it failed to write extra code to override some exploitable default behaviour. Any Windows program that has any GUI has this hole *unless* it overrides the default behaviour for the messages in question.

Re:Microsoft has had 7 years of warning.

[Mathness]

I think your are confusing floppies with TSD (Table Storage Device).

Have a look here for executive models. Which can be identified by the fluid supply for the TSD handlers, wine in this case.
The models show are of a never date than 1969, observed by their significant smaller size and weight.

Re:Microsoft has had 7 years of warning.

[dabootsie]

Altering default behaviour does you no good. You can close many exploit vectors, sure... but applications can't ignore or override the WM_TIMER message. Welcome back to square one.

If you want to secure against these exploits, nothing running as another user must interact with the desktop, visible or not.
Any and all microsoft tools or services that do this must be corrected (by MS), and you must not install anything that will "runas" unless you're absolutely certain it won't ever touch the desktop with those privileges.

Re:Microsoft has had 7 years of warning.

[Old+Wolf]

The only way to fix this, at the OS level, would be to implement some sort of ACLs for windows messages. Apart from making things staggeringly slower, it would break all existing applications. Most Windows applications use timers.

Is this really a security risk?

[turbine216]

This whole exploit seems flawed in its assumptions...I mean, how can it be classified as a security risk of ANY sort if it requires that someone is sitting in front of the computer? It seems like this is something that could easily (EASILY) be avoided by - wait for it - preventing unauthorized access! Something that Windows has been doing pretty well since Windows 2000 (flame on, zealots, but it's true).

Sounds like this guy is just trying to gain cool-guy points with the slashbot crowd by showing off his 1337 windoze hacking skillz. Pass.

Re:Is this really a security risk?

[Marx_Mrvelous]

This is a huge risk. As any security administrator knows, more security breaches come from within a computer network than from without. Even if computers are locked in a computer room, what about the desktop machines? We currently use profiles to prevent people from installing unlicensed software. But with this exploit, that probably would not be very hard. This is a huge problem in Windows.

Re:Is this really a security risk?

[jasonrfink]

Terminal access and shared access to a server can be used to perform the same attack on a server from a client. If the Shatter attack is as easy as he makes it out to be, practically anyone could do it within the company fence, for those who install ms on the wire I am not sure what attacks could be performed. If a system on the wire has shares activated or terminal services running, it is only a matter of time before they can use this attack.

Re:Is this really a security risk?

[topham]

A user opens a damn attachment, which you've told them not to do a hundred times, but one of them does it anyway...

No problem right, the attachment runs as that user and the damage is restricted? Only it isn't, because the attachment escalates itself to localsystem privledge and now starts really screwing around.

With any luck it drops itself on the network somewhere and some other soul mistakenly runs it and it gets domain privledges...

Re:Is this really a security risk?

Did you read the fuckin article you troll?? He said he did it to a remote computer from far away. You just need access to the computer, not physical access, but a user account on the computer. Like he says at the end, this could be really bad for large corporations of people. Or any place that lets employees connect from home. Just a friendly reminder to read the linked article before you post. fuckin douche handle

Re:Is this really a security risk?

[sysadmn]

Read the article. This is an escalation-of-privileges attack. Very few businesses give every user 'root' on their desktop. Now Microsoft has done it for them.

Re:Is this really a security risk?

[RetroGeek]

Scenario:

- I am a user on a corporate machine. I have very basic access to the machine, ie: I cannot install s/w that requires admin access.

- I install a utility that does not require admin access.

- The utility runs, but in the background raises MY access to 'local System' (read root), using this exploit.

- Now that utility can do anything it wants.

It's the equivalent of a Linux user gaining root access simply by running an app.

Re:Is this really a security risk?

[Slynkie]

The fact that it may require an attacker to be physically in front of the computer is the -point-. As others have mentioned, it's a matter of being assigned a certain (low) level of access, and giving yourself a higher level. Sort of equivalent to a local root exploit under un*x.

Think of the "Family Computer". Mom + dad put some content blocking software on it in order to block their son/daughter from accessing some particular type of content on the web. Mom + dad also install, to use the example from the white paper, anti-virus software.

Little billy logs in as himself, uses the shatter exploit to give himself admin privledges, and disables the content blocker.

At least, that's the way I understood it...

(btw, if it was me 15 years ago, I'd probably lock out mom + dad's accounts just for kicks, but that's besides the point.)

Re:Is this really a security risk?

[turbine216]

A user's ability to crash his or her desktop machine does NOT constitute a HUGE risk, as you put it (especially when considering that it requires binary/hex editors and various other obscure tools that your typical user just doesn't have).

And any competent netadmin/sysadmin will make sure that those same users don't have the ability to run arbitrary code on a server.

I agree that this is a serious flaw in MS's design, but christ, aren't you blowing it just a BIT out of proportion? Seriously...can you think of a single situation where this would ACTUALLY create a real security risk?

Re:Is this really a security risk?

[Ardax]

It doesn't really require someone to be sitting at the console.

Socially engineer yourself a login and hijack the machine remotely via Terminal Services (or Remote Desktop Connection, which is ENABLED by default in XP). Owie.

Yes, clueful sysadmins or netadmins will make sure that port 3389 (IIRC) is firewalled, but there's lots of admins that are either not clueful or overrided by a PHB.

Don't believe me? Check with a sysadmin running a web server. Ask them how many Code Red or Nimda hits they still get per hour.

Re:Is this really a security risk?

just about every day, i see hundreds of students sitting in front of my university's Win2000 network in the student computer labs... its kinda hard to limit the authorized access...

think harder next time, the whole world doesn't revolve around your setup...;)

Re:Is this really a security risk?

The main security hole IMO is that programs can be written to simulate users for other applications. For example, I once used a program which had thousands of phone numbers stored in its encrypted databases. The program would only allow 50 or so numbers pulled at a time through a fairly tedious process (so that people couldn't simply rip the database off of the CD). By writing a program to automate this process (which is a trivial exercise to do in Windows), the entire database could be copied painlessly, thereby defeating their simple security protection.

Re:Is this really a security risk?

[Ardax]

Policies? I remember a handy little program that would reset a system's policies and prevent them from being pulled from the server at next boot.

I've probably still got it sitting on my hard drive somewhere. I don't know if this will still work XP, or even 2k. Should I ever get the opportunity again, I might check. :)

Re:Is this really a security risk?

[Abcd1234]

Bull. Local exploits are just as important to avoid as remote ones. Anyone who thinks otherwise has their head in the sand. Ignoring the proliferation of remote exploits on the Windows platform, the fact is, people want to run multiuser systems on Windows-based networks (why do you think Microsoft rolled TS into their main product line? To promote this very thing!) And the minute you start allowing multiuser access like this, local exploits become a real concern. Imagine you're running a University using TS and a bunch of thin clients, and you happen to have a cracker enrolled in your program? The point is, in this sort of environment, you CAN'T trust the user, and so you can't take the chance that a local exploit could leave you vulnerable.

Re:Is this really a security risk?

[Abcd1234]

Sure, you can't run unauthorized software on the servers. But what about fun stuff like packet sniffers and the like? Remote exploit tools? I could go on. The fact is, there's a TON of malicious code you probably don't want a regular user to be able to run from INSIDE your network.

Re:Is this really a security risk?

[ajrs]

Yes, it is. The implication is that an authorized user, without administrator access, could be the victim of a Trojan of some kind. This in turn could compromise the whole box. Even the parts that the orignal user didn't have access too.

Any system is potentialy vulnerable to local exploits (ex local ssh exploit). They are usually not this easy to implement, however.

Re:Is this really a security risk?

[irix]

I've got news for you: local priviledge escalation exploits are still exploits.

Sure, it isn't as serious as a remote exploit. However, if you take the stance that once a user logs on to your system then you are 0wned, you don't have a real multi-user O/S. What is the point of having multiple user accounts with priviledge separation if you don't fix local exploits? Would you give every user on a system you admin root (Adminstrator) privs?

The fact that Microsoft is dismissing a local priviledge escalation as "not a problem" just tells me they still don't understand how to make a real multi-user enterprise O/S.

Re:Is this really a security risk?

I didn't require physical access to the computer, it requiered a guest account on the computer. Ever heared about Terminal Server or Citrix?

Re:Is this really a security risk?

[kableh]

It isnt necessarily an exploit, as he explains in his vuln-dev post: This is not a bug. This is a new class of vulnerabilities, like a buffer overflow attack or a format string attack. As such, there is no specific vendor to inform, since it affects every software maker who writes products for the Windows platform. A co-ordinated release with every software vendor on the planet is impossible.

Re:Is this really a security risk?

Wrong.

I would simply secure the box to not allow ANY software to be installed (this is my 'normal' installation for my user base).

There is absolutely NOTHING that they need to install on a corporate machine that is not first screened and approved by corp.

Re:Is this really a security risk?

[Mr.+Sketch]

Actually the attack seems to involve getting a handle to a window running in a process with higher privledges, which is trivial in windows. There is a nice function call WindowFromPoint that given a point on the screen, it returns the window handle under that point. After I have the window handle, a simple call to GetWindowThreadProcessId will give me the thread and process id that's in that window handle. After getting the process id, it's not that much more difficult to see what the userid/security class of the application is.

My point is that there doesn't have to be any user interaction at all, and that the program can determine which windows have a higher priority and escalate their privledges via this exploit. Also, it's not all that difficult anyways to just iterate through all the toplevel windows in the system (via the EnumWindows function) and check them that way instead of using WindowFromPoint.

Re:Is this really a security risk?

uuh...how exactly would you prevent ANY software from being installed ? you cant. if my install procedure is copy files from a floppy to my home directory and execute an exe file then your fux0red. moron.

Re:Is this really a security risk?

If I understand correctly... this exploit allows a cracker sitting at someone elses computer to extends thier rights from guest to local admin, right? As a local admin I can install software, read any file, etc., etc...

I tell you one thing. When I quit this job. I'm going to sit in my bosses office for 30 minutes when he's away for a meeting and see if I can't delete every file on his computer...

Just kidding, but just because this exploit isn't easy for the kiddies doesn't mean that there aren't.

Re:Is this really a security risk?

[sealawyer]

Install in this case means copy a file to some place where it can be executed. This would include on removable media like floppies or cdroms.

Can you really prevent people from running any executable other than the ones you intall? I suspect that you cannot.

Re:Is this really a security risk?

[dzym]

For that specific instance, you disable floppy access to the computer.

Remove floppy drive, disable floppy drive in BIOS and then password it, or simply configure the ACL to not allow floppy or CD access for anyone who is not an administrator.

Re:Is this really a security risk?

[bwt]

In MANY networked windows environments, the network admins do not allow end users to have administrator right on the machines on their desk. The network admins, typically MCSE's, perform a variety of admin tasks using automated tasks (either login or chron based) at an elevated permission.

Re:Is this really a security risk?

[Kraegar]

Or it drops itself in the all user's startup folder, to run silently... Then each time someone logs on it tries to copy itself out to their Domain Controller. Won't work for normal users, but next time someone with Domain Admin priveledges logs in... bam. Now they have your network.

Scripts to drop in a Domain Admin's startup folder and own a Domain are already preset in the wild. The tough part is putting them there, because you already have to own the box... using this, it's not bad.

Put those two together, along with the tunneling trick we saw in an earlier article, and suddenly you're tunneled in to a corporation's domain controller as a Domain Admin... and from there the sky is the limit.

Re:Is this really a security risk?

If you allow people to save Word Documents then they can be scripts/software.

Re:Is this really a security risk?

[topham]

What I liked was the response from microsoft. This program violated one of their 'laws' (of secure computing I guess) and therefor it doesn't count.

According to that philosphy no security holes count...

Re:Is this really a security risk?

which means there is at least one computer, somewhere, that might be kinda sorta resistant to this attack. yay!

Re:Is this really a security risk?

[seanyboy]

There's always copy files over the net, over ftp, from email. From a command prompt, you can use paste (copy con go.exe) over a terminal services client. There's a basic telnet session, there's the ability to share files. You could use Word to import a "Gif" file. And I know nothing very much about this stuff. I'm thinking that if somebody really wants to get a file onto a machine, they can. The question is (And I'm pretty sure you can do this unix) is whether you can stop people executing files which are downloaded into a user space.

Re:Is this really a security risk?

[Bill+Currie]

copy con foo.exe
MZ[lots of alt-numberpad typing, hope you don't need 26]
^z
foo.exe
Windows doesn't even need chmod +x

Re:Is this really a security risk?

[innocent_white_lamb]

I can get the program into my home directory by emailing it to myself. Save attachment and run it from there.

There are lots of ways to get information from there-to-here.

Re:Is this really a security risk?

[hyperturbopete]

hmm, mod parent up.

once again, tho, i want to point out that escalation-of-priviledges doesnt seem quite as bad as automatically execute any code that is emailed to you, a-la Outlook.

Re:Is this really a security risk?

I'm not going to pretend to be familiar with the full scope of this vulnerability, but it seems to me that if an exploit exists to "take control of any window on your desktop, regardless of whether that window is running as you, localsystem, or anywhere in between" that the same exploit can be coupled with other vulnerabilities to raise a remote intruders access.

Hmm that gives me an idea...

[jsonmez]

That means I essentially could write a version of paint that when you open it closes all other windows you have open on your system and flashes up a window that says "PAY YOUR ALLEGANCE TO PAINT ALONE!"

Re:Hmm that gives me an idea...

[GS11_Pus]

Well I laughed at least.

Re:Hmm that gives me an idea...

Heh heh heh.

Fixability

[Wrexen]

What's to prevent an administrator from installing a Message Hook that eats all EN_* or WM_TIMER messages sent between processes? Since your DLL would be living in each process space, you could detect inter-process message sending and block the attack from ever leaving the Shatter process. I don't see any reason why this shouldn't work

Re:Fixability

[erasmus_]

Finally, a constructive response to the problem. However, since you still don't have the capability of seeing what the source of the message is, I don't see how you can drop all of those messages with 100% certainty. Those API calls are there and are used legitimately as well, for better or for worse. So although your way coulf fix things, I wouldn't be surprised to see it breaking some applications along with it.

Re:Fixability

[hyperstation]

cut and paste wouldn't be very useful then, would it? i don't know much about win32 api, just assuming here...

Re:Fixability

[Wrexen]

The basic idea would be to install a WM_GETMESSAGE hook. Contrary to what the writer believes, all messages must go through the queue. No two ways about it. At the hook level, we just examine the message and look for suspicious activity. Simplistically, all that really needs to happen is to look for EM_SETLIMIT and cap the WPARAM at some small value. It might also be good to remove callback addresses from WM_TIMER, or add verification (is the destination address part of the loaded executable space?). Most applications won't use the callback feature of WM_TIMER anyway.

Re:Fixability

[HopeOS]

A cursory look through the hook API does not suggest that one can block messages based on the calling process. There appears to be a way to determine if the current thread made the call, but that is largely useless. Threads post inter-thread messages all the time. The real question is whether that thread belongs to the same processes as the receiving window.

The callback function has the following prototype:

LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam);

nCode specifies handling semantics.
wParam specifies whether the message was sent by the current thread.
lParam is a pointer to a CWPSTRUCT structure.

The CWPSTRUCT contains the following:

typedef struct
{
LPARAM lParam;
WPARAM wParam;
UINT message;
HWND hwnd;
} CWPSTRUCT, *PCWPSTRUCT;

There is nothing of use here that would permit a filter to determine the origin of a message. At most it could kill all inter-thread messaging, seriously breaking multi-threaded applications.

-Hope

Re:Fixability

What would prevent that is that if he did then a sizeable amount of applications would fail.

Re:Fixability

[_bug_]

What kind of overhead would there be with such a system patch? Adding extra processing to every GETMESSAGE event would suck down a noticable amount of cpu usage, wouldn't it?

I would guess there would be a greater impact on user desktops rather than servers since there is (usually) less interaction with the server's GUI rather than a desktop's GUI.

Re:Fixability

What's to prevent me from booting that machine from a floppy and accessing the hard drive. When I worked at MS, we had an NTFS driver for DOS (can't remember the name of it). But such a thing does exist, and it is *not* read-only like the Linux NTFS mount.

Anytime you have full physical access to the machine, you can pretty much take over with minimal effort. Microsoft makes this point, and for once I agree with them.

Re:Fixability

Another problem with this is that windows hooks only see messages Post'ed to the window, not messages sent using SendMessage, so write the exploit using SendMessage.

Another way to see messages is to subclass all windows using SetWindowLongPtr to replace the WndProc, but you would have to do that to every window. I think it is impractical. It also relies on all WndProc functions being written according to the guidlines from MS, which not even MS programmers do.

Re:Fixability

[Glorat]

Contrary to what the writer believes, all messages must go through the queue.

Correct me if I'm wrong but I'm pretty sure that PostMessage puts a message on the queue whereas SendMessage skips the queue and gets handled straight by the application without examination. Of course, an application could handle every message but in practice 99% of applications will leave the default windows handling of most messages. (Handling all manually is not feasible).

cap the WPARAM at some small value
I think you misunderstand that. WPARAM is a fixed size double word (4 bytes). The problems is that it is often used as a pointer to a memory location. Obviously, you can't cap the target of a pointer since no information is possed in the length

Most applications won't use the callback feature of WM_TIMER anyway
AFAIK, if you don't handle the callback feature (99% of apps), you get the default handling which is to execute the code as the article describes

Re:Fixability

[Wrexen]

You shouldn't be running terminal servers on your DB machine or webserver anyway, or be allowing random strangers with floppy disks to approach the machines. The total overhead would be probably about as much as your average virus scanner, and worse for UI intensive apps.

I think the real point is that virus scanners worth their salt will detect this anyway -- how often does a user need to paste hex data into a textbox? Blocking any paste operation with characters resembling machine code would be yet another reasonable work-around. "Not fixable" is FUD, this time directed at MS

Re:Fixability

[Wrexen]

Correct me if I'm wrong but I'm pretty sure that PostMessage puts a message on the queue whereas SendMessage skips the queue and gets handled straight by the application without examination
No. Both place messages in the queue, the difference is that PostMessage does not give you the return value of the message (and hence does not block).

I think you misunderstand that. WPARAM is a fixed size double word (4 bytes)
Exactly, but for the message EN_SETLIMIT, this is not a pointer.

AFAIK, if you don't handle the callback feature (99% of apps), you get the default handling which is to execute the code as the article describes
Which is why we would block timer messages with a callback parameter

Re:Fixability

[psypete]

well, i *think* we could still fix at least part of this problem without breaking apps, but microsoft would have to implement it.

the main problem i see is the timer. any window can send one to any other window arbitrarily, and that should be limited. firstly, code could be added to windows to simply not send timer messages across different users/desktops/groups/etc (ala windows xp) unless it was the administrator account doing the sending.

another means to this would be that across different users/desktops/groups/etc, the second parameter (address of timer callback function) could not be set; i suppose this would mean that the timer could not be interacted with using a secondary function (breaking any kind of error checking or whatever it's purpose actually is) but it wouldn't allow the jumping to different points in memory and would still allow the somewhat limited use of WM_TIMER across different users/groups/whatever. this would probably have very bad effects for today's standard windows programs.

yet another unrealistic yet appropriate long-term idea would be for windows to loosely keep track of what memory a window/process/thread had access to. windows doesn't have to *manage* it per-se, but if it kept up with where in memory a program was allowed to go it could limit messages by the basic range and scope of its access.

by the way, does anyone have any resources where i could learn more about this kind of in-depth windows coding? i've been focused on linux for a while now and learning more about this could be very insightful.

Re:Fixability

[b0bd0bbs]

AFAIK you can still allocate ring 3 descriptors via windows DPMI calls, change them to ring 0 descriptors via an LDT mapping (which is legal in pmode the way windows sets things up), then execute any code in your program as ring 0. Woohoo. That *feature* has been around for at least 6 years.

Re:Fixability

[Uller-RM]

Not even really that - Hooks aren't allowed to modify messages, only watch them.

The only way I can see to defend against this is to carefully initialize all windows in the system before starting the message pump, using careful calls to GetMessage() with range filtering and checking the wndproc pointer at every step to make sure nobody's subclassed it from under your nose. Then, subclass all child windows to ignore EM_SETSIZE, WM_SETWINDOWTEXT, any non-essential messages. It's hardly a trivial task, though, and it'd have to be done per-app, in which case re-writing the code to not call DefWindowProc on WM_TIMER or any other callback message would be cheaper.

That, and the whole thing becomes moot if I create two passthrough DLLs, user32 and kernel32, the former patched with a handy dandy backdoor, the latter with a patched LoadLibrary() call to prevent apps from loading the unpatched versions directly out of the system directory.

Re:Fixability

[Wrexen]

Check again, WH_GETMESSAGE filters are explicitly allowed to modify messages

Quoth MSDN:
The GetMsgProc hook procedure can examine or modify the message. After the hook procedure returns control to the system, the GetMessage or PeekMessage function returns the message, along with any modifications, to the application that originally called it.

This includes modifying the message parameter itself (set to WM_NULL, WM_GETCHICKEN, etc.)

Re:Fixability

[glenebob]

PostMessage puts a message on the queue whereas SendMessage skips the queue and gets handled straight by the application without examination.

PostMessage() always puts the message in the queue. SendMessage() tries to bypass the queue, but that only works when sending to the same thread. If you SendMessage() to a different thread (or process obviously), the message goes in the queue and the function doesn't return until the target thread handles it, so SendMessage() could be called PostMessageWait() or something, but it's historical (in Win16 it really did always make a direct call).

The writer's statement is somewhat incorrect about this. The WM_TIMER message does go through the queue, but windows apps don't generally examine messages at the queue-read level. They just use an API call (GetMessage()) to pop the next message (and ignore its contents), and another API call (DispatchMessage()) to dispatch it to the proper handler function, where all the real work gets done. In the case of WM_TIMER, DispatchMessage() is what decides what function to call (based on the second message parameter). An app could technically block it by making sure the second parameter is a valid timer handler function.

Re:Fixability

[Uller-RM]

Yes - but plenty of apps out there use WM_TIMER. You can't just discard the whole message, and since message hooks don't give you a handle for the sending thread, there's no way to tell whether the timer is a legitimate call from the app or a backdoor.

You're technically correct, but that still doesn't solve the problem at hand.

Re:Fixability

It can be done from the API level. The DLL knows what PID called into it, and knows what window the message is destined to. It's very easy (single call) to determine who owns the window, and if it's not the same PID, eat it. WM_ is not a legitamite method of IPC.

Re:Fixability

[Glorat]

Thanks, that all makes perfect sense now =)

Re:Fixability

My interpretation was that it wasn't being handled at the virus checker level, but by the interface running with the virus checker's security level.

The checker itself wouldn't do anything with the binary data, until something actually tries to use the contents of that text field. In the meantime, the data is stored in the memory belonging to that checker - any validation at this point is at the Windows toolkit level.

The second part is the message that actually runs the code concerned - according to the document, that message is not handled by the checker's event loop, but by Windows itself.

Thus, the only fault with the checker is that it runs a window while operating as a priviledged user. This might not be ideal, but as the article indicates, the real problem is the weakness of the Win32 API.

Re:Fixability

The ultimate security measure; a firewall for every process!

Re:Fixability

[Mike_L]

Dropping all WM_TIMER messages means that your cursor will no longer blink. Tooltips won't work anymore. Also other things like IE downloads and status bar updates probably will stop working.

The original poster is incorrect about WM_TIMER messages being automatic. Every Win32 application chooses what to do with EVERY message. Most call the DefWinProc() which then calls the timer function - but this is not a requirement for a Win32 application.

Filtering Win32 messages is pointless because every application has its own proprietary messages that are exploitable. Code snippets like this are common:

#define SPECIALSUPERMESSAGE (WM_USER + 2)

The only solution to this is for Microsoft to make a future version of Windows with a more rigid security model. One solution would be to require that the owner of the desktop be the owner of all attached processes. Of course this would require privelaged services to exist in a separate process from their configuration programs. Such separation makes good sense for reliability purposes - but the shoddy programmers of Symantec and other corps won't like it one bit.

MS could fix it... but only in future versions of Windows. They probably won't though.

-Mike_L

Re:Fixability

[moogla]

Moot in NT based systems, AFAIK

Re:Fixability

Despite being modded as funny, presumably for the excessive technobabble, this makes perfect sense, and most likely would work with Win9x systems.

Of course, considering you can easily crash a Win9x system from a virtual 86 box, that's not too surprising.

Re:Fixability

[Old+Wolf]

Oh yes they would; timers can only run callback functions (they can't simply set event flags or anything). Timers are used all over the place; any event that has to happen which isn't in response to some other event (this includes any animation, flashing items, etc.)

NB - It would be possible to implement animation by a thread with Sleeps, but you have to be pretty gay to make a whole thread just for that

I can do it in linux if I got root.

[t0qer]

Or if the process belongs to me.

kill processname

Re:I can do it in linux if I got root.

Where are moderator points and the [Score -1: Idiot] option when I need them?

Could you be more clueless?

SD3, eh? Sounds suspicious.

[mbourgon]

[Scott Charney, Microsoft]
We're doing this thing called "Trustworthy Computing." It's an evolving concept. We've come up with our new paradigm, SD3[...]

A-ha! It's just a small leap to go from SD-3 to SD-6. Insert joke about covert evil organizations here.

Yes, it's funny. Laugh.

Read the BugTraq replies first

[pbemfun]

Before jumping to conclusions, read the reply to the "vulnerabilities" on the BugTraq mailing list here. Doesn't look like its something unknown to the public and its really more of a vendor problem, not MS one.

Re:Read the BugTraq replies first

[silicon_synapse]

Yes the vendor is at fault, but so is MS for not including a mechanism to manage messages or at least identify where it came from. Why in the world is there no way to identify the source of a message? Security is a multilayered beast. The apps shouldn't display windows running as system, but Windows shouldn't allow just any program to send anonymous messages to any window it likes.

Re:Read the BugTraq replies first

[Ooblek]

I agree this is more of a vendor specific problem. The messages he is talking about handling can be overridden or ignored. Many developers use a wizard-generated framework to start their projects, which is probably where the example program fits into his exploit. Also, his assertion that it is unfixable is a bit premature given that the author has likely not seen the source code. Looks like someone trying to get their name out there as some sort of "security expert".

Maybe he doesn't know this, but DDE (Dynamic Data Exchange) uses this same method for inter-process communication. Its not used much anymore since it is rather slow, but some apps still do it for backwards compatibility. As with any communication mechanism, you have to check for buffer-overrun exploits as well as a multitude of other exploit areas.

Re:Read the BugTraq replies first

[mce]

The X window system also allows any program to send synthetic events to any window (or listen in on any window, for that matter). And while the server will mark the unreal events as synthetic, there is no way for the target application to know the exact source, so if it has a reason to accept some synthetics (e.g. from a companion program, or even from itself), it has to accept them all.

Here too, how bad a security problem this is depends on what the applications do with the events. Xterm, for instance, ignores all synthetic events by default, but it can be configured to process them.

Re:Read the BugTraq replies first

[dumky]

I really don't understand why so many people on this forum say the problem lies in the virusscan app or other vendor application. Same for the John Howie in the securityfocus discussion mentioned above.

Sure these apps probably shouldn't run as a localsystem user, but that is not the point of the exploit.

The point of the exploit is *elevation of privilege*. That is: not necessarily to gain localsystem access.

If you have two apps that run with two differents privileges in the same desktop they can steal their privileges from each other. That's bad in itself, and there is nothing wrong with apps needing various levels of privilege.

The problem is not in the vendor apps, although they can worsen the problem by having desktop apps running with un-necessary privileges.

See you,
Dumky

Re:Read the BugTraq replies first

[djcatnip]

its really more of a vendor problem, not MS one.

holy shite, i just found documentation for a hook called "hijaakUserMachine()" ... hmmmm...

Re:Read the BugTraq replies first

[WzDD]

It really is a vendor problem. In his paper, he has not 0wned Windows through any Microsoft service. He exploited a false assumption on the part of the VirusScan programmers to create a buffer overflow. It's a terribly beat-up story. I'm not exactly a Windows programming guru, but I have already used the capability to send fake messages to other programs in my own code. If VirusScan doesn't check the lengths of its inputs, that's a bug in VirusScan, because it's common knowledge that GUI element restrictions can be changed.

Re:Read the BugTraq replies first

[hyperturbopete]

Maybe he doesn't know this, but DDE (Dynamic Data Exchange) uses this same method for inter-process communication. Its not used much anymore since it is rather slow, but some apps still do it for backwards compatibility. As with any communication mechanism, you have to check for buffer-overrun exploits as well as a multitude of other exploit areas.

actually, there are a lot of legacy business apps out there, most have DDE features because it was a really cool thing to implement. Eliminating DDE would really piss people off.

Eliminating all buffer overflows from messages passed between windows would be a massive undertaking (that would have to be done by each application's developer/vendor!)

the author of the article is right by pointing out that this is a problem that will not soon go away... though he probably made it worse by drawing attention to it :-)

Re:Read the BugTraq replies first

though he probably made it worse by drawing attention to it :-)

On Slashdot? Considering that it appears that most readers of Slashdot are ignorant Linux zealots, I doubt the author of the paper did much damage. For all their anti-Microsoft, pro-Linux zeal, I'm betting most people wouldn't know the first thing about doing the stuff discussed in the paper. Commercial apps have always been open to someone who wants to watch what is happening in their message queues, but no one does it because it is not a trivial thing to do.

Devil's Advocate...

[d_force]

It seems this exploit allows local users to escalate their privelages through processes running as LocalSystem. So, I could either do this or open up the system, take out the hard drive, re-write the OS, and put the drive back in the system. Yes, these problems do exist when you're forced to trust local users.

Simple fix: require each user to wear a straightjacket with their legs and arms bound to the chair; have them type via the mouth-to-pencil-to-keyboard method.

Re:Devil's Advocate...

But with Windows's Remote Desktop, anyone can be a local user.

Re:Devil's Advocate...

[Algorithm+wrangler]

But as long as M$ allows E-Mail clients and even Media Players to execute random code at will, the "local user" is a matter of definition.

Re:Devil's Advocate...

[mark_lybarger]

there's a reason you don't allow normal users to have administrator (root) access. among the many others, you just don't want them to fsck up the system beyond unbelief.

on a side note, why do you need to remove the drive to write an os to it???

Re:Devil's Advocate...

[shannara256]

> Yes, these problems do exist when you're forced to trust local users.

Did you read the article? It's not only local users, it's all users. If you can get to the GUI, see a window that was RUNAS LocalSystem, and run a program, boom, you're more super than the superuser himself (the administrator). This applies to Terminal Services, Citrix, Remote Desktop, all of it. NOT just those who are actually at the computer.

> Simple fix: require each user to wear a straightjacket...
Yeah, because that makes sense in an environment where the users need to be able to use the workstations...

But, as others have pointed out (Otis_INF and cperciva, that I've seen so far), you shouldn't be able to see windows that were RUNAS LocalSystem... that's the fault of the application developers (Network Associates in this case), and not so much Microsoft's fault.

-Jason-

Re:Devil's Advocate...

[mkldev]

Yeah, but if you're really paranoid about people taking out the hard drive and messing with the system, you're probably paranoid enough to lock the machine in a box so that they can't. :-)

Re:Devil's Advocate...

[sydneyfong]

Haven't you heard of physical locks which can give you a hard time breaking open the box and taking out the harddrive?

Don't Do That

[cperciva]

This "vulnerability" only effects poorly-written applications, running with system priviledges, which create windows in user-space.

You're not supposed to do that.

If you want to have a service which is user-configurable, create two separate programs (one service & one gui) and communicate via a named pipe.

This isn't a flaw in the win32 API. This is a flaw in some applications which run under windows.

Re:Don't Do That

What's really funny is that this is the best comment I've seen, and someone modded it "overrated".

Re:Don't Do That

[Rick+the+Red]

Exactly! You could write a similarly flawed Linux application that someone could exploit to gain root access.

Some Windows apps are not secure. News at /.

Re:Don't Do That

[rjh]

This isn't a flaw in the win32 API. This is a flaw in some applications which run under windows.

No to the former; yes to the latter. The reason why this is a critical flaw in the Win32 API is because it means that in order for code to be secure it is essential that every existing piece of software be carefully checked to make sure it separates interface from back-end.

If you're talking about a large enterprise installation with lots of closed-source apps and a vendor turnaround time on security issues which runs into the months--and there are a lot of them out there, make no bones about it--then your boxes are at critical risk. In that case, you're essentially guaranteed to have at least one app an attacker can root the box through. Sure, it may be the app's fault for not separating interface and back-end sanely, like most of us who give a damn about good engineering learned (sometimes the hard way)... but it's also the Win32 API's fault for not requiring separation of interface and back-end [*], it's the Win32 API's fault for being so shoddily designed that an attack like this becomes possible in the first place.

A good analog in the UNIX world is sprintf(), which has been responsible for more stack-smash attacks than probably any other thing. Even though we have snprintf(), most people don't know snprintf() exists or why it should be used. Like the Win32 window exploit, our sprintf() vulnerabilities will continue for as long as people write stupid code. Like the Win32 window exploit, we can't fix the problem by removing sprintf() [**]. All we can do is provide snprintf() and hope and pray that people use it.

sprintf() is a flaw in the UNIX/C API which has led and continues to lead to attacks against the system, facilitated by stupidly-designed software which uses the call even when snprintf() is available. sprintf() can't be removed without breaking literally thousands of stupidly-written apps which depend upon it.

This Win32 attack is a flaw in the Win32 API which has led and continues to lead to attacks against the system, facilitated by stupidly-designed software which doesn't separate interface and back-end. This Win32 attack can't be removed without breaking literally thousands of programs.

Hey, guess what, world? We've found Win32's version of sprintf(). Oh, happy day.

My condolences go out to any security engineers working in Win2K land. You guys have got your work cut out for you minimizing this exploit.

[*] Not that I have any idea how they could do this.
[**] sprintf() is defined in C89. Good luck getting rid of it.

Re:Don't Do That

[geekoid]

"you're not supposed to do that" is a poor security model.
its a fact that someone, many someones actually, will write poor code. It is a flaw in the OS that lets this happen.

Re:Don't Do That

> This "vulnerability" only effects poorly-written applications, running with system priviledges, which create windows in user-space. You're not supposed to do that.

You mean, like antivirus software?

Almost all programs on Windows have an integrated MVC design - I can't think of one that uses your (better) separated M/VC design. This is a flaw in more than "some" applications.

Re:Don't Do That

[Wakkow]

I'm not a 1337 coder and don't pretend to be one so please excuse my ignorance.. What exactly is the exploit with sprintf? I've never used it but now you've sparked my curiosity.

Anyone have any links or posts describing the issue would be appreciated.

Re:Don't Do That

[kawika]

its a fact that someone, many someones actually, will write poor code. It is a flaw in the OS that lets this happen.

The OS can protect against dumb coding by someone who writes apps with elevated privilege? You underestimate the cleverness of those dumb coders.

Re:Don't Do That

[Heffe+Llama]

Even if they are not supposed to do that, I suspect that this could even happen with the CTRL-ALT-DEL handler that Microsoft put in, write a program that sends CTRL-ALT-DEL, then wait a few seconds, get some window handles and then have fun.

Re:Don't Do That

[handorf]

How dare you have a reasonable opinion on slashdot! My army of trained flamemeisters has been dispatched to beat you about the head and neck with copies of "The Road Ahead"

Windows is insecure. Linux is insecure. PROGRAMS are insecure.

Re:Don't Do That

[ipjohnson]

sprintf(buffer1,"%s text string",buffer2);

If buffer2 is bigger than buffer1 you overflow the stack (part of buffer2 goes on to the processing stack). snprintf allows you to speccify the largest size that can be copied into buffer1. The problem is snprintf is not supplied by all or even most vendors (linux seems to be the exception).

Re:Don't Do That

[cpeterso]

sprintf() is defined in C89. Good luck getting rid of it.

Why not? GNU prides itself in being "not Unix" and has been known to write code with identifiers like POSIX_ME_HARDER. Why can't glibc help make the world a better place by dropping dangerous functions, such as gets(), sprintf(), strcpy(), strcat(), etc. Safer alternatives to these functions exist and their use should be forcefully encouraged.

If glibc does not want to break source compatibility so drastically, they could move the dangerous functions to a new header such as "bufferoverflow.h". Or require the user program to #define GNU_BUFFER_OVERFLOWS_PLEASE before including stdio.h.

Sure this makes porting to GNU slightly more difficult, but I think GNU can pull this off because they have enough clout with developers and no profit motive to worry about!

Re:Don't Do That

[donutello]

In fact the response from the MS guy in his article read:

It is the implementer of a program that decides what messages to handle
and how to handle them. This also means that an attacker needs to
figure out a way to use windows messages to actually get the application
to do anything useful to the attacker. Given this, I would recommend
that you contact the program's owner and let them know of your report.
There may or may not be a vulnerability for them to address, but the
program's owner should determine that.

But somehow, the author managed to read the paragraph before and after that while ignoring this. The bottomline is that it is up to the app author to react to messages and whether or not they do is a matter of design.

Re:Don't Do That

[kawika]

This Win32 attack can't be removed without breaking literally thousands of programs.

Please provide your list of thousands of Win32 apps that run as a privileged service and interact with the desktop. My guess is that the number is more like 10 than 1000.

I agree that Microsoft should emphasize the security risk of services that interact with the desktop. A good place to do that would be on the page that documents the use of interactive services. There's a short discussion near the bottom, but it focuses on getting privileges, not restricting them.

As far as docs go, Linux isn't setting a shining example. Here's the understated comment about sprintf tacked on at the end of the Linux man page:
Because sprintf and vsprintf assume an infinitely long string, callers must be careful not to overflow the actual space; this is often impossible to assure.

Re:Don't Do That

[zurab]

Couldn't agree more. As much as I don't like MS, they are _mostly_ right in this case. VirusScan (or any other service) needs to be installed with more privileges than a regular user (e.g. Guest) would have for one reason or another. It is also needed that Guest user be allowed to use the service.

Is there a better case for a client/server solution?

Microsoft has laid the ground rule and said the desktop is the security boundary. While you may not agree with it, this system is not inherently insecure. I found this paragraph from MS' response very clear and telling:

I've been talking with the technical folks about this and they are saying that we have, for a long time now, recommended against interactive services. We also advise that all windows are peers on the desktop, regardless of privilege level of the processes that own the windows--the desktop is the security boundary for windows messages.

VirusScan needs to be designed in such a way that will take Windows security model in the consideration. Again, you may not agree with the security model, but it is there in this case, and software providers need to be aware of it.

Re:Don't Do That

[mojumbo]

--- From the Paper ---
The simple fact is that Microsoft KNOW that they cannot fix these flaws. The mechanism used is the Win32 API, which has been fairly static since Windows NT 3.5 was released in July 1993. Microsoft cannot change it. The only way they could stop these attacks is to prevent applications from running on the desktop with privileges higher than those of the user logged on. Microsoft believe that the desktop is a security boundary, and that any window on it should be classed as untrusted. This is true, but only for Windows, and because of these flaws. Either way, Microsoft break their own rules; there's numerous windows on a standard desktop that run as localsystem. Use my shatter tool to verify this - there's a whole load of unnamed windows which might be running as Localsystem, and a few invisible windows (like the DDE server) that definitely are. Security boundary my arse.
------ (emphasis mine)

When ms quits writing desktop apps that are vulnerable, I guess everyone else will follow suit?

Re:Don't Do That

[_Sprocket_]

If I understand the issue... sprintf() has no sanity checking. So anything that uses it becomes a potential buffer overflow vulnerability. In fact, this article on buffer overflows and countermeasures mentions sprintf() and a few others (such as strcpy, strcat, gets) which are common sources of this kind of problem.

Re:Don't Do That

> Please provide your list of thousands of Win32
> apps that run as a privileged service and
> interact with the desktop.

No, fixing the attack would mean preventing programs from looking at windows of other users. This would most likely break a lot of software.

> My guess is that the number is more like 10
> than 1000.

Let's hope so.

Re:Don't Do That

[_Sprocket_]

You must LOVE the old joke:

patient: Doctor, it hurts when I do this.
doctor: Well then, don't do that!

Re:Don't Do That

[patbob]

Actually, you are supposed to do that, else Microsoft would not have opened that capability up in the first place.

Re:Don't Do That

// You're not supposed to do that.
//
// If you want to have a service which is
// user-configurable, create two separate programs

I wonder how many Windows services do what you are suggesting. Very few, I guess.

So, if you have a Windows machine running a few services, you are most likely to be vulnerable to privilege escalation. So, Windows privileges are useless.

(Unless, of course, most programmers didn't use the message passing because they knew it was so insecure...)

Re:Don't Do That

[Wakkow]

Makes sense.. I knew of the issues with strcpy and strcat beforehand from my intro C classes. It's great that they told us to use strcpy (and ignore warnings, etc) when everything else I've read says not to.

Re:Don't Do That

[ocie]

From the article:

Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it.

Re:Don't Do That

[_Sprocket_]

Wow! You're getting some great experience. You've learned how to do something, how experienced coders know how to do it better, and how much of the world views security issues as so much distraction that gets in the way of the real task at hand. ;)

Re:Don't Do That

[bwt]

sprintf() can't be removed without breaking literally thousands of stupidly-written apps which depend upon it.

Isn't this precisely the set of programs that need to be broken, so they don't allow root?

Re:Don't Do That

[ndecker]

Why can't glibc help make the world a better place by dropping dangerous functions

GCC could give some nice warnings when using these functions. This would not break things, but makes the point clear.

Re:Don't Do That

[ChrisPaget]

Actually, probably not - I researched this when writing Shatter. When you hit CTRL+ALT+DEL you actually switch desktops from the "Default" desktop to the "Winlogon" desktop. A program on one cannot interact with a program on another. There are functions to "open" a desktop and interact with it - however the Winlogon desktop is tightly restricted, and any attempts to open it are met with an Access Denied error.

Either way, there's numerous windows (normally hidden) on a standard desktop that run as localsystem - it's possible to exploit some of them using the same techniques.

Re:Don't Do That

[pclminion]

Why can't glibc help make the world a better place by dropping dangerous functions, such as gets()

Because that's ANSI/POSIX standard.

sprintf()

Because that's ANSI/ISO/C99 standard.

strcpy()

Because that's POSIX/ISO standard.

strcat()

Because that's POSIX/ISO standard.

Are you done ripping on GNU now?

Re:Don't Do That

[Shimmer]

Either way, there's numerous windows (normally hidden) on a standard desktop that run as localsystem - it's possible to exploit some of them using the same techniques.

Examples, please. Having a GUI that runs with elevated privileges like this is a very bad idea. I'm surprised that there's even one such commercial product, let alone many. I credit you with uncovering this shoddy application, but I still cling to the hope that it's unusual. Am I wrong?

-- Brian

Re:Don't Do That

There are, of course, many cases where sprintf, strcpy, etc... are perfectly safe. As long as you know that the size of the buffer allocated to receive the data is larger than (or the same size as) the buffer you're copying from.

So if you do some trivial sprintf like

char buf[64];
unsigned long val = 0xFFFFFF00;
sprintf( buf, "%lu", val );

you'll be fine. It's when you start doing silly stuff like taking user input and throwing it on a buffer, or using vsprintf in a var_args situation that you can run into problems.

The functions that don't check size will always be a bit faster than their brothers that do, and in the case of strcpy() over strncpy(), it can save you from missing a NULL terminator.

I can see why somebody teaching an _introductory_ C class would leave this kind of stuff out though, explaining to people w/ no C experience how using unchecked copies can lead to overflow's and thereby security issues could be more of a hassle than it's worth. If they're still teaching you not to check return values and string sizes in a more advanced course, leave :)

Re:Don't Do That

Privledge escalation isn't a vulnrability?

Re:Don't Do That

[Builder]

Stupid question - how the hell are you supposed to do anything if you can't talk to the user ?

You're an AV application. You are running as system because you have to work with the registry and do other things. You see an incoming virus. You're not allowed to create windows, so how do you alert the user to the virus?

Only way I can see is to fork a child process with lower privileges. The downside to this though is that you lose all the advantages of threading...

Re:Don't Do That

[jdh28]

I believe that gcc already warns about gets.

john

Re:Don't Do That

[DunbarTheInept]

The following code has zero chance of having a buffer overflow, yet you want to have me replace it with an ugly mess of seperate calls because sprintf can be abused by ignorant coders:

char strVal[120];
int val1;
.../*then, further down somewhere*/...
sprintf( strVal, "val is: %d (decimal), %x (hex), %o (octal)", val1, val1, val1 );
There's no way for that to overflow the allotted 120 chars. No way at all. Yet you would take that away. Why?

If it is your goal to prevent all possible programmer mistakes then just delete the compiler from the system. It's a quicker means to the same ends.

Re:Don't Do That

[poot_rootbeer]

Who is this GNU you speak of? Where are there offices located?

Re:Don't Do That

[greed]

What size is an int? In my life I've been on machines where it's 8, 16, 32 and 64 bits. What will it be in the future?

Re:Don't Do That

[bnenning]

There's no way for that to overflow the allotted 120 chars. No way at all.

Sure about that? What if it runs on a system where an int is 128 bits? If your answer is "that will never happen", consider that that same logic led to billions of dollars spent fixing Y2K bugs.

yet you want to have me replace it with an ugly mess of seperate calls

snprintf(strVal, 120, "val is: %d (decimal), %x (hex), %o (octal)", val1, val1, val1 );

Re:Don't Do That

He can't reply to you as he doesn't know what he's talking about.

Honestly.

Re:Don't Do That

[kabloie]

"If glibc does not want to break source compatibility so drastically, they could move the dangerous functions to a new header such as "bufferoverflow.h"."

Excellent idea! Should push the shame a little harder.

codewillexplode.h
willget0wn3d.h
dontincludeth eseheaders.h

"Esskuze me Mr. Coder, I see that you provided us this nice new code, but why does it include bigbrownorifice.h?"

Re:Don't Do That

[jormurgandr]

use a pipe. Oh wait, thats only available in linux...

Re:Don't Do That

Well, GNU is an (incomplete) operating system, but it's owned by the Free Software Foundation, whose address is:

Free Software Foundation
59 Temple Place - Suite 330
Boston, MA 02111-1307, USA

Any other questions?

Re:Don't Do That

[cperciva]

use a pipe. Oh wait, thats only available in linux...

Err, pipes have been in Windows since NT 3.1, in August '93.

Re:Don't Do That

this is SLASHDOT - and you don't know what GNU IS?? what about linux? do you know what that is? why do you think it's called GNU/Linux? Do you know what open source is? did you know it's an offshoot of the definition of free software, coined by Richard M. Stallman who runs the Free Software Foundation and the GNU project? where do you think GCC came from?

my goodness.

Re:Don't Do That

[jelle]

As is indicated at the end of the article, a Linux application running with system priveleges can create windows anywhere with no implications for security. Creating X11 windows does not give any other process any execution rights, but with Win32 and this shatter program it does.

Re:Don't Do That

[shird]

Along with what Chris said, its also not possible to send 'CTRL-ALT-DEL', something to do with it being a hardware interrupt or something, and can't be forged. Actually, it can't be trapped, but it probably can't be forged either. But I guess you could always poll for the window and wait for the user to hit the sequence. But apparently this isn't possible anyway :).

Re:Don't Do That

[cant_get_a_good_nick]

Do a google lookup on "sprintf exploit" and you'll get a host of vulnerabilities. It's basically a stack smash.

Local variables are on the stack. Say you have some command, and it takes some input from a user, say a command line arg, environment variable, or from a file. In C, all local variables are on the stack. Say you want to sprintf that arg to a buffer on the stack, but assumes a size and never checks it. Then that data will overwrite the return value on the stack. When that function returns, it will not go to the old return address, but some other address that was in the buffer that sprintf wrote too. If you do this right, that return address will go to exploit code.

It's no more exploitable on UNIX than anything else, it's just what can you do with it? If the app taking the input is running as root then you can get root privileges.

Re:Don't Do That

[mkldev]

int barfunc(char *string)
{
char foo[120];
char foofoo[239];

if (strlen(string) >119) return -1;
sprintf(foo, "%s", string);
strcpy(foofoo, string);
strcat(fooofoo, string);

return 0;
}

The point is that it is possible in many cases to do reasonable bounds checking on your own. To restrict use of common facilities because somebody -might- misuse them is just wrong. I believe in letting people shoot themselves in the foot so that they'll learn to make sure the gun isn't loaded the next time.

Re:Don't Do That

No, under win32 and Dos, the command just saves the output of a program to a file and then loads it back up again to the other app. Any unix programmer switching to Dos has noticed that disk space radically vanishes when using lots of pipes with large data sets. Hmm Wonder why.

Re:Don't Do That

[pqbon]

You actually can forge it if you can talk to the HW... You just need to put the charecters in the keyboard fifo...

Re:Don't Do That

[Tyreth]

I've never heard of sprintf() being insecure. If it is so dangerous why isn't there a warning in the man file recommending the use of snprintf()? That way at least people have a chance of seeing that it is insecure.

Re:Don't Do That

[shird]

The theory is a simple userspace program can't do that. It can generate key sequences etc, but not the actual hardware interrupt caused by the keyboard when that sequence is pressed. If you can access the keyboard HW programmatically, you most likely have more than 'guest' (or any other normal account) access to that machine. Of course, because your trying to trigger it rather than trap it, if you have access to the machine you can just press the keys yourself.

Re:Don't Do That

Nothing wrong with sprintf. You don't need sprintf to attack the stack. Just take the address of a stack variable and index or incremenet from there. You are whereever you want to be on the stack.

C wasn't designed to prevent a programmer from hanging himself. It's UNIX that was designed a machine from dying due to poorly behaving programs.

Not the case here with Win32 is the reports are to be beleived because the API can leak root privileges into a user program. Breaking credentials is a bug/poorly designed interface period.

Re:Don't Do That

Where Linux is rootable is very easily fixed. This flaw is all but unfixable with out a total redesign.

Re:Don't Do That

> Exactly! You could write a similarly flawed Linux application that someone could exploit to gain root access.

? I'm confused; please describe how can I write a Linux app so that while running it as an ordinary, nonpriviliged user, I can gain root access by sending carefully-crafted X Window messages to its GUI?..

Re:Don't Do That

I have had a computer for 12 years that I has never and will never be hacked or compromised. It hasn't had a hard drive or power supply for almost 10 years but still....

Re:Don't Do That

your an idiot. what part of its not a win32 api problem do you not undertsand? not only that but this so called exploit has been known for a long time. you have discovered nothing new but decided to write a paper on it? what a joke. i think i will now write a paper on codered and release codeblue. i guess you just wanted linked by /.?

Re:Don't Do That

[DunbarTheInept]

snprintf() isn't standard. I can't trust that it exists in any randomly chosen C environment. So you replace a theoretical future problem (128 bit ints) with a real existing problem today that renders the program uncompilable.) If that is a concern, use format-width specifiers for the values in the string, which is something that exists for both sprintf and snprintf. Truncating the string to 120 chars doesn't actually produce a usable result (it cuts off the last part of the string) if you are working with numbers large enough to need it.

So introducing snprintf doesn't fix a damn thing. It just destroys portability.

Re:Don't Do That

[DunbarTheInept]

if there is a real possibility of overflowing the 120 chars, then snprintf still isn't really a solution. It just prevents overflowed buffers, while letting the program happily continue under the delusion that it got the right result in the string.
If there really is a chance of overflow, then the length of the buffer has to be calculated and malloc'ed anyway for a correct result, whether dealing with sprintf of snprintf.

Re:Don't Do That

[pdion]

Well, with VNC you can send CTRL-ALT-DEL from a remote machine and use it to bring up login screens so in theory it should be possible. I've tested it only in Windows NT 4.0 Server but in theory it should work in Win2K.

Re:Don't Do That

[a_n_d_e_r_s]

From my manpage:

BUGS
Because sprintf and vsprintf assume an arbitrarily long string, callers must
be careful not to overflow the actual space; this is often impossible to
assure. Note that the length of the strings produced is locale-dependent and
difficult to predict. Use snprintf and vsnprintf instead (or asprintf and
vasprintf).

So yes people are warned about it.

Personnally I prefer Java.

Re:Don't Do That

[mabinogi]

from MSDN:

Named Pipes

A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. All instances of a named pipe share the same pipe name, but each instance has its own buffers and handles, and provides a separate conduit for client-server communication. The use of instances enables multiple pipe clients to use the same named pipe simultaneously.

Any process can access named pipes, subject to security checks, making named pipes an easy form of communication between related or unrelated processes. Named pipes can be used to provide communication between processes on the same computer or between processes on different computers across a network.

Any process can act as both a server and a client, making peer-to-peer communication possible. As used here, the term pipe server refers to a process that creates a named pipe, and the term pipe client refers to a process that connects to an instance of a named pipe.

Re:Don't Do That

[Gossy]

It certainly does work on Win2K, there are loads of programs that'll let you send CTRL-ALT-DEL from another PC.

VNC,PCanwyhere...sub7..

Re:Don't Do That

[mabinogi]

>use a pipe. Oh wait, thats only available in linux...

or Solaris, or BSD, or Tru64, or AIX, or any other operating system that implements popen().

And Windows NT based operating systems have a related technology called Named Pipes, which work a bit more like local sockets, but can still be used to achieve the same goal.

Re:Don't Do That

[Tyreth]

Oops, my mistake sorry :) I had a quick look through, missed that bit.

Thanks.

Re:Don't Do That

[plaa]

Why not? GNU prides itself in being "not Unix" and has been known to write code with identifiers like POSIX_ME_HARDER. Why can't glibc help make the world a better place by dropping dangerous functions, such as gets(), sprintf(), strcpy(), strcat(), etc. Safer alternatives to these functions exist and their use should be forcefully encouraged.

Actually, they warn about it for some functions. When compiling the following code:

#include &lt;stdio.h&gt;
int main(void) {
char buf[1000];
gets(buf);
printf("String:%s\n",buf);
return 0;
}

you get the warning

/tmp/cceHZ8M1.o: In function `main':
/tmp/cceHZ8M1.o(.text+0x14): the `gets' function is dangerous and should not be used.

even without the -Wall flag. It compiles, so it doesn't break anything, but warns that you're doing something stupid.

I guess the reason this isn't done for sprintf is that you can use that safely, as long as you make sure the buffer is long enough not to be able to overflow. gets() on the other hand is always dangerous.

I'm not sure whether there is any option to make it warn about sprintf also, but it would be simple to make a header that makes it impossible to use such functions. Of course, the coder must include that header/option to use the protection.

Re:Don't Do That

[Old+Wolf]

Well, some functions don't provide sanity checking and some do. The advantage of C is that you can select a function that runs as fast as possible (and isn't slowed down by bounds checks).

If you program in C then you MUST understand exactly what the upshot of each of your statements will be, otherwise you are liable to write insecure code.

sprintf() and strcpy() are useful sometimes, for example:

char buf1[16]; char buf2[16];
buf2[sizeof(buf2)-1] = '\0';
strcpy(buf1, buf2); /* or: sprintf(buf1, "%s", buf2); */

is perfectly safe. No possibility of error. It will run faster than if the third line were

strncpy(buf1, buf2, sizeof(buf1));

and much much faster than

snprintf(buf1, sizeof(buf1), "%s", buf2);

On the other hand, gets() has no possible secure usage that I can think of. Nevertheless it can be useful in learning C (if only as a way of introducing the topic of buffer overflows!)

Re:Don't Do That

You are such an idiot it is painful just to read your comment.

Re:Don't Do That

[dannannan]

The reason why this is a critical flaw in the Win32 API is because it means that in order for code to be secure it is essential that every existing piece of software be carefully checked to make sure it separates interface from back-end.

Nonsense. This is an elevation of privilege issue that can only occur when privileged code shares the same desktop as unprivileged code.

• If you're not writing service code, you're fine. No elevation of privilege risk. The majority of applications are unaffected.
• If you've written service code, don't set the SERVICE_INTERACTIVE_PROCESS flag when you call CreateService in your installer. The only actual review of your service code is a grep to make sure no one's calling SetProcessWindowStation and SetThreadDesktop in combination to sabotage your security. Hopefully your code doesn't need to call these at all!

D

Re:Don't Do That

explain yourself i expect a reason

Re:Don't Do That

[phavens]

> Windows is insecure. Linux is insecure. PROGRAMS are insecure.

It won't matter that there is a "sandbox" or system running "security bot" or any other piece of code that double checks (and slows down) processes. If the API's allow open communication between each other (And they have to) then there will be exploits. The difference between M$ and Open Source ways of securing it is that M$ and their cronies either ignore it or threaten to sue it away, while Open Source has enough people digging around that if an expoit appears (sometimes in a different program) it get's looke for quicker and sometimes a patch is out within hours. I've NEVER seen M$ do that. How many times have we seen variations on the same exploit "cropping up" in various M$ products and it seem as though they just fixed IE when it "shows up" in Windows Media.

HINT M$ if you code one way in one program, you probably code the same way in another program. Buffer Over runs can be trapped and blocked, and yetthey still show up. Linux has had the same show up, so it's not perfect... just fixed faster.

I've never see a system that didn't have expoits. And I've never seen a box that couldn't be "locked down" (even windows). The difference though is that with Linux it's possible to still be usable and be locked down. Not so with Windows.

Re:Don't Do That

[gorf]

...numerous windows...run as localsystem...

Of which software? Something that comes with Windows, other Microsoft software or third parties?

I haven't seen this mentioned anywhere. Yes, it's a serious bug in Windows because it lets you do that. But if Microsoft are doing it themselves then they can hardly yell vendor-issue, so if this is the case then it's far easier to claim that it's a serious Windows bug.

Re:Don't Do That

[phavens]

Another proof of it... Flaw opens door in Windows, Mac, Linux

The MIT Kerberos development team issued a warning and patch on its Web site.

Apple Computer confirmed that its Mac OS X operating system contains the vulnerability, which has been fixed through a recent security advisory, available through the software's automatic update mechanism.

Several sellers of Unix and Unix-like operating systems, including Red Hat, Debian, FreeBSD, Sun and NetBSD, said that their software was affected by the issue, and issued fixes. HP said it was investigating the bug's impact.

Microsoft said it is still investigating how Windows is affected by the problem.

The relevant patches are available from the companies' Web sites, or through the CERT advisory on its Web site.

EVERY Operating System will have exploits. It's all a matter on how it's addressed. M$ Still hasn't learned to patch & go. I use Win 98se, NT4, 2000, & XP (plus Mandrake 8 and SuSE 8) on a daily Basis. And the reboot on every other update (XP has gotten better but I love Linuxes ability to kill a service and restart a service without a reboot).

Re:Don't Do That

[cpeterso]

The gist of my rant was that GNU glibc should not worry about maintaining compatibility with DANGEROUS and BROKEN "standards". They can do better than the standards!

What about *other* resources?

[Tablizer]

GUI Windows are only part of the problem. Ideally, one should be able to limit the sections of disk and RAM that are used, and also how much disk and RAM are used.

Why fuss about just the GUI? There is more to applications and security than GUI's.

(It would be easier to clean off old apps if we could limit their installation range.)

Re:What about *other* resources?

[DunbarTheInept]

The fuss of the GUI is because the default handlers for the GUI WM_TIMER messages is exploitable. Using it one can cause the process attached to that GUI context to jump to any arbitrary instruction in its code. This bug occurs whenever a program has any GUI of any kind and doesn't override the default exploitable behaviour of this type of message that is *built in to Windows*. It's one thing to blame the app when the app added code that caused an exploit. It's something else entirely to blame the app when the app didn't add code to override the exploit in the default system it runs on top of.

Re:What about *other* resources?

[MadAhab]

Not a windoze programmer, eh? Windows and messages are central to the programming model. The number of exploitable progams is going to be either a) only insecurely written programs or b) at least one program on every computer or c) this guy really doesn't quite get it and is hyping something that's not commonly exploitable. I don't understand the attack well enough (yet) to know if it's c) or not, but i do know that there's no pragmatic difference between a) and b).

No kidding

With the gettext, sendmessage, memory and various other api calls you can do just about anything to other programs.

Then if you care to fire up your favorite hex editor...

Java?

i looked at the paper and i couldn't figure out what the opportunity for remote exploit is... can it be done from java? .NET? jscript? other network software?

Could be useful for the EverQuest-autobot crowd...

Seems like it could be useful for the autobot gaming crowd... EverQuest is certainly simple enough to automate...

Citrix?

[Ark42]

Does this effect Citrix? ...

Re:Citrix?

Yes. Here is a quote directly from the article...

Even worse is the case of Terminal Services (or Citrix). Imagine a company providing terminal service functionality to their clients, for whatever purpose. That company is NOT going to give their users any real privileges. Shatter attacks will allow those users to completely take over that server; localsystem privileges are higher than the Administrator, and on a shared server that's a problem. Oh, and it doesn't require console access either - I've successfully executed these attacks against a Terminal Server a hundred miles away.

Re:Citrix?

[Ark42]

Mod this AC up for lazy bums like me who didnt read the article yet. (I will read it later when I have time, tonight..)

Re:Citrix?

I very much doubt it, but it might *affect* Citrix.

Re:Citrix?

[des09]

the article implies that the 'sploit works theoretically under citrix, and has been tested under terminal services.

Re:here we go

[turbine216]

The END of WINDOWS? Christ, could you pack just a little more apocalyptic FUD into that statement?

This "exploit" is hardly even an exploit - it requires the ability to run arbitrary code. And if just anybody can acquire the ability to run arbitrary code, then i would say the problem runs a bit deeper than msgsvr32.dll.

Here's something to chew on, zealot: use this exploit on my win2k server. I dare you. What? You can't get in? Oh, you mean the BASIC SECURITY FEATURES BUILT INTO THE OPERATING SYSTEM HAVE THWARTED THIS EXPLOIT BEFORE IT COULD EVEN GET OFF THE GROUND? That's what I thought.

Christ, your drivel is actually making me sick. Do you actually believe what you just wrote?

Evolving Concepts at Microsoft are Frightening

[guttentag]

We're doing this thing called "Trustworthy Computing." It's an evolving concept.

It starts out meaning "We are worthy of your trust."

Then it evolves to mean "You trust us."

Then it evolves to mean "You trust only us."

Then it evolves to mean "All your base are belong to us."

Re:Evolving Concepts at Microsoft are Frightening

[rseuhs]

Actually, the most important part of Microsoft-trustworthy computing is:

"We don't trust you."

Re:here we go

[joshsisk]

I'll bet you $100 that this is not the "end of Windows". Seriously.

I'd be happy to lose this bet... But I doubt I will.

Re:here we go

[laserjet]

Does your mouth hurt? You just got trolled.

You must be incompetent.

I'm sorry, nothing personal here. But 26 reboots? I know serious Linux users here can't take you too seriously but I also know there are some young impressionable minds here.
Here is some advice kids: When you come across any computer "expert" who has a computer they have to reboot 26 times in a day. Run!!!
And here is a real-life experience from someone (me) who makes his living developing on Windows:
I've used Win2k Pro since the day I bought it over 2 years ago. I've rebooted because of a crash or a freeze maybe 10 or 12 times in that time frame. I've had to reinstall the system once. I can say with some confidence that 99% of my reboots are caused by badly designed third party drivers.

Re:9/11 related Easter Egg on orbitz.com

hmm. where? i don't see it.

Re:here we go

[Helter]

Windows 98 allowed any user with console access to operate as root for years... Now you think an obscure exploit that has been around for over 10 years is going to cause the downfall of windows?

Excuse my extreme skepticism.

Re:here we go

[Rick+the+Red]

Even if M$ could take all of its employees off the Office, X-Box, and every other project, and put them to work on a new OS, it would be months before it could be released, and more months before there were any applications for it.

Microsoft isn't stupid. Even they know the best way to kill a project is to put too many people on it. The solution to your supposed problem (it's not as bad as everyone here hopes, and does not require Microsoft to write a new OS from scratch) would be to put together a cross-functional team to develop a new OS architecture, then spec the new APIs for that new OS. Then you bring in the Office guys, and have them write a version of Office for the new APIs, while you have the Windows guys (or whoever) write the new OS. But it'll never happen, because there's no need to do it.

It's not even this hard

[leshert]

If you have physical access to the box, there are n ways to get your code executed in a Windows app. WM_TIMER (the callback version) is one, as are window hooking, CBT hooks (computer-based-training, although I've never seen it used for this purpose) forcible DLL loading (if you have access to the Registry), debug process attachment, CreateRemoteThread, thunking well-known DLLs (which is why Red Alert 1 won't play on Win2K without a patch--they can't thunk kernel32), etc., etc., etc.

Windows programmers have been using these methods for non-evil reasons for many years--the "3D look" of MS Office apps before Windows 95 was done this way.

The insecurity of the desktop model for Windows shouldn't surprise anyone. It wasn't designed to be secure OR multi-user, and patching after the fact doesn't make it so. It's comparable to complaining that telnet and ftp send passwords in clear text. Well, no kidding, they weren't designed to be secure, so they're not.

And like the case of telnet, making a secure but still 100% backwards compatible solution is pretty much impossible, as the article states.

Re:It's not even this hard

[herwin]

Hmm... WinNT was supposedly C2 when running on a special hardware configuration that blocked the usual vulnerabilities. Of course, it was supposed to be isolated from network access, but that allowed it to be used by J Random Luser without the crown jewels being vulnerable to an exploit. Looks like it might not have been that good.

How does the new Mac look?

Re:It's not even this hard

WinNT was supposedly C2 when running on a special hardware configuration that blocked the usual vulnerabilities

Yeah. No network. No keyboard. No mouse. No monitor. Turned off.

You can set up a totally secure W2K box

Re:It's not even this hard

[NanoGator]

"The insecurity of the desktop model for Windows shouldn't surprise anyone. It wasn't designed to be secure OR multi-user, and patching after the fact doesn't make it so. It's comparable to complaining that telnet and ftp send passwords in clear text."

Oh I agree. I don't think fixing this would provide much 'security' anyway. The main reason that Windows gets beat up by trojans is not so much flaws in the system, but clever ways of executing features in malicious ways. The problem is never ending. The more features you add to any product (not just computers), the more ways you have of exploiting them in a negative way.

Look at Slashdot. Lots of steps (such as filtering the HTML...) are taken to keep trolling to a minimum. But, they still get through. As a matter of fact, somebody recently posted the Goatse pic in ascii. Heh.

The best approach you can take towards 'security' is to make the worst case scenario cause minimal damage. That's essentially what Slashdot has done with the karma system. People are always going to come up with amusing ways to use /. in a way that they shouldn't, but at least moderations help keep the noise level down and filterable. Frankly, I think this is a much better approach than trying to 'secure' Slashdot by trying to write an 'ascii-art detection algorithm'. (That's just an example, don't beat me up over it.)

In an ideal world posting a rule saying 'Dont post notti pictures' would be the end of it. In the real world, people think the problem should be solved by making the system incapable of displaying notti pictures. The best thing to do is to make the display of 'notti' pictures as unthreatening as possible.

Re:It's not even this hard

[Nynaeve]

CBT hooks are extremely useful. For those who may be interested, here is some example code

Re:here we go

Did you even read the article? It's only a threat if the user a. either runs a program that comprimises root security, or b. someone is physically at the computer using guest privaleges to get to root.

How many normal families have secretive and technically savey hacker hanging around their homes, waiting for the opportunity to take over their home XP system. Give me a break.

You know who this effects? Practically no one, or maybe the stupid. Worst case scenario is that government computers are at risk, but only if the hacker is physically present to take over.

"Most of the Windows base will have been compromised"? By who? Someone breaking into people's homes, door to door, to gain root access to their home computers! Oh no, the humanity!

And finally "Welcome to the world without Windows" has to be the most karma-whoring, better-than-thou comment I have ever read.

Windows isn't really a multiuser OS

[adam_megacz]

Awesome exploit, props to Foon.

I think that the larger picture here is simply that Windows (even NT derivitaves) isn't really a multiuser OS. The kernel is technically multiuser-capable, but just about every other part of the OS has been designed by lazy programmers with the assumption that there is only one user on the system, and Microsoft isn't interested/able to go through the effort to remove that assumption.

The lack of ubiquitous remote shell / remote gui on Win32 is the main reason that this assumption has gone unchallenged for so long. Unix ships with the ability to have multiple users simultaneously logged in remotely by default, which is why it's been so well tested for stuff like this.

Re:Windows isn't really a multiuser OS

Windows can do this. It's called Terminal Services for NT Server.

Re:here we go

I can see the idiot lobby is well funded.

Yes, but who's fault is it? Not MS'!

[Otis_INF]

When I put a service on Win2k, running under 'System' and that service listens to a port and executes all the crap that is posted to that port, is it MS' fault? No. It's the fault of the developer of the service.

Now, under win32, the application you start, runs under the user you log in with. The virusscanner window in the example, SHOULD run under the user that is logged in, but instead, it's a GUI created from the service, running under 'System'.

Bad programming. Not from Microsoft, but from the Virusscanner developer. They should have created, AS stated by MS, a GUI less service (the virusscanner engine) and a GUI application which talks to that service via a named pipe or any other process communication mechanism. That GUI should then be started by the logged in user (since that user sees the gui and works with it), so there wouldn't have been ANY flaw like this, since the GUI isn't ran under 'System', but under the user who's logged in, in the example the 'guest' account.

It sounds serious, it's absolutely nothing.

Oh, and it takes a local user to exploit it. Get a huge hammer and give it to the local user. Ask that user to smash the computer. There ya go, a DoD attack which isn't fixable, you can get that attack-script at any hardwarestore.

Re:Yes, but who's fault is it? Not MS'!

[MORTAR_COMBAT!]

you're trying to say that a normal user can't bring up any MS-owned windows that run as system? you've gone through every app that MS ships, and all the dialog boxes, and none of them run as system?

Re:Yes, but who's fault is it? Not MS'!

[jasen666]

Log onto your w2k box as "guest". Open the "computer management" window. Go down to users and attempt to add a new one. The dialog opens up. Yes, even guests can at least open the dialog. This dialog runs as system. I can use this exploit now. Thank you.

Re:Yes, but who's fault is it? Not MS'!

Yep. That's what's being said.

It's actually not the giant task you make it out to be. Very few programs run with elevated priviledges so you can immediately discard all the ones that don't. Then, you see if any of the programs with elevated priviledges accepts UI messages. Since this is done in a standardized way, it's pretty easy to check.

This is a vulnerability that's been known for years so everything that people use has been looked over.

Re:Yes, but who's fault is it? Not MS'!

[IWasNotMe]

I'm not sure how you determined this, but on my computer the "New User" window on my system is put up by mmc.exe, which is being run by me.

I verified this using Spy++ (from Visual C++) and Proccess Explorer (www.sysinternals.com).

Re:Yes, but who's fault is it? Not MS'!

[Doomdark]

that service listens to a port and executes all the crap that is posted to that port, is it MS' fault?

One more commenter who didn't even read the article aren't you? The exploit doesn't require app to blindly trust the user. App unfortunately does trust Windows API not to do stupid stunts like allowing certain messages (that may or may not originate from another app -- there's no way to tell either way!) to get to execute stuff without app having a clue as to what hit it. It's like opening a socket for doing basic network communication and Windows API allowing certain pre-determined 'helper' messages to be handled by OS before your app has any say to handling.

You are of course right about UI separation part -- as long as Microsoft really has made it totally clear that's what has to be done, for the security reasons article explains.

And as to needing a local user... yes. It's not a perfect remote hack. But that hardly invalidates the claim this is a serious issue, esp. for certain applications.

Re:Yes, but who's fault is it? Not MS'!

You're talking out your ass. When you open Computer Management, the process (mmc.exe) is run as the user not system.

Re:Yes, but who's fault is it? Not MS'!

[DevNull+Ogre]

Did you read the whitepaper? He explicitly states that the default Windows desktop includes windows with elevated privs. Microsoft stumbles over this too.

Re:Yes, but who's fault is it? Not MS'!

[rseuhs]

Everytime some issue surfaces on Windows, numerous MSFT-shareholders ^W -supporters come out of the woodwork and scream "It's not MSFT's fault! It's not MSFT's fault!"

First, why should *anybody* care whose fault it is? This reminds me of the Code-Red fiasco. The Windows-shills are not interested in solutions, the only thing they are interested in is that their sacred, worshipped Microsoft is not blamed. (Pretty good illustrated by the "smash computer with huge hammer" - exploit.)

Second, if Win32 is the only affected platform, maybe, just maybe it's MSFT's fault after all. But (see above) it's irrelevant whose fault it is. It's obviously a Win32 problem and a very good reason not to run a Win32-platform, no matter if Microsoft, evil hackers, CowboyNeal or the bad weather is to be blamed.

Re:Yes, but who's fault is it? Not MS'!

[t0ny]

Your asking him to prove a negative, which is logically impossible. If you want to prove your point (ie. that this exploit can take over an MS app), then you need to get your head out of the slashdot forums and dig up proof. Its pretty lazy to ask him to do your work for you.

Re:Yes, but who's fault is it? Not MS'!

[t0ny]

Not only that, but "Guest" is disabled by default. Smells like teen troll.

Re:Yes, but who's fault is it? Not MS'!

[t0ny]

So if someone figures out a major Linux exploit (which is about as likely as a MS exploit, contrary to the propaganda machine around here), then its Linus's fault? In this case, the guy is specifically taking advantage of sloppily coded third party apps. MS doesnt make a dime off someone buying MacAffee Virusscan 4.5.1 (the example cited in the article). So how is this possibly a MS problem? Tow tow tow that linux party line...

Re:Yes, but who's fault is it? Not MS'!

First, why should *anybody* care whose fault it is? This reminds me of the Code-Red fiasco. The Windows-shills are not interested in solutions, the only thing they are interested in is that their sacred, worshipped Microsoft is not blamed. (Pretty good illustrated by the "smash computer with huge hammer" - exploit.)

No, we're interested in blaming the right person so that the problem is fixed correctly. To use your Code Red example, if Microsoft releases a fix and nobody installs it, who is to blame when a malicious worm wreaks havoc? Granted, the vulnerability shouldn't have been there to begin with. But you can't blame MS when the shitty admins are really at fault for not installing the patch. That's not shilling for MS. It's just goddamned common sense.

Second, if Win32 is the only affected platform, maybe, just maybe it's MSFT's fault after all. But (see above) it's irrelevant whose fault it is. It's obviously a Win32 problem and a very good reason not to run a Win32-platform, no matter if Microsoft, evil hackers, CowboyNeal or the bad weather is to be blamed.

First, how do we know it's just a Windows problem? What about MacOS? How does it work in this respect (seriously)? Given that MacOS was left out completely even though it is probably on more client desktops than any X Windowing based system suggests that this is not a helpful warning but just another "Windows bad, Linux good" propaganda piece disguised as such. Second, even if it is a problem that only affects Windows, it still isn't a good reason not to run Windows. The examples that the author uses require more knowledge and computer competence than the average user has. The type of person that would have the required competence is either working in the company's IT department and already has elevated privileges, or is some complete stranger who would have to gain access to company facilities and an active account before he could attempt this. Not impossible, but highly unlikely.

I actually agree with your main point about not worrying about fault and just fixing the problem. Maybe you should have stuck with it instead of launching into an anti-MS diatribe.

Re:Yes, but who's fault is it? Not MS'!

[Jerry]

it sounds serious, it's absolutely nothing.

Which is exactly why MS boxes get hammered over and over and over, or they act as platforms for DoS attacks over and over and over.

It's not the drunk's fault, someone keeps putting curves in the road.

Re:Yes, but who's fault is it? Not MS'!

numerous MSFT-shareholders ^W -supporters come out of the woodwork and scream "It's not MSFT's fault! It's not MSFT's fault!

Yet, even a cursory count of OS and application bugs & security holes and bandwidth threatening exploits shows the problems focus almost entirely on WinXX and MS apps. But, the microsurfties continue to pray toward Redmond and send their tithes, which has increased significantly since License 6.

Re:Yes, but who's fault is it? Not MS'!

[Jerry]

So if someone figures out a major Linux exploit (which is about as likely as a MS exploit, contrary to the propaganda machine around here),...

Actually, on a pro-rated basis (exploits vs platform count), MS exploits occur at a rate 9 times more frequently than Linux exploits. Linux exploits make news because of their relative rarity. Remember the 'cross platform' jpg bug that was supposed to be a big threat to Linux? That was laughable, but it made news (or was hyped by anti-virus companies) because of the possibility that it would infect a Linux platform. Put another way, Linux infections would have to occure nine times more frequently than to do to reach the same relative level of infections achieved by WinXX platforms.

Re:Yes, but who's fault is it? Not MS'!

I've often wondered why someone who is so in love with Windows would spend all their time astroturfing an OpenSource/GPL watering hole?

I've concluded that those who do so are in a debate with themselves trying to talk themselves out of switching to Linux. The longer you continue to vist and astroturf the more likely you will loose the debate.

Re:Yes, but who's fault is it? Not MS'!

The virus scaners, sql server, iis, etc. all run the same way. Unsecured and as a source of openings. The other companies who make these fine MS product were taught by MS how to do this. You mention that it is nothing serious. There is the difference between a MSers vs. a true production person (read as mainframe, supercomputer,Unix, BSD/Mac, and Linux). In the other world, upgradeing of privaleges is either impossible or near impossible, by design.

Re:Yes, but who's fault is it? Not MS'!

[Tony-A]

So if someone figures out a major Linux exploit (which is about as likely as a MS exploit
Actually minor Linux exploits seem to be less likely than major Microsoft Windows exploits. Or maybe the Linux exploits seem to fizzle out and accomplish little or nothing.
Party line on /. "He don't know us do he?"
In this case, the guy is specifically taking advantage of sloppily coded third party apps.
Remove the sloppily coded third pary apps, and what is left?

Re:Yes, but who's fault is it? Not MS'!

[Tony-A]

But you can't blame MS when the shitty admins are really at fault for not installing the patch.
Oh, but I can and do blame Microsoft.
It took three days after the outbread for a search for CODE RED to return any results from microsoft.com. If Microsoft were minimally concerned about security, results would have shown up much more quickly.
I can, from my Microsoft Windows NT workstation, download the current RedHat fixes. From priority.redhat.com if I'm interested enough to login, or from redhat, or from the mirrors. These all tend to be rather informative as to just what is in the fixes, so I can make informed decisions as to what to download and what to install. I haven't tried the other way round, but I'd be rather surprised if it would work.
Personal Web Server is hardly advertised as requiring skilled administrators to install, set-up and maintain.

Re:Yes, but who's fault is it? Not MS'!

[cookd]

Nah. I hang out here because I like the nifty green color.

Actually, I get halfway decent news summaries as well as some entertaining comments. I also like to fill in missing points in the conversation -- make myself heard if somebody says something that is factually wrong, or misses a detail or idea that I consider important. And once in a blue moon, there is some reasonable Microsoft bashing, and I find it worthwhile to find out about (and comment on) things that Microsoft isn't doing well.

But far more often, there is unreasonable knee-jerk Microsoft bashing. It isn't well thought out, it ignores important facts, and it sounds like meaningless propaganda to me. (Microsoft does the propaganda stuff too, in the other direction.) When I see uninformed arguments, I want to tell people to save it for a more significant problem. If the Linux community is constantly yelling about Microsoft this and Microsoft that, and if they are picking at nits 95% of the time, nobody will pay attention during the 5% of the time there is actually something worthwhile to say. You get tuned out. You sound like idiots to people who actually know what is going on. And those are the ones that you really need in your camp if Linux is going to go anywhere.

So I like to make comments in Microsoft's favor when the Slashdot crowd runs wildly off a cliff (IMHO). I'll make my voice heard, if possible, when I see a prejudiced viewpoint on Slashdot. Likewise, when (not if) Microsoft makes legitimately stupid mistakes, I'll post something if I see something else that needs to be said.

If you really want a one-sided forum, I suppose all us "Microsoft Lovers" could leave. But forums with only one side represented don't go anywhere.

Re:Yes, but who's fault is it? Not MS'!

[Ignavus+Anonymous]

Actually, on a pro-rated basis (exploits vs platform count), MS exploits occur at a rate 9 times more frequently than Linux exploits. Linux exploits make news because of their relative rarity

Hm, compare this to the installed user base. Are there 9 times as many windows users as lunix users? or more? how many sploits would there be if everone was running lunix/sendmail/bind/apache/php?

Re:Yes, but who's fault is it? Not MS'!

[The-Forge]

I hate to burst your bubble. BUT, the guest account is DISABLED by default in Win2k & XP. If the machine is domain bound, then the netadmin would have to be a freaking idiot to reenable it.

Re:Yes, but who's fault is it? Not MS'!

[jonelf]

>Oh, and it takes a local user to exploit it.

Ever heard of Windows Terminal Server? I guess this could be a huge problem in that kind of environment.

Also I sincerely hope that it's not possible to send Win32 event with JavaScript.

Re:Yes, but who's fault is it? Not MS'!

You can and should disable guest accounts.
I disable the guest accounts on my machines, how can you start anything if you can't log on?

Re:Yes, but who's fault is it? Not MS'!

[japhmi]

First, it was said:
on a pro-rated basis (exploits vs platform count)

Then, it was replied to:
Are there 9 times as many windows users as lunix users? or more?

I believe this is what is meant by 'on a pro-rated basis' that the # of users is taken into account.

Of course, one would assume that there is a 'critical mass' of users that are required to find most bugs - after all, when was the last time a windows bug affected one person! Besides, one could argue that Linux/BSD/other *nix users are more likely to go poking around their computers and find problems than your typical Windows buisness user.

Re:Yes, but who's fault is it? Not MS'!

[Denny]

If I've read the original post correctly, it IS comparing it to the installed base - that's what is meant by "exploit vs platform count".

Regards,
Denny

Re:Yes, but who's fault is it? Not MS'!

[MORTAR_COMBAT!]

i'll have to remember that when the next discussion of God's existence comes up. also, he was the one making positive statements (this is not MS fault) meaning, if that's the statement he wants to make, burden of proof, logical or otherwise, is on him.

Re:Yes, but who's fault is it? Not MS'!

[Ignavus+Anonymous]

Please tell me where these figures can be verified. If 99% of the computer users use Windows and 1% uses linux, and there is a 9:1 exploit, statistically, Windows is safer.

Mirror

[notfancy]

FWIW, mirror at http://paginar.net/matias/shatter.html.

no, no.....

[Lord_Slepnir]

Their EULA reads "Essentially, you will allow us to take control of any window on your desktop." Glad I could clear that up.

One point he really missed...

[billbaggins]

...You could flood an [X] application with fake messages and see how it responds; you could send it corrupt messages and see how it responds. Chances are, it would cope just fine, since it'll choose what to do with the messages and process the flood one at a time.

Someone tried this... sorry, I have no idea what the link is, but I think it was on Slashdot a few months ago. Generate a bunch of random Xor Win32 messages, maybe well-formed, maybe not, and fire them at the app of your choice. Most apps on both platforms died quickly and spectacularly.

Re:One point he really missed...

[kawika]

That program was called fuzz. A pretty cool idea, maybe someone should send the link to Mcafee.

Re:One point he really missed...

[billbaggins]

Yay! Thank you :-)

/me twiddles thumbs to wait for 20-second cooling-off period imposed by slashcode... learn something new about this site every day...

High opinion

[timothy_m_smith]

Here is what the author had to say about himself at the end of the paper:

Foon, AKA Chris Paget, first started programming on a ZX81 at the age of 4. He's been working with computers for longer than most of the bosses he's had. After extending a BBC B to include an ADC capable of filling the machine's memory in less than 2 seconds and scaring the cleaners with automated voice warnings when they entered his room, he got bored and moved onto PC's and Windows, where the majority of his skills lie. Able to program in 23 languages on 14 platforms, Foon takes an average of 3 days to learn a new programming language. He's currently available as a freelance security consultant - his CV is available on request.

Aren't we the most important programmer ever!

Re:High opinion

He also has never talked to, nevermind had sex with, a woman. He finds that he has trouble making friends, partially because of his inability to talk about anything besides the 23 languages and 14 platforms he can program for, and the onion-like smell which lingers behind is unshaven, rarely cleaned body. In order to make up for his indescribably small penis, Chris brings up debate in favor of technologies to boost his ego such as functional programming, UNIX, and any one of the 23 languages on 14 platforms already mentioned twice before that he can program for and you can't.

Re:High opinion

Aren't we a judgemental biblefucker?

Re:High opinion

You're calling someone on slashdot judgemental?

Re:High opinion

[greygent]

This poster finds it narcissistic and silly that the author wrote about herself in the 3rd person.

Re:High opinion

[Skyshadow]

I think I know this guy -- he was the one who hopeless dweebs like myself looked down on as "uncool" in high school.

Re:High opinion

[Junks+Jerzey]

Foon, AKA Chris Paget,

Stop right there. People who refer to themselves by goofy handles...well, I don't think I need to explain this.

Re:High opinion

[One+Louder]

Foon takes an average of 3 days to learn a new programming language.

I'd like to see him do that with APL, Lisp or Prolog.

Re:High opinion

[GoatEnigma]

For such a good programmer it would be worthwhile to invest in some technical writing courses. This paper was the most un-professional thing I've ever seen. While his points are good, it is better to make an impact professionally if you want the discovery to be taken seriously.

Employer: Can I see some examples of your writing?

Chris: Uh...no.

Employer: Why?

Chris: Well someone just recently told me that arrogance was bad, and you shouldn't use sentences like Fun, huh? and Silly, silly, silly..., and (Hell, overwrite the heap. Who's gonna care?)

Employer: Hmm...I can see now why you're a freelancer.

Re:High opinion

[topham]

Actually, the conversational manner of his Paper is a nice change from the typicly dry articles of the same nature from other sources.

Oh yeah, and it fits well with his target audience.

Or did you miss that part of writting? You know the part about "understanding your audience"?

Re:High opinion

[edremy]

Forget those, try Intercal

Re:High opinion

i'm going to go out on a limb and guess that you meant to type "writing" while you were defending the poor, juvenile style of _writing_ in this 'paper'.

Re:High opinion

Master, I kneel before you.

Re:High opinion

[Graspee_Leemoor]

" Here is what the author had to say about himself at the end of the paper:"

And here's what his photo says about him:

I live in rented accomodation.
I never wash my dishes.
I have a stupid ponytail
I live alone
Where I live is not big enough for my needs.
I have deep-seated feelings of self-doubt.

Heh, just call me Sherlock Leemoor....

graspee

Re:High opinion

[PissingInTheWind]

Intercal is for wimp, try unlambda.

;-)

Re:High opinion

Please. Calling someone on Slashdot judgemental is like calling someone in a porno "naked".

Re:High opinion

Of course, of those 23 languages, we have BASIC, QBASIC, True BASIC, the ever-useless COBOL, and SNOBOL (his other nickname).

Re:High opinion

"...takes an average of 3 days to learn a new programming language..."

Bull. Just plain Bull.

Re:High opinion

[jefu]

Here's a challenge. Learn Haskell, enough to be minimally productive, at least in three days. (Or for that matter J or APL).

Re:High opinion

[McCart42]

I'm guessing that he was trying to be sarcastic but it came out horribly wrong. Probably because he wasn't over the top far enough.

Re:High opinion

[Corrado]

ulambda is for lusers, try brainfuck!

Re:High opinion

[Salamander]

23 languages on 14 platforms? That's odd. As recently as 6 July 2001 Mr. Paget was posting a position-wanted ad on SecurityFocus, describing his language/platform knowledge as follows:

I am fluent (if a little rusty) in many programming languages (C, C++, Delphi, VB, VBScript, various assemblers), and I am keen to broaden my skills, specificially [sic] to include Unix and x86 assembler...my Unix knowledge is far from brilliant

One can only wonder which 23 languages and 14 platforms he knows, if several of the most important ones are notable by their absence or explicit disclaimer. Of course, he never tires of telling us he's a fast learner. Maybe he has filled in some of those gaping holes in his basic computer knowledge in the last year and a bit.

Re:High opinion

Forth anyone!
Even people who can read it can't understand someone elses programs in it, or their own three days after they finish it.
The most confusing gibberish I ever tried to do.

Re:High opinion

[zCyl]

the conversational manner of his Paper is a nice change

If you want people to believe you are authoritative, you must speak like an authority. That's just a fact of human nature.

Re:High opinion

"...takes an average of 3 days to learn a new programming language..."

Bull. Just plain Bull.

While he was being arrogant in his statement and clearly bragging, there's really nothing abnormal about it. If you start a person programming at a very young age, in the time period when the brain is still rapidly growing neurons for the processing of natural languages, then later in life that person can typically pick up new programming languages in a couple days. And not just hello world, I mean effectively pick up those languages.

This is a repeatable result, try it on your own children.

Re:High opinion

[stor]

Heh, I can't help imitating C3POs voice when reading that.

Cheers
Stor

Re:High opinion

Hey, it only takes him 3 days to learn a new language, giving him plenty of time to pick up the 15 or so languages he's missing.

Re:High opinion

[topham]

Funny, I thought the facts presented dealt with that issue. Without putting me to sleep.

I've read a lot of dull papers and publications because of attitudes like that.

Or, atleast tried to...

Re:High opinion

[_Splat]

malbolge.

Re:High opinion

Yeah, we gotcha, "Junks"

Re:High opinion

[Tony-A]

If you want people to believe you are authoritative, you must speak like an authority.
That works if the audience is non-authoritative. They don't understand what you're saying and depend on your authoritativeness to assess your credibility.
If your audience is authoritative, the same authoritativeness is more likely to stir up hostility. Assuming the problem is real, it's surly not the only, and probably not the worst, unfixable flaw in Microsoft Windows.

Re:High opinion

POKEY RULES

Re:High opinion

Considering he posted that ad about 386 days ago, I'd hope that by now he's learned the 128.666666666667 programming languages that he claims he has the potential for.

Re:High opinion

[PissingInTheWind]

You win. It's just... just... too evil for me.

Microsoft has done something about it...

[the_skywise]

It's true that once you're logged into a desktop, all apps that respond to Windows messages within that desktop are vulnerable, there are ways to secure your app from that.

Beginning with Windows 2000 (and possibly later editions of NT4), THE desktop became "Desktops" and they all run in their own space with their own Windows messaging stacks. "Desktops" cannot request window handles from other "Desktops" so this exploit is stopped. All Screensavers will be spawned into their own desktop, so that they can't affect running apps.
All apps can be set to run in their own "Desktop" as well. But it has to be proactively designed that way IN THE PROGRAM. The operation is not by default, and users cannot specify that apps run in their own space. (AFAIK)

Secondly, the documentation for making use of this feature doing so is (as usual) very fuzzy and poorly written.

It is also still possible to develop a ring 0 DLL which can query the existing desktops, get the desktop handles, and then query windows from within them.

Re:Microsoft has done something about it...

[JoeF]

"Desktops" cannot request window handles from other "Desktops" so this exploit is stopped.
All Screensavers will be spawned into their own desktop, so that they can't affect running apps.

Not quite. At least on NT4, it is possible to enumerate desktops, and to send messages to programs in other desktops. I have done that myself in a screensaver I wrote.

a waste of time?

[bojan]

Hmmm, another post about how Windows is lacking this and lacking that, and how it has this and has that.

Yet there's alot more that can be done for GNU/Linux itself which it doesn't have...

article was a waste of my time.

I didn't expect a Spanish Inquisition!

[ducks]

Re:I didn't expect a Spanish Inquisition!

[Warped-Reality]

NOBODY EXPECTS THE SPANISH INQUISITION!

Our chief weapon is surprise...surprise and fear...fear and surprise.... Our two weapons are fear and surprise...and ruthless efficiency.... Our *three* weapons are fear, surprise, and ruthless efficiency...and an almost fanatical devotion to the Pope.... Our *four*...no... *Amongst* our weapons.... Amongst our weaponry...are such elements as fear, surprise.... I'll come in again.

White hats

[Grey+Brick]

it is about time the white hat community saw what is actually possible.

I think the white hats have always known Windows is insecure. Maybe they all work for Microsoft :-)

Too bad this doesn't apply to Windows 2000 and on

[The_Rippa]

These API exploits only work on pre-2000 versions. Try again Slashdot.

VIRUS???!!

Unpacked the zip and my Norton Antivirus prog just yelled
Object name: sploit.bin
Virus Name: W32.Beavuh

Is it infected or is the antivirusprog fucked up?

ASP providers

What does this mean for ASP providers?

Window "shattering" utilities

Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages.

Without this "flaw", programs such as RtvReco which automate closing dialogs and sending text, etc., would not exist. In fact, 4 years ago (gosh, its been a long time), at the curious age of 12, I wrote an extensive software suite to mess around with other applications' windows. Since then others have caught on -- Password Revealer, anyone?

I can't share my work because of bandwidth problems, but it was indeed groundbreaking. Through raw HWND handles or Microsoft's (or my own version) of the WinFinder control found in Spy++, one is able to select any existing window in the system. Arbitrary messages can be sent or posted. One can draw pixels over windows, enable disabled controls (as often found in shareware), send text to edit controls (I developed a simple scripting language to automate this process), right/left/middle/double click at any position (useful in closing annoying dialogs, like the dialup reconnection message for those on 56k), and even move or kill any window one choses.

As for the vulnerability itself...its well worth the read. Basically, shellcode is injected into an edit box by removing the CEdit's length restrictions. This is a valuable lesson to all Windows programmers out there -- do not rely on a control's restrictions to validate data! Its as dangerous as using JavaScript to validate web forms. Always in all cases check for buffer limits in the application code.

Of course, not all flaws can be blamed on the application developer:

The final message that we're going to make use of is WM_TIMER. This is a slightly odd and very dangerous message, since it can contain (as the second parameter) the address of a timer callback function. If this second parameter is non-zero, execution will jump to the location it specifies. Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it. Silly, silly, silly...

I've only skimmed the article, but this is the first documented exploit I've heard of in my half a decade of Windows programming. But its worth mentioning that these fundamental flaws have existed since Windows 95, and Foon is correct in that there's absolutely nothing Microsoft can do about it, except ditch the current Win32 API and start anew. Guess we'll have to wait until Longhorn. -sr

Re:Window "shattering" utilities

"...As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it. Silly, silly, silly..."
Wrong.

Re:Window "shattering" utilities

[rabidcow]

If this second parameter is non-zero, execution will jump to the location it specifies. Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it.

Eh? But that's just not true, see the Remarks section of the docs for SetTimer:

An application can process WM_TIMER messages by including a WM_TIMER case statement in the window procedure or by specifying a TimerProc callback function when creating the timer. When you specify a TimerProc callback function, the default window procedure calls the callback function when it processes WM_TIMER. Therefore, you need to dispatch messages in the calling thread, even when you use TimerProc instead of processing WM_TIMER.

Of course, most programs will pass the message on to the default window proc if it's not specifically something it's looking for.

New Theme Song

[Sandlund]

Shattered Windows? Nick Lowe's "I Love the Sound of Breaking Glass" comes to mind -- perhaps it could be RedHat's first theme if/when it finally creates TV ads:

I love the sound of breaking glass
Especially when I'm lonely
I need the noises of destruction
When there's nothing new
Oh nothing new, sound of breaking glass

I love the sound of breaking glass
Deep into the night
I love the sound of its condition
Flying all around
Oh all around, sound of breaking glass

Re:New Theme Song

[bbc22405]

Or maybe "Walking on Broken Glass", by Annie Lennox, off the album Diva:

You were the sweetest thing that I ever knew
But I don't care for sugar honey if I can't have you
Since you've abandoned me
My whole life has crashed
Won't you pick the pieces up
'Cause it feels just like I'm walking on broken glass

Walking on walking on broken glass

The sun's still shining in the big blue sky
But it don't mean nothing to me
Oh let the rain come down
Let the wind blow through me
I'm living in an empty room
With all the windows smashed
And I've got so little left to lose
That it feels just like I'm walking on broken glass

Walking on walking on broken glass

And if you're trying to cut me down
You know that I might bleed
Cause if you're trying to cut me down
I know that you'll succeed
And if you want to hurt me
There's nothing left to fear
Cause if you want to hurt me
You're doing really well my dear

Now everyone of us was made to suffer
Everyone of us was made to weep
But we've been hurting one another
And now the pain has cut too deep...
So take me from the wreckage
Save me from the blast
Lift me up and take me back
Don't let me keep on walking...
Walking on broken glass

Walking on walking on broken glass

Someone might want to mirror that site right quick

[jayhawk88]

Before the lawyers get wind of it that is.

Re:9/11 related Easter Egg on orbitz.com

[TQBrady]

What kind of sick asshole are you? I am assuming there isn't even an Easter Egg, as Orbitz would be making a RIDICULOUS mistake to do such a thing. You just think it would be funny for a few hundred people to look up flights for that date this year. Pathetic

So let's see if I've got this right...

[Mustang+Matt]

Someone high up at Microsoft is mapping a drive across the net on their XP powered laptop.

A theif grabs the laptop and takes it home, logs in as guest, gives himself administrator access, dials into the private microsoft dialup account using the saved dialup networking profile and then has access to the mapped drive and what else? VisualSourceSafe? Microsoft Passport backend?

I feel safe...

Re:So let's see if I've got this right...

unless you are planning on stalking M$ execs, i wouldn't loose too much sleep over it..;)

Re:So let's see if I've got this right...

[TurdFurgeson]

how about someone breaks into your house and steals your elite high security linux file server. they find loads of kiddy porn while digging through the disk at thier leisure. you get ultimatly arrested and sent to jail... obviously a security problem with the insecure linux box... or at least that is what you would be preaching to bubba... hehe

Re:So let's see if I've got this right...

[0x0d0a]

You mean the high security linux file server with an encrypted loopback filesystem preventing the exploit you're describing?

They did it on purpose, I knew it. ;D

[jointm1k]

From the CNET interview:

[quote] The second thing is the Palladium model, which is a couple years off, will require hardware with a different chipset. You know, a security chip. While it works side by side with Windows, it won't replace Windows. It will enable all sorts of things for both consumers and businesses. For example, you will have "trusted agents"--pieces of code that are signed by people you trust. This is a good thing because it can eliminate a lot of viruses. So if you get code and it's not from anyone you trust, you can choose to not run it.[/quote]

Call me paranoid, but is he (Scott Charney) actually saying Microsoft dellibritely created a environment in which virii thrive so they could justify the Palladium platform? I mean, he is implying that you can not choose to NOT run virri on current systems. (Well ofcourse there are the alternative office and email programs, but still ...)

How do you think VBA works? Duh

[Ozor]

To use VBA and send information between applications is the main reason it is setup this way. Want to write a program that populates a database with data generated by say Autocad.. Anyone who knows anything about programming windows already know this.

Re:How do you think VBA works? Duh

> To use VBA and send information between applications is the main reason it is setup this way. Want to write a program that populates a database with data generated by say Autocad.. Anyone who knows anything about programming windows already know this.

Sockets and named pipes already exist; why use interprocess (and insecure) windows msgs?..

Executing untrusted code

[alext]

...which is one reason why secured platforms like Java and Dotnet are so important to the future of IT.

(The other is the availability of cross [hardware] platform applications - and no, compiling code yourself is not a substitute).

Linux has about another two years to continue poking fun at Windows security defects, then Dotnet will be in place and the party will be well and truly over.

Re:Executing untrusted code

[handorf]

I agree that secured platofms are important. Personally, though, I disagree that Dot Net is a panacea. It is possible to write insecure apps in any language or platform, and I can assure you that some .NET apps will be given admin privs.

As long as we programmers don't make security a priority, we will continue to have badly written apps.

You know... I usually don't defend Microsoft very much, but I guess all the "ARGH! The sky is falling" stuff got to me.

Re:Executing untrusted code

[fanatic]

then Dotnet will be in place and the party will be well and truly over.

yes and no. MS will (probably) eventually bring down the number of security bugs (though with their insistence on features,features,features and their gratuitous changes to APIs and protocols used to foil competition, it will never be 0 or even real low), but the real problem with Microsoft is not the stuff they do accidentally, it's the stuff they do with full knowledge and intention.

For example, if your files are in some proprietary format and you lose the right to run the software that reads that format, who owns your data? Before you scoff, remember that MS was one of the drafters and promotors of UCITA, which would/will permit software manufacturers to turn off software that they believe is not licensed correctly. (aka "electronic self help" - there are numerous ways to accomplish this even if you're behind a firewall.)

Re:Executing untrusted code

[alext]

That's right - a dumb setuid program can always be created. However, Dotnet (and Java) represent a quantum leap in the "securability" of a platform and one to which Linux has no answer, so I'm afraid the firmament is decending with undiminished velocity.

Re:Executing untrusted code

[alext]

Good point, but it's perhaps a little optimistic to assume that Linux will have this edge.

If MS provide the tools someone else can easily finish the job, e.g. providing a secure email program with workflow scripting, without imposing nasty stuff like proprietary file formats.

Re:Executing untrusted code

[handorf]

I wasn't speaking of your "Sky is falling" remarks but of those of others who feel that this vuln represents something new and terrible on the Windows front.

As for DotNet, as much as I like C# (after working in it for almost a bloody year now) and appreciate the easy things being easy and the hard things being possible, I'll withold judgement on it's securability until it's been around for a few years.

Re:Executing untrusted code

[siskbc]

MS may provide the tools, but they won't aid in the deployment; thus, buggy MSware will remain the standard. There's a reason people use IE and Outlook (yes, most of the world does) - it isn't because they're the best, it's because they come pre-installed. Windows security, unlike linux to an extent, depends completely on what comes pre-installed. And MS only pre-installs their own stuff. And last I checked, OEMs weren't willing to challenge MS on installing things themselves. DotNet's acceptance remains to be seen, anyway. Passport, anyone? Hell, every Microsoft product "coming out in two years" was supposed to solve the problem - 3.11, 95, 98, 982E, Win Me (HA!), Win2K, XP - and it hasn't happened. I will remain skeptical if you don't mind.

Re:Executing untrusted code

[dvdeug]

Dotnet (and Java) represent a quantum leap in the "securability" of a platform and one to which Linux has no answer

Well, Java runs on Linux, and .Net is being implemented on Linux, so we can use the same answers. Also, User Mode Linux lets you run a full environment in a sandbox, with no modification to existing programs. That's better than anything Java or .Net offers.

Re:Executing untrusted code

[NumberSyx]

Linux has about another two years to continue poking fun at Windows security defects, then Dotnet will be in place and the party will be well and truly over.

and

Dotnet (and Java) represent a quantum leap in the "securability" of a platform and one to which Linux has no answer

I would like to point out that Java runs just fine under Linux. The Mono and DotGNU projects are in the works, both of which will be answers to .NET . You are assuming .NET will live up to Microsofts hype and that Linux will not improve over the next 2-5 years. The past has shown, that Linux is constantly improving and that Microsofts products never live up to the hype. Microsoft has spent the last 5 years playing catch up to Linux in security and stability. They are still at least 2-5 years behind in both of these areas and I don't see this changing anytime soon.

Re:Executing untrusted code

[andrewski]

Except for the few points that you have glossed over. First, .NET has been proven to be a great place to propagate virii. Second, .NET won't stop somebody from e-mailing you a Word macro that'll fuck everything right over. Third, combine the first two points with the fact that even XP has local AND remote holes big enough to drive my Grandma's truck through, and you have a bag of hot air.

I'll take compiling my own programs any day over relying on pre-compiled binaries - Why should I trust some off-shore $3 per hour Win32 sweatshop with producing backdoor-free code any more than I would trust ANY unaudited code (because basically it is)? At least when one has the source code an audit is POSSIBLE albeit unlikely.

Re:Executing untrusted code

[alext]

I was hoping someone would step in with these assertions - it's really time such complacency was examined:

1. Java runs on Linux. So it does, and will be well supported not by one product but by three (Sun JVM, IBM JVM, BEA JRockit). What a pity, then, that this commitment by the vendors is not matched by the Linux community at large. No significant GNOME or KDE application is written in Java, and KDE does not even have a LGPL Java binding!

2. Dotnet "being implemented" on Linux. Coincidentally, starting this morning, Dotnet is being implemented by me on my toaster, and I can say with confidence that with regard to the major APIs such as Windows Forms, both efforts have made similar progress, i.e. none. And if Mono / DotGNU does make progress, I'm betting they get sued for patent infringement.

3. User mode Linux 'superior' to Java or Dotnet. This is, frankly, a ridiculous statement. Firstly, Java and Dotnet provide guaranteed integrity of the application, something that's impossible to achieve when you have pointers floating about. Secondly, the rest of the system can be structured into a highly organized form where just the necessary amount of information is shared and rights given. For example, I can apply access controls to individual methods of an application, but a particular application may not itself even be able to read those controls, so it has no idea of who can do what.

The problem is really the same one that has bedevilled Linux already - choice is good when you can make it (KDE or GNOME), not so good when it is made for you via a chain of dependencies (Kmail requiring KDE requiring Qt). Coordination and control applied only to the kernel is no longer sufficient to warrant Linux being called a platform - unless enough momentum is built up behind some combination such as Kernel + IBM VM + SWT + Qt + KDE the platform will become so diverse and complicated that vendors will be unable to port their applications to it.

Re:Executing untrusted code

[dvdeug]

User mode Linux 'superior' to Java or Dotnet.
This is, frankly, a ridiculous statement.

If you're asking for a platform to be secured, I can secure any program that runs on Linux using UML. UML allows you to use existing libraries and code, without breaking the sandbox). That's a huge advantage.

Firstly, Java and Dotnet provide guaranteed integrity of the application, something that's impossible to achieve when you have pointers floating about.

Nonsense. Having pointers does not prevent you from guaranting integrity of the application, nor does not having pointers mean that you can't get invalid data or malformed data structures. The only way to guarantee integrity is a formal proof of the program. In any case, Perl, Python, Scheme, Eiffel, Common Lisp and any number of other Unix programming languages make the same offer.

Secondly, the rest of the system can be structured into a highly organized form where just the necessary amount of information is shared and rights given.

Which can be done without Dotnet or Java. And frankly, I don't believe it will be done by any but the most anal programmers, and they could have done it in raw assembly on the bare hardware.

Re:Executing untrusted code

[alext]

I think you're failing to distinguish between fundamental architecture principles and gossip.

Dotnet does protect against viruses - it allows precisely the appropriate level of privileges to be accorded to something like an email attachment. There may continue to be exploits, but unlike existing systems suffering from buffer overflows etc. the exploits can be fixed in the platform rather than the applications. A secure platform is a whole new ballgame over POSIX and Win32.

XP's own exploits are no more relevant to Dotnet than they are to Java - Dotnet has its own security model, and it is perfectly possible to put a secure environment on top of an insecure one, providing that the secure interface is the only public one.

You still seem to be confused about what a secure platform does. Essentially, Microsoft can ship you any 'binary' and you have the power to limit what it does (TCPA lock-downs excluded, of course - use Java as an example if you prefer). Therefore the issue of backdoors in an app need never arise - just deny it permission to open a socket.

On a positive note, I agree that having the source is the ultimate guarantee, though ideally you want both the source and a secured platform. The amazing thing is that Java has achieved this and put it on a plate for everyone - it's almost impossible to ship a Java application without allowing the source to be recreated - but still people persist in generating user applications with antedeluvian C tools. Java technologies and Open Source goals complement each other in fundamental ways, but the importance and potential of this has never been recognised.

Re:Executing untrusted code

[alext]

If you're asking for a platform to be secured...

No, I'm asking for the whole system to be secured. That's where your approach comes unstuck.

Having pointers does not prevent you from guaranting integrity of the application...

You're using integrity in a much broader sense that most people do, particularly with regard to common security exploits. The advance that Java represented over traditional code models has been documented at length by academics - no other language in common use comes close, certainly not Perl, Scheme or Common Lisp.

The bottom line is that Java and Dotnet offer a a value proposition that no security-minded developer or user can afford to ignore, and for practical purposes no amount hand-waving about formal proof systems is likely to deliver anything remotely comparable.

Re:Executing untrusted code

Amazing troll, real genius!

Re:Executing untrusted code

[jedidiah]

"fundemental architecture principles" are something that Microsoft has never cared about. They even had the architect of VMS on their side and they still failed to deliver a robust product. All of Microsoft's propaganda won't erase the last 20 years of their management practices.

There is far more than mere "gossip" supporting those of us that are skeptical of anything that Microsoft creates.

It would be more efficient to simply resurrect VMS.

Re:Executing untrusted code

[t0ny]

Ya, and Netware used broadcast the license numbers across the network and disable the servers if there were matching license numbers. Are you claiming this is something new, or something created by MS?

Re:Executing untrusted code

"one to which Linux has no answer"

???

Apparently you've never heard of MONO, the Linux clone of .NET, but without the spyware and bloodsucking license. However, its a moot point because except for MS PR & Hype types, .NET isn't going anywhere. Why would anyone with an ounce of gray matter hand control of their computer systems over to MS or anyone else?

The only thing trustworthy about MS is their petchant for extracting money from their user base and for stealing other folks ideas. What is truely amazing is that WinXX users think that their buggy, insecure OS is normal for computers!

Re:Executing untrusted code

[alext]

MONO, the Linux clone of .NET, but without the spyware and bloodsucking license

...and without the libraries, and the support from application developers. (But with the potential for having its butt sued by Microsoft).

Sounds great!

Remind me again, this delivers precisely what benefits over using the well-established Java VMs on Linux?

1) Deliver high media profile for Miguel de Icaza

2) ?

Re:Executing untrusted code

[Jerry]

No significant GNOME or KDE application is written in Java

I've been using MoneyDance for over two years. It's written in Java (swing) and is a very nice app.

And if Mono / DotGNU does make progress, I'm betting they get sued for patent infringement.

I wouldn't doubt that. In fact, De Icaza is wasting a lot of time and effort on MONO for that very reason. That's why I think MONO is a 'honeypot' designed to trap Linux coder bees, removing them from serious projects.

User mode Linux 'superior' to Java or Dotnet. This is, frankly, a ridiculous statement. Firstly, Java and Dotnet provide guaranteed integrity of the application

Opps! It doesn't matter how much 'integrity' an application has if it is supported by an OS that is full of holes! And, on a per capita basis, the Linux 'user' mode has proven considerably more secure than the WinXX 'everyone run's as root' mode.

The problem is really the same one that has bedevilled Linux already - choice is good when you can make it (KDE or GNOME), not so good when it is made for you via a chain of dependencies..

This is really the most lame, bogus arugment I've heard against Linux since I began using it 5 years ago. BTW, KMail is my favorite email client. That is runs in KDE, which uses QT, is an asset, not the liability you make it out to be. By your standards, any program which runs on an OS and uses a function library is 'choice limiting' and therefore suspect. Lame indeed. You just shot down your favorite OS. Billy is going to slap your hands hard! I can sympathize with your confusion about 'choice', since Billy has taken that away from you a long time ago.

Re:Executing untrusted code

[Enigma2175]

You forgot

3) Profit

It had to be said...

Re:Executing untrusted code

[dvdeug]

You're using integrity in a much broader sense that most people do, particularly with regard to common security exploits.

Shell scripts have no pointers. Shell scripts are bitch to make secure, because every line you have to make sure that there's no stray ` or $ in your input data that you aren't properly escaping. Any language that only has or encourages the use of fixed length strings has a potential integrity problem there.

The advance that Java represented over traditional code models has been documented at length by academics

What advance? Sandboxing is certainly nothing new, nor is pointerless languages, and many Lisps follow both rules.

Re:Executing untrusted code

[Tony-A]

Linux has about another two years to continue poking fun at Windows security defects, then Dotnet will be in place and the party will be well and truly over.
Yes, but which party?
These is something of a progression of Melissa to Code Red and Nimda to Klez. The worms and viruses are getting smarter and Microsoft still doesn't have a clue as to security.

Re:Executing untrusted code

rubbish. NT (and therefore Win2k and XP) are stable and reliable. Forget the gossip about 'windows crashes 100 times a day' - that all applied to 16bit DOS based windows (ie Win3.1, 95, 98, ME). Give credit where its due - Cutler did a good job, doubly so when you consider what he had to work with.

Re:Executing untrusted code

be aware that Linux systems are being hacked almost as much as windows ones - big news considering the number of each in the wild.

(full details are on news.cnet.com from a fortnight ago).

be complacent, spout off how windows is rubbish and linux sooo great.... and see where you are in 2 tears time.

Re:Executing untrusted code

[Tony-A]

Microsoft has spent the last 5 years playing catch up to Linux in security and stability. They are still at least 2-5 years behind in both of these areas and I don't see this changing anytime soon.
And Linux is maybe 2-5 years behind the *BSDs.
OpenBSD: "One remote hole in the default install, in nearly 6 years!" (And that fish looks mad;) Methinks that is actually a stronger statement than when they were running "No remote holes ...".

You are assuming .NET will live up to Microsofts hype
No matter how good a job Microsoft does, it's a monoculture and there's always a crack somewhere. Linux does not have that problem because there's a bunch of subtly different ones out there and there's always a few wiseacres who insist on doing things their way. Security through obscurity can work, but it does presuppose obscurity. A monoculture is *not* obscure.

Re:Executing untrusted code

[Tony-A]

Therefore the issue of backdoors in an app need never arise - just deny it permission to open a socket.
Right. Close one hole and ignore any communications with apps that DO have permission to open a socket.
Security is a perimeter-type thingee. There is no "just" about it.

Re:Executing untrusted code

[jpmorgan]

The only way to guarantee integrity is a formal proof of the program.

It's funny you mention that.... that's exactly what the .NET runtime does - it effectively proves the program doesn't violate any security or integrity restrictions before it allows it to run. To be able to do this programmatically requires heavily restricting the use of pointers.

And yes, you can write a program that uses pointers in .NET - but such code is marked as 'unsafe' and requires special privileges to run.

Re:Executing untrusted code

[NumberSyx]

And Linux is maybe 2-5 years behind the *BSDs...".

I am 100% in agreement with everything you said. Linux security does leave something to be desired when compared to *BSD and I encourage anyone who has serious concerns about security, should use *BSD. Microsofts biggest security problem is the monoculture they are trying to force on everyone, if they would back away from thier monopoly and allow a diverse computer environment to develope, things like VB Script virus's would be a minor annoyance instead of headline news.

Re:SD3, eh? Sounds suspicious.

If it were funny, you wouldn't have to tell us.

Wow...

[dacarr]

I knew it was bad, but holy schnidt.... good thing I'm running Linux and OS/2. =^_^=

Hmm... again...

[jsonmez]

Click to randomly close a window on another user's desktop somewhere in the world.
Sweet!

DMCA violation?

[esoteric0]

correct me if i'm wrong, but couldn't this guy be thrown in jail for documenting and sharing all this stuff?

Re:DMCA violation?

[Uttles]

I was just about to ask that. Won't this be a direct violation of the DMCA?

Re:DMCA violation?

[mgessner]

Well, if he's in the UK, I suppose they could nail him if he ever enters the U.S., like the did with Syklarov.

Re:DMCA violation?

[Whispers_in_the_dark]

IANAL but I'm pretty sure Windoze being insecure is *not* a trade secret. (Plus based on the number of "it's old news" messages it's not been a secret of any type for a *long* time).

: )

Re:DMCA violation?

IANAL, but he is using a debugger on a commercial app. Based on the wording of the DMCA I've seen, it's entirely possible this could be construed as a DMCA violation. The other stuff he uses are documented API calls...

yippee...

I've been using this "exploit" to develop add-ons for automation software. In order to take control of another software package, windows messaging is by far the most efficient system for getting a non-automated package to do something unattended. For every minus, there are pluses too...

Itchy Tongue

[sdjunky]

An oldy but a goody. This one's even better

Declare Function mciSendString Lib "winmm.dll" Alias _
"mciSendStringA" (ByVal lpstrCommand As String, ByVal _
lpstrReturnString As String, ByVal uReturnLength As Long, _
ByVal hwndCallback As Long) As LongProcedure

'Open the CD
retvalue = mcisendstring("set CDAudio door open", _
returnstring, 127, 0)

'Ask
msgbox "Scratch my Tongue Please, it Itches!!"

'Close the CD
retvalue = mcisendstring("set CDAudio door closed", _
returnstring, 127, 0)

Is it really worth our attention?

[const_k]

Well, not sure, is this "new" exploit technique worth our attention, if in those operating systems the system directory is writeable by anyone by default?

Re:Is it really worth our attention?

It's not. By default, the system directory is writable only by admins.

Where in the heck has everyone been????

How do you think PCAnywhere works?? Citrix?? Terminal Server (well... ok TS is Citrix).

It's been there since day one, and there is software to "exploit it". All you have to do isinstall PCAnywhere... or write an agent that is just like PCAnywhere, and then when a "highly priveledged user" gets on the machine, you just watch what they do. Anyone I know that's been doing Windows driver or kernel work has known about this all along... it's nothing new to anyone. Anyone want an "exploit" that traps the calls to the Windows API and records the programs being run??? You don't even have to watch the message queue go by to decipher the screen contents.

I have to wonder how /.'ers would react if Microsoft came out with a "fix" and then suddenly Citrix and PCAnywhere didn't work?? On Slashdot I suppose it would be "That's just like The Borg ^h^h^h^h^hMicrosoft... they couldn't compete with Symantec so they made a change to put them out of business".

Terminal services + domain admin user

[Malc]

If I understand this right, this escalates priviledges to those of the window being attacked. Does this mean on a box running terminal services, I could get domain admin priviledges if that user is also logged on?

Re:Terminal services + domain admin user

No. They don't exist to you, isolated off in their own Window station with their own desktop on their own messaging system.

While this is still an issue, it's only really an issue because of shoddy services. While Microsoft does indeed need to figure out how to add some security to the Windows messaging server (which I insist can be done without breaking everything,) steps can be taken to minimize the issue, including avoiding services that operate with windows in the interactive desktop.

Scenario for abuse

[brandonY]

So, let's say that I'm Joe User. I turn on XP Remote Connection because I'm going out of town. I also click the "Enable Guest Login" box.

So Leet HaXoR notices my Remote Connection port is open, runs Microsoft's helpful Remote Connection Agent, logs in as Guest, and then inside of 30 seconds is Administrator?

Wow. Welcome to the age of cracking systems without using a keyboard. Or time to spare.

Re:Scenario for abuse

You don't know what you're talking about. Joe user would have to add the Guest account to the "Remote Desktop Users" group. That's about as likely as Slashdot posting a single, solitary good article about Microsoft.

Just so you know... AFAIK

[gabec]

As Far As I Know

Re:Just so you know... AFAIK

[dimator]

And THANK YOU very much for linking to e2. I'll be clicking around there for a good 2 hours now, thanks for killing my productivity.

The problem is developers not used to multi-user

[PenguiN42]

For example, the virus scan writer probably tests, develops and uses windows while logged into the "administrator" account interactively, as do most users. In Win98, it's not even a question -- you're always the "root" of the box. I'd wager that "What access could a non-administrator user obtain through our GUI/message interface?" hardly occurred to the GUI programmers for this particular virus scan software, even though their interface ran at LocalSystem (geeez).

As mentioned elsewhere, there are ways to avoid these problems: If you really need to use gui elements as administrator, run them under a separate desktop or windowstation where the interactive user can't touch it. Run the GUI interface impersonated down to a lower level, such as that of the interactive user. If you have to be administrator or local system, treat all input as untrusted, including (especially) window messages! Don't use edit box constraints as buffer limits. Don't use the default window procedure. etc etc etc.

It's true, however, that the default behavior for WM_TIMER is a pretty big security flaw (IMHO). But contrary to what this writer inaccurately claimed, you can still intercept the WM_TIMER message and handle it yourself, and any security-conscious program should never pass unexamined WM_TIMER functions to the default window procedure. This makes me start to wonder about other flaws in the default window procedures... as Microsoft wants you to think that the defaults it gives you are safe and secure. hmmmm...

How about setting some rules..

[subspacemsg]

If MS can implement a way to forcefully remove instances of windows associated with programs running as localsystem, the problem maybe solved.

I don't think a guest user is intended to modify a localsystem process anyways, then why give the guest user a GUI to do so?

Remember Folks: It may be unfixable...

[namespan]

... but it will also be illegal! So you don't have anything to worry about.

Unless you're one of those crooks who would publish the vulnerabilities to anyone but the company itself or the government, of course....

It's called Dotnet

[alext]

...or did you realize that? Sorry if I missed some irony in there.

Re:It's called Dotnet

[Rick+the+Red]

You're right! I missed that, probably because I don't consider .Net an operating system. But you could look at it that way, sure.

Virus in his code

[agrounds]

In the shatter exploit he's linking on his website, there is a virus in the sploit.bin file. It's a W32.Beavuh, and Norton Corporate flagged it immediately. So, surfer beware! It's hard to take security fame-seekers seriously when their code is trojaned.

Re:Virus in his code

[zoombat]

NAVCE picked it up on my computer too. From Virus List, the exploit gives remote access via a command shell.

Sounds to me like the whole thing might be a really bogus attempt just to root people's boxen. I guess that's what happens when we rely on "news sources" for security information.

Course it could be a false-positive, too.

Re:Virus in his code

[silentbozo]

In his notes he mentions "Yes, I know that I should have written my own shellcode."

I'd take that to mean he's "borrowed" a portion of the W32.Beavuh exploit to show that remote shell priveliges can be granted using his window messaging exploit. Of course, since this looks like it's live, I wouldn't recommend running it on a production machine hooked up to anything...

Re:Virus in his code

[kawika]

Duh! The exploit is *intended* to be malicious code that causes a buffer overrun in an application and could be used to break into a system. That's the point!

Hint to moderators: Try "Funny" next time.

Re:Virus in his code

his code doesn't rely on a buffer overrun.

Re:Virus in his code

[ChrisPaget]

Yes, an antivirus program will pick up the fact that sploit.bin contains the W32/Beavuh "virus". It's not viral - if you look at the Jill source code (where that shellcode comes from) you'll see that the shellcode is injected through the use of an HTTP header called "Beavuh". The initial shellcode parses through memory for this tag, then jumps to it. If you don't believe me, disassemble the shellcode. Failing that, get hold of a copy of Jill and verify that it contains the same "virus". In fact, I'm willing to bet that the same virus scanner will detect hk.exe as a virus, and probably a few others as well. Hell, probably even Netcat will be picked up...

Re:Virus in his code

[kawika]

Huh? He even sends a message to the app that increases the buffer limit to ensure he can overrun the buffer.

Re:Virus in his code

Are you in Cambridge digs?, judging by the shopping in your picture, and the regulatory blue circle on your door, and general state of your kitchen, I should be able to track you down and have you arrested in about 48 hrs.

See you soon sunny!

Re:Virus in his code

[Clowning]

"I wouldn't recommend running it on a production machine hooked up to anything..."

Do you mean Windows or the exploit?

Re:Virus in his code

[Edgewize]

No, he sends a message to the app to ensure that the edit control does not automatically truncate his exploit code when it is pasted in.

This "exploit" has nothing to do whatsoever with buffer controls or buffer overruns. He simply causes a Windows edit box to store a specific data string, and then issues a WM_TIMER call to cause Windows to jump to the address of that data string, which happens to be executable code that spawns a network-bound command prompt.

Re:Virus in his code

[Exatron]

Do you mean Windows or the exploit?

Yes, exactly.

Re:Virus in his code

[davebooth]

Geez, guys.. He pulls shellcode out of an in-the-wild exploit and clearly says so and you act all surprised that the shellcode is picked up by AV software? Whats more he clearly states in his paper that he went looking for shellcode to spawn a command shell on a given port. Was it a bogus attempt to root the boxes he'd not have warned you first exactly what it was would he...

Re:Virus in his code

[zoombat]

yeah, yeah.. I know.. 60 seconds after I hit "submit" it occured to me the conspiracy theorist in me got the better of me, and of course a bunch of scripts and stuff designed to root a box would probably set off some virus checker. Fortunately there are plenty of wiser folks here at /. that pointed out the nonsense.

Sometimes I'm very glad that there are smarter people than me out there! ;-)

Sigh.

[Scotch+Game]

One of the arguments for open source is that the hivemind's access and ongoing audit of the source code leads to more secure applications, as well as benefiting from a community that is proactive and agile in addressing new security issues.

But Windows, historically one of the most closed-source and yet widely used pieces of software on the planet, seems to get the benefit of security audits from the hivemind all the time.

I'd love to write more code on Linux. But I can't, I have to make a buck and my clients use Windows, and that's that. Also, none of my clients read Slashdot. They read EOnline. They use Windows because it's easy and familiar for them. So I get frustrated sometimes, but there's not a lot I can do to proselytize Unix or Linux to these people. They read EOnline.

So maybe we could highlight less front page articles on the latest security flaw in an OS that is widely known as security flawed, and we could do more work to put up stories about ease-of-use work on Linux. Otherwise it seems like we've got a sharp sword to use against a dragon that doesn't seem to be wounded by swords.

Re:Sigh.

[DevNull+Ogre]

You program for Windows. You read Slashdot. This is an article on the front page of Slashdot about a flaw in the Windows Application Programming Interface. I think this article was appropriate.

There's more to Slashdot than bringing down the Beast in Redmond.

Windows Exploit - most dangerous!

[teamhasnoi]

Look for a period by itself on the bottom left of the screen. It looks like an off-pixel. Hold down "Shift", then click on it.

Bam! Root access.

This works on the systems of the DMV, FBI, DOD, Equifax, Telephone and Utillity companies.

I couldn't believe it myself! I said, "This is so easy, even Sandra Bullock could hack this!"

Have local access? Try Locksmith.

[Futurepower(R)]

The method in the article seems like a lot of trouble.

This software provides you a new administrator password: Locksmith.

Umm...

[RadioheadKid]

Essentially, they allow you to take control of any window on your desktop

Isn't that what your mouse and keyboard are for?

Great article, but...

It's "addendum", NOT "addemdum". Sheesh.

i kNEW iT

Windows Is a VIRUS!!!! ;)

Oh really?

[Osiris+Ani]

When I put a service on Win2k, running under 'System' and that service listens to a port and executes all the crap that is posted to that port, is it MS' fault? No. It's the fault of the developer of the service.

Under Windows (at least Win2K), look at your Services control and find out how many of them are set to run as LocalSystem. Most to all of them? Ah, yes. Now look at how many of those are built-in Microsoft Windows components. Most to all of them? Ah, yes.

I suppose, by this token, that it's not the fault of the Win32 API, but instead each and every Windows service that Microsoft shipped and each and every third-party service delivered post-install.

Bad programming, indeed.

--
Please do not feed or tease the trolls.

Re:Oh really?

But how many of those can interact with the desktop? Not many.

Re:Oh really?

[dzym]

I'll step out on a limb here and say that not a single one of them is set to interact with the desktop.

Re:Oh really?

[handorf]

Not to imply that those services are secure (IIS comes to mind) but I cannot think of a SINGLE one which interacts with the desktop directly. They all have management programs which go through the registry or other communication methods (Com interfaces, etc) to interact.

They wouldn't be vulnerable to this exploit.

Re:Oh really?

you're an idiot
he's talking about the localsystem processes blindly executing input they get or interacting with the user's desktop. not just having localsystem processes to begin with

grow a brain before posting again. fool.

Re:Oh really?

[Doomdark]

No, no, no. Read the article, mr. Idiot. If it was about blind execution by app, Microsoft wouldn't be to blame.

The problem is blind execution by messaging system, without apps having a say on that. Send one of useful message to app's message queue, and see it executing useful code you provide.

Re:Oh really?

[Ardax]

Come off of the limb, I'd hate to see it snap out from under you. There's several MS services that run as System and are flagged Interactive in Win XP.

Like the Print Spooler, for example. As well as Protected Storage, Task Scheduler, and a few others, including Network Connections.

That's right, if your machine is connected to any kind of network at all, you're vulnerable.

Re:Oh really?

[lonedfx]

I agree, this is definitly exploiting the antivirus software, not Win32. The bad press should go to the company who made that AV, as the weekness was introduced by the administrator who trusted it and installed it on his workstations.

Bad programming practices happen all the time, but when you start fiddling with System priviledges, you should not rely on quick'n'dirty-type developpers, or it will lead to this.

It has indeed been known for years, and many legitimate softwares have taken advantage of this already, Windowblinds, E-Sense (win32 E), and many many others. It's a very well known entry point to inject code in an process.

If your system-level developpers don't understand that, should they be working for you ? There are many capable people out there...

lone.

Re:Oh really?

Now use Spy++ to look at every window opened by those services and see who owns it. MSFT might have the process switch to some other user before creating the windows...

Re:Oh really?

[t0ny]

Ya, just another fine example of the /. morons blindly bashing MS, just because they can. Interestingly, I submitted tons of articles of things that MS has done well, and not a single one of them has shown up. Strange... you dont think /. has an agenda, do you?

Re:Oh really?

[t0ny]

I think you need to go buy a clue. All the examples cited are about hijacking a window, and using that window's account privileges. Thus, if that window runs in a higher context than the user is allowed to (like a service that interacts with the desktop), the user can run code, via that window, in a higher context. As stated, MS recommends you dont have services interact with the desktop. If a programmer has his head too far up his ass to hear what MS is recommending, that isnt Bill's problem. And it definitely isnt "Windows Shattering".

Re:Oh really?

Strange... you dont think /. has an agenda, do you?

Not as obvious as yours.

Say, is it raining in Redmond?

Re:Oh really?

[cookd]

Not blind. You can toss any message between GetMessage and DispatchMessage if you want to, including all of the messages in the mentioned article -- consider it a logical location for a firewall if you are concerned about things like this. Windows doesn't simply respond to the message for you. It is the default handler that causes problems.

Re:Oh really?

[rTough]

I'm not so sure about my comment here, but i actually believe that most do.

The easiest way of for example implementing networking functionality in Windows using winsock is to bring up a hidden window that you use as a message hub for the networking messages.

You could try to show all windows. When i tried i the last time (A bug in one of my own programs) I got at least 30 windows. I'm not so sure how many of them belonged to a service running as localsystem, that was not in the scope of the bug, but i seems possible that there should be atleast one...

The "security issue" however is not news. A for some reason it feels as though it should be a problem. But who knows....

Re:Oh really?

[Doomdark]

Yes, and you are just reiterating what I wrote. Even though window has higher execution rights doesn't mean it has to let anyone use it as straight launcher tool for executables. That is the problem.

There are n+1 things that are not potentially good things to do, but that shouldn't be as fatal as this one may be. Is it really unreasonable to expect that there are no glaring security holes in your platform's GUI components.

Read the article and check comparison to X-Windows to see a sane approach to handling message queue.

Re:Oh really?

[Doomdark]

Hmmh. It seemed to me, reading the article, that some messages can not be handled by app even if it wanted to (the timer message mentioned). If you are right in that app can potentially get all messages and do proper handling, then article was indeed misleading.

Apps mishandling messages it gets (like just blindly executing them) is stupid, and none of MS fault. Article didn't make it look like that is the case though.

Re:Oh really?

[cookd]

Quote from MSDN:

You can process the message by providing a WM_TIMER case in the window procedure. Otherwise, the default window procedure will call the TimerProc callback function specified in the call to the SetTimer function used to install the timer.

The "default window procedure" happens after you've had 3 (or more) chances to process the message.

Re:Oh really?

[Doomdark]

Fair enough... the original article apparently got that wrong, then (and I trusted writer to have checked that). I guess that's good news, but I wish authors did check basic facts, as this was pretty fundamental chain in his reasoning.

Combine with tactile feedback!

Since we just learned that the desktop is moving to tactile, physical interfaces,, does that mean the Win64 version of this exploit will involve hijacking, say, breasts instead of windows? "Just grab the PornoScan breasts to get the 3D handle..."

Fucking stupid

[RadioheadKid]

1 this is old
2 this is old
3 this is definite windows bashing
4 if you really understand what is going on here, its not a big deal.
5 this is old

Re:Fucking stupid

[DunbarTheInept]

So you think it's unfair to blame Windows when the exploit is in the default behaviour it gives you when you do nothing about one of the GUI messages?

Re:Fucking stupid

[RadioheadKid]

Yes, quoting one of the more sensible /. readers:

This "vulnerability" only effects poorly-written applications, running with system priviledges, which create windows in user-space.

You're not supposed to do that.

If you want to have a service which is user-configurable, create two separate programs (one service & one gui) and communicate via a named pipe.

This isn't a flaw in the win32 API. This is a flaw in some applications which run under windows.

Re:Fucking stupid

[DunbarTheInept]

I know that that is the recommendation from MS. The difference of opinion is that you think telling programmers to not use it absolves MS of responsibility for their insecure GUI. I do not. If an application fails to jump through the reccomended hoops to avoid the flaw in MS's default behaviour, that doesn't magically shift the blame to the app. Note the word "default". It's very important here. The bug is what surfaces if you *don't* do anything special in your application program. If I burned a CPU chip that had a flaw that started the chip on fire whenever you execute an illegal instruction, it would still be my fault, even if I say "please don't have illegal instructions" in the programmer's manual for it.

This isn't really news.....aka Winbatch

[haplo21112]

There is a well know programming language for doing this....

Its called Winbatch, and its a commercial product....

It's already fixed.

[Florian+Weimer]

It's called "window stations" and "desktops". There are separate hooks, message queues and so on. In short: everything that is necessary. Maybe there are implementation flaws, maybe the interfaces are extremely difficult to program (I don't know, I haven't tried), but the design is sound.

15 minutes of MSDN browsing were required to discover this (and I spent 10 minutes on finding the entry point to the API documentation using Mozilla). Why can't people read the documentation?

mod up

good points all around, nice post.

-Jon

slashdot = windows bahers... duhh..

since when has slashdot been fair to windows?
They want to be 'cool'

New Name & Clarity

[limekiller4]

The paper is very, very clear and I am very, very glad that I don't run Windows. =)

While "Shatter" is a great name, it would have been a great inside joke if he called it "Defenestrate". =)

You can do this in Linux/Unix/X11

Any X11 window on the desktop can take over any other X11 window. This is well documented and is not a hack/crack. it was done by design.

I have written a couple of X11 applications that have done this. It is, actually, a nice feature. I was able to change to look of third party application to look like the applications that we packaged with our product (my old job). The user never knew that it was not our application. Took out their toolbar, replaced it with ours, never even needed the source.

The security exposures in the Windows GUI are nothing compared to X11. I wonder how Mac OS-X is? I am sure it is the same.

Re:You can do this in Linux/Unix/X11

[lprimak]

Well, not exactly: X11, by default, does not allow other users to connect to a X server running by other users. You have to do either "xhost +" or "xauth add ..." to allow other users, so X11 is not a problem. MacOS X does not allow other users to connect to the Display server at all. It's done via Mach messages, which are read/write for the specific user running the UI server only.

Won't work because of multi threaded/process apps

[Vicegrip]

Many applications actually use Windows messages to synchronize themselves between threads and processes.

In fact, there is also an API called PostThreadMessage that will post any windows message to any win32 application (all you need is the thread handle) with a message pump.

Out of process COM interfaces using windows messages will also be broken by removing this functionality.

Microsoft's excuse that having physical access to a machine is required is abysmal.

not just physical access

[MORTAR_COMBAT!]

it works across terminal server, also, which means you bring in a terminal client and plug in, get access to a user account (think there aren't any giant post-it notes of "my login/password" on half the desks in any given office?), and viola. they have rooted the terminal server and can do whatever the hell they want.

the terminal server may be behind 8 inches of steel and plexi-glass. but this compromise shatters that, too.

It's not unfixable

[geekee]

The problem isn't unfixable. It's just more work than MS and other sw authors are willing to commit to. Sounds like the Interface between the window manager and the kernal needs to be reworked, either by all programs with root privileges, or implemented generically in the OS. Anyway, I'm glad someone exposed the weakness so it can be analysed, and appropriate steps taken to fix it.

First Exploit?

[blrichwine]

Ever read Hardcore Visual Basic programming? Using the API to enumerate other windows and send signals to them is what it is all about. I've often used Visual Basic to automate other programs by detecting windows, dialog boxes, etc. and sending key strokes to them. This is basically how all those really cool screen readers for the blind used to work before MS opened up and API for them.

Windows isn't really a multi-user system anyway (at least not simultaneously). If you are running multiple programs at the same time and they have access to the windows API, COM, OLE, etc. then you just have to assume that they can control each other...

Shattering Windows?

[c4tp]

What else shatters windows? That's right, opera!

Okay, bad, bad, BAD pun. I just couldn't resist.

sprintf

[Ender+Ryan]

sprintf is severely flawed because you cannot tell it how much space is allocated for the string you are writing into. So when you call sprintf, you have to be sure that the sting you are writing into is long enouch, which in many cases is not possible.

Why this is only a Unix problem I don't understand, as sprintf is defined in ANSI C, so I would think it'd be a problem on any system with a C compiler.

Hopefully someone more knowledgeable will explain.

Re:sprintf

[handorf]

It isn't a Unix only problem. You can do the exact same thing with sprintf on any platform where you can find a version of it (e.g. almost any)

As the original poster said, snprintf is good, sprintf bad.

Re:sprintf

[Ender+Ryan]

Thanks, that what I thought. I don't know what the original poster meant...

Re:sprintf

[Cro+Magnon]

Doesn't gets() have the same problem?

unfixable?

[fsck!]

I'm sorry, but telling an engineer that something is unfixable is probably the single best way to get them to fix it.

The nut of the problem

[timeOday]

Only for those who didn't take time to read the whole article, here is the gist:

The final message that we're going to make use of is WM_TIMER. This is a slightly odd and very dangerous message, since it can contain (as the second parameter) the address of a timer callback function. If this second parameter is non-zero, execution will jump to the location it specifies. Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it. Silly, silly, silly...

Re:The nut of the problem

The funny thing is he didn't even check. If he did, he'd have to take that statement back. Of course the WM_TIMER makes it to the WndProc, and there you can catch it and eat it. However, if the application sends it along to the default WndProc, it will get executed. Might be a good thing to catch and kill all WM_TIMERs that you know aren't yours by checking those function pointers and timer IDs.

Re:The nut of the problem

[s3ndk3yz]

The memory address would have to be in the process address space of the executable that was recieving the evil timer message. This is a pretty convoluted and not effective way of controling other processes. The king of process control is DLL injection, API hooking, and ReadProcessMemory/WriteProcessMemory. All of which are fully explained (including sample code) in Programming Applications for Windows by Jeffery Richter.

Trustworthy Computing

[TheCabal]

Again, the Old Guard of the Anti-Microsoft "Can't do right anytime" Regime (read: Timothy), attacks with a flawed premise: attack Trustworthy Computing.

Newsflash, Tim: First the shatter exploit requires some unusual circumstances, and relies on shoddy programming. Second, the Trustworthy Computing concept is nary a few months old at Microsoft. Somehow they're supposed to magic all kinds of bugfixes to your old Win9x box? Give me a break. You'll see these advancements in security in .Net and Palladium.

Windows DoS

Of course, you could just come up with the ASCII-keypad sequence to do a \n\b\t or something like that...backspace followed by tab results in a BSOD in versions of NT/2k, and is short enough to hack in by any user.

How about Internet applications written with dot n

[dg123]

Is there a way, with dot net, to write an Internet application that enumerates Windows that are local to the machine, searches an Edit Box in one of them, pastes malicious code to it, and sends a WM_TIMER message so that it executes the malicious code locally with the privileges of the user ?

Microsoft did have a point...

[Shalda]

The point Microsoft made in their response was that this can be fixed on an application by application basis. I personally would be interested in seeing this attack carried out against a program that is part of the standard Microsoft desktop.

Curiously, when I downloaded "Shatter" from the article, Norton AV flagged the file with the exploit code, sploit.bin, as the "W32.Beavuh" virus. However, Symantec provides no further detail of this. I suspect this is merely NAV doing its part to beef up security, forcing would be crackers to actually come up with their exploit code.

the problem...

[Pfhreakaz0id]

as others pointed out below, you should separate the parts of your service (or whatever) that need to run with system privs and have them talk to a separate GUI app (which isn't running with system privs).

The real problem is third-party apps. It doesn't surprise me that there are a TON which don't do this. There are a ton of things which just don't function when run under anything other than an account in the local admin group). I think this is a holdover from the 9x days. Hopefully, these problems are getting fewer, but I had a scanner which simply wouldn't work with a non-admin account. Tech support thought I was nuts "I don't want to do that! why not?".

the "culture" on NT/2k/xp is you are running under admin. The "culture" of unix is: Don't run as root! I would prefer to not have my usual account in the admin group and instead use a "run as" shortcut when I need it (or log in under the account). Everytime I've done this, I've gotten tired of handling all the little crap permissions and just switched my account back.).

What a load of tripe.

[Uller-RM]

I'm really, really disgusted that this even got posted. This isn't a Win32 vulnerability, it's a Virusscan vuln. (Watch my karma burn, I'm actually defending MSFT... but hear me out.)

For those of you who aren't familiar with Windows programming, here's what he's doing. Viruscan's GUI is very poorly written and doesn't check for a maximum length on a text box's input. So, he adjusts the size of a textbox using an outside program to 4GB. (Windows unfortunately allows this, since the message format doesn't include a "sender" field to check against the owner handle.) He then inserts shellcode in it, attaches a debugger to the process and searches all of memory for the start of the shellcode. Real efficient, this one.

He then sends it a WM_TIMER message to trigger it. WM_TIMER is usually sent to your window on a regular interval when you've called SetTimer(), and contains either an integral ID or a pointer to a callback in memory. So, he sends it a fake WM_TIMER, and Viruscan executes the callback blindly.

You know what, I use WM_TIMER too in my apps - but, there's two simple ways to defend against it.

if ((void *) msg.lparam != known_cb_address)
{
return false;
}

if (0 != IsBadCodePtr((FARPROC) msg.lparam))
{
go_fuck_yourself();
}

And if I'm not using it, special-case it so that it doesn't fall through to DefWindowProc().

Seriously, all this guy is doing is buffer overflowing a poorly written program to get Administrator privs. That's like claiming that glibc is insecure and should be thrown out because it has sprintf() or gets(). Ya know, I can buffer overflow a poorly written suid app too, but that doesn't make the libc to blame, nor have we published articles lambasting the GNU Project for not putting bounds checking into those functions.

This guy's just trying to sell himself, and you guys were more than helpful. Maybe I should write a system service that subclasses MSIE's WndProc with a single function that calls ExitProcess(1), and see if Slashdot will find me a security job.

Re:What a load of tripe.

[Glorat]

Sorry, I disagree with many of your comments here. While you've successfully tried to be objective without flamebait, some of the facts you have aren't true. I will try to be equally objective

This isn't a Win32 vulnerability, it's a Virusscan vuln
It is a Win32 vulnerability in that it is even possible to have this kind of elevation of priveleges by "poorly written" services. Basically, any system service that interacts with the desktop is vulnerable (virus scanners). McAfee interacts with the desktop. This is bad too.

Viruscan's GUI is very poorly written and doesn't check for a maximum length on a text box's input
It does, it has a set a maxlength of 4. Unfortunately, the vulnerability allows this to be bypassed. I'm sure the GUI will complain when you press the OK button but since we never get that far, the app never gets a chance to check the length change.

He then sends it a WM_TIMER message to trigger it... but, there's two simple ways to defend against it
That's good practice but the real problem is where you comment yourself... And if I'm not using it, special-case it so that it doesn't fall through to DefWindowProc(). It's too much to ask any app that doesn't use WM_TIMER to put in this handler in all their apps. Further, I bet WM_TIMER isn't the only message he could use to trigger code.

Seriously, all this guy is doing is buffer overflowing a poorly written program to get Administrator privs
Not any poorly written program but all desktop interactive services in existance.

Ya know, I can buffer overflow a poorly written suid app too
Fortunately, the community tends to be able to fix these things by patching the source. There is no fix for this problem

This guy's just trying to sell himself
OK, I will agree with you here... a little

Maybe I should write a system service that subclasses MSIE's WndProc
No no no... you've cheated. As a system service, you already have priveleges. The exercise of this paper was to do with with Guest priveleges

Regards,

Re:What a load of tripe.

[Peachy]

Viruscan's GUI is very poorly written and doesn't check for a maximum length on a text box's input.
After reading the paper I got the impression that there's a whole load of apps which are prone to this type of attack. Perhaps someone can clarify this?

Re:What a load of tripe.

[Uller-RM]

Every window's internal structure includes a pointer to a function called a WndProc. The function reacts to messages, and effectively defines how and what that window does.

The problem is that the vast majority of apps out there look like this, mainly since Microsoft uses this structure in their own books and help files:

switch(message_type)
{
case WM_CREATE: ...
case WM_LBUTTONDOWN: ...
etc...
default:
return DefWindowProc(hwnd, iMsgType, lParam, wParam);
}

Microsoft provides a moderately reasonable default procedure to fall out to, so that programmers don't have to write a case for every single one of the myriad standard messages.

The problem is that DefWindowProc doesn't check the validity of a code pointer before executing it, it just automatically jumps to any function specified in a WM_TIMER message.

So, without changing that function, any program that doesn't explicitly check for WM_TIMER is vulnerable... if there is a way to insert shellcode into the process' memory space. The exploit in the article can do it because Viruscan doesn't sanity-check their text boxes, so he can paste up to 4GB of material into the box, and tada.

Re:What a load of tripe.

[Assmasher]

>It is a Win32 vulnerability in that it is even >possible to have this kind of elevation of >priveleges by "poorly written" services. >Basically, any system service that interacts >with the desktop is vulnerable (virus scanners). >McAfee interacts with the desktop. This is bad >too.

If that is so, how do buffer overflow cracks manage to run themselves with elevated priviledges? Answer, they don't because the security level of the attacker is not the point of this 'flaw.' The point is that you can execute code at the level of another process by exploiting this 'overflow' like condition. Just as you can with many *nix applications. The fix for this IS the app. Of course, in fantasy land, the fix would be the OS...

Re:What a load of tripe.

[Uller-RM]

It is a Win32 vulnerability in that it is even possible to have this kind of elevation of priveleges by "poorly written" services. Basically, any system service that interacts with the desktop is vulnerable (virus scanners). McAfee interacts with the desktop. This is bad too.

By the same token, is it a UNIX or Linux vulnerability if I run an insecure daemon suid root and someone buffer overflows it to get root privs?

It does, it has a set a maxlength of 4. Unfortunately, the vulnerability allows this to be bypassed. I'm sure the GUI will complain when you press the OK button but since we never get that far, the app never gets a chance to check the length change.

I'd disagree with you there. Viruscan's assuming that nobody will fuck with its code (the worst mistake you can make when dealing with crackers) and that it'll never get more than 4 characters. Maybe it's just me, but I automatically check length whenever I do ANYTHING with a buffer, and usually I make a quick call to IsBadWritePtr(buf, len) or IsBadCodePtr(callbk) while I'm at it.

Yes, technically you can't prevent him from changing the text box's maxlength, short of subclassing the text box with a custom WndProc after initializing that discards said messages. But that doesn't mean you can't write your code in a robust manner.

It's too much to ask any app that doesn't use WM_TIMER to put in this handler in all their apps. Further, I bet WM_TIMER isn't the only message he could use to trigger code.

I grant you that - MSFT fucked up by writing DefWindowProc() to blindly execute a callback. However, while tricky, I don't think it's fair to say that it's an unfixable problem, or that this is any different from some of the assumptions made in glibc's functions.

Fortunately, the community tends to be able to fix these things by patching the source. There is no fix for this problem.

Yep.

No no no... you've cheated. As a system service, you already have priveleges

I was being sarcastic by that point. ^_^

Re:What a load of tripe.

[Glorat]

By the same token, is it a UNIX or Linux vulnerability if I run an insecure daemon suid root and someone buffer overflows it to get root privs?
There is a similarity and a distinction. The similarity is that yes, Mc Afee shouldn't make its service interact with the desktop. (Sidenote: Coulda sworn you could disable desktop interactivity... maybe it should be forced). The distinction is that *any* such app, no matter how well written is vulnerable.

Maybe it's just me, but I automatically check length whenever I do ANYTHING with a buffer
Same here but nobody a range check for *every* single text box you have on every *keypress* event. It's not even an industry standard to do that. That makes this buffer overflow is far more subtle than most.

Re:What a load of tripe.

[Uller-RM]

Same here but nobody a range check for *every* single text box you have on every *keypress* event. It's not even an industry standard to do that. That makes this buffer overflow is far more subtle than most.

Of course not - but if my keypress event involves copying text into a buffer, I'll be damned if I do it blindly. Doesn't mean I need to range check every single box, just the one that's being changed (and hence needing to be recopied).

"Not an industry standard" is hardly a valid excuse. You don't need to be paranoid on every single app and event you write, but "checking a buffer you're about to write into" is hardly some guru concept, it's damn near common sense.

Re:What a load of tripe.

[Glorat]

You're right in everything you say. Unfortunately, it's the Windoze code that is putting the text into the buffer when the WM_PASTE is issued, not you. You only get to know about it *after* it has been put into the buffer with some windows event.

If we wanna get real technical, Windoze *does* do a range check on the text box buffer on WM_PASTE... unfortunately, the previous window message set the buffer length to 4GB! You can't account for such code, hence it is not industry standard (or any standard for that matter) to check the text buffer on every change event since it is outside your code's juristiction

Re:What a load of tripe.

[Uller-RM]

Very true. However, keep in mind that it's not really an exploit to do this. We would like to hope that we could prevent anyone from changing its parameters except us, but short of subclassing a text box, we can't do that.

(Well, it actually wouldn't be too bad. We write a single WndProc that discards all messages except the essentials for operation (and NOT setup) and then call SetWindowLong after every initialization to "lock" it, call it again to unlock it with the default WndProc from the TEXT atom.)

Also consider that WM_PASTE is being issued from the textbox, and it's the textbox wndproc that's doing a DDE copy (or whatever they use these days for transfer in 2K/XP) from the clipboard to the text box's internal buffer. That's entirely client side.

The real vulnerability in this exploit is the lack of sanity checking on DefWindowProc's WM_TIMER handler, not the text box, since you could still look up the shellcode in the text box's buffer without having to copy it into your own. The text box is just one of the many unfortunate ways it could be abused, and a decent example of the more general problem of insecurity in the message dispatch design. However, there's no way to fix the general problem without breaking a number of apps - and we also can't really dismiss said apps as legacy, either. There's also a problem in that Windows doesn't take advantage of the x86's ability to mark blocks of memory as non-executable... but that's a whole other rant.

The only way I can see to prevent such abuses is to write a homebrew set of widgets that use genuine transactions to perform operations, providing security at the cost of performance. But then, if you allow the hacker to have a debugger installed on the system and ready to go, then you're also likely allowing him to replace the USER32 and KERNEL32 libraries with dummied ones, and really, nothing is safe.

Re:What a load of tripe.

[Mike_L]

The problem is that WM_TIMER is handled incorrectly by the Windows common control library. This means that every program that uses a standard Windows edit box, button, or scroll bar is probably vulnerable to this shatter exploit. Comctl32.dll IS part of Windows and hence it IS Microsoft's fault.

Re:What a load of tripe.

[jquirke]

Linux and FreeBSD don't really take advantage of the x86 ability to mark code as executable either. It's not just WinNT. Well technically the non-x86 ports do in the VM code, but the x86-specific VM code simple considers "executable" and "readable" the same thing.

No OSes these days really use segmentation to its slowness and complexity. They prefer to handle everything at page (VM) level, which really differentiates between system (ring0-2) and user (ring3) privilege levels. Also, x86 paging cannot change execution privileges on the code (this goes back to the design elements of the x86).

In order to implement something your suggesting would mean always screwing around the with GDT and LDT, and define regions in the virtual address space for each process for different purposes, in a manner which is inflexible.

--JQuirke

Re:What a load of tripe.

[dannannan]

Actually your WndProc will never be called in response to a WM_TIMER message. WM_TIMER messages are handled by a special case inside DispatchMessage, which is where the jump to the callback occurs. If you want to intercept WM_TIMER messages, you need to intercept them prior to calling DispatchMessage.

D

Re:What a load of tripe.

[dannannan]

You might want to go back and have a second look at your "secure" WndProc. WM_TIMER messages aren't sent to the WndProc when you call DispatchMessage. They're special-cased such that the callback occurs without invoking WndProc. You need to catch them before you call DispatchMessage.

Besides this technicality, the essence of your post makes sense.

D

Re:What a load of tripe.

[Old+Wolf]

No - the problem still occurs even if VirusScan does check the size of the edit control. It occurs even if VirusScan never looks at the contents of the edit control. The edit control automatically allocates memory when it receives a PASTE message. Even if you then access the edit control and say "give me your first 4 bytes" (or "truncate to 4 bytes"), the entire paste is still in the allocated memory, which is enough for this exploit to work.

To prevent this paste you would have to either filter WM_PASTE messages (and any other messages that have similar functions), and/or filter the message which sets the maximum length of text.

Re:What a load of tripe.

[samdu]

(Windows unfortunately allows this, since the message format doesn't include a "sender" field to check against the owner handle.)

Doesn't THAT make it a Windows issue?!?!?!

-Sam

Nice try

[The+Bungi]

This is very interesting reading (not). This dude is a 30-something loser wannabe hacker that throws away all measure of the respect he was trying to obtain by peppering his "paper" with 1337 speallingz like "0wn" and "sploit" to feel more in the know.

His "technique" is kidde fare, nothing any experienced Windows developer doesn't know. His whole premise is based on the idea that "running as SYSTEM" is bad - SYSTEM is designed to be used to run non-interactive services such as SMTP or MSMQ. Installing a service requires administrative rights, as does telling the SCM (Service Control Manager) to allow a given service to interact with the desktop. Microsoft's response is the one I expected to see given how long this "vulnerability" has been known. If you must run a service that interacts with the desktop, run it under a local account which can be locked down and prevented from doing specific things. If anything, this is more the AV vendor's stupid mistake than anything else.

There are tons of actual, real vulnerabilities and problems in Windows (outside of IIS), and most of them reside in the shell code. But those are significantly more difficult to get at than this.

So Mr. "Foon" has proved himself a real bofoon, showed us he sorta kinda understands the process messaging architecture and he knows how to use a debugger and, h^xx0r him, netcat. Woopdedoo!

Not to criticize the editor's "integrity" of course. Who would even consider posting this article for half a million people to see before checking the facts.

Hey, I know! I'll get a website, a kewl IRC handle like "boon", post some techie-sounding text related to some vague problem with Windows and then call it a paper.

1. Paper
2. ???
3. Recognition! Fame! Fortune! Girls! Coverage! Beer! Girls!

Re:Nice try

[demaria]

1. Paper
2. Have it spread around and read by a bunch of people, hopefully being misunderstood by all as a major completely unfixable security hole in Windows.
3. Recognition! Fame! Fortune! Girls! Coverage! Beer! Girls!

Re:Nice try

Hi, Bill! So, are you going to eat Steve on the next episode of "Survivor 2.0"? Just give me a hint. I've got some money riding on it.

Re:Nice try

[Alsee]

Shouldn't that read Recognition! Fame! Fortune! Coverage! Beer! ?

I fail to see how post some techie-sounding text related to some vague problem with Windows is supposed to lead to girls :)

-

Poor MS users

Excerpt from the MS response:

Law #1-- "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore,"
and Law #3 -- "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."

Poor MS users, they finally admit it's not your computer anymore. 8P

not only that....

[CausticPuppy]

Isn't "available as a freelance blah blah" the same thing as "unemployed?"

I smell another motive here... what a convenient way to tell the world, and potential employers, about all your Mad SkillZ.

How do you rescind acceptance of the EULA?

[burgburgburg]

When the Windows Media Player patch came out, I installed it on a box that I sometimes use. It was only later that I found out about the DRM component of the EULA. I immediately removed WMP. But does that legally rescind my agreement?

I'm asking a legal question: does removal of the software constitute rescinding your agreement? Or if Microsoft has somewhere noted your initial agreement, is it in perpetuity? Does Microsoft permanently own that box?

Re:How do you rescind acceptance of the EULA?

Microsoft OWNS your ass! ...and the rest of you, too.

Re:How do you rescind acceptance of the EULA?

[Bingo+Foo]

Or if Microsoft has somewhere noted your initial agreement, is it in perpetuity? Does Microsoft permanently own that box?

Here is where many people get confused by legal definitions and concepts of property, contracts, and so forth. Allow me to attempt to clear this up: Microsoft does not "own" your box. In legal parlance, Microsoft "0wnz j00!!!!!"

Re:How do you rescind acceptance of the EULA?

[seann]

no, because you have every right to stop them even if you "agreed"

Re:How do you rescind acceptance of the EULA?

[AvitarX]

The EULA itself should tell you how to get out of it. Most likely deleting WMP would do, but they could very easily say "this contract is binding, blah blah you must delete all MS software to get out of it".

My warcraft III EULA says I must delete the program and destroy the media to rescind the contract after agreeing to it. Or before hand I can send them the unused media for a full refund.

Re:How do you rescind acceptance of the EULA?

[DavidBrown]

Well, if you violate the EULA, you are in breach of contract. If you remove the software, you will be limiting your damages to the damage you caused prior to the removal. But the real question is this: Is Microsoft going to sue you? No, unless there are damages.

Is Microsoft damaged if you use their products to steal music? No, unless Microsoft gets sued by RIAA for providing software that facilitates your violation of copyright and then loses, after which they'll come after you in an action for indemnity. Until then, Microsoft isn't going to get anything from you in a courtroom because you haven't caused them any damage at all - and that means until RIAA and the MPAA sue Microsoft, you don't have anything to worry about.

Re:How do you rescind acceptance of the EULA?

[Milican]

I think if I had more free time or perhaps I was super rich I would buy an @SSLOAD of WCIII CDs or any software and just send them back and demand a refund. That would be loads of fun, and I bet the media would laugh at it too.

JOhn

Re:How do you rescind acceptance of the EULA?

[AngusSF]

When the Windows Media Player patch came out, I installed it on a box that I sometimes use. It was only later that I found out about the DRM component of the EULA. I immediately removed WMP.

And just how, pray tell, did you do that? WMP is hard-wired in to my Win2k system; "removing" WMP 7.1 and patches just reverts to WMP 6.4, which is vulnerable to most of the same holes and requires the same patches.

Plus Win2kSP3 has the same EULA and we can expect future WinPatches to have the same EULA.

Time to find a different platform [sigh]

Re:How do you rescind acceptance of the EULA?

There is no contract in this case, which is why it is a EULA not a EULC. In the case of downloaded software there is no consideration to the supplier; therefore, there can be no contract. Since there is no contract, you can not breach the contract.

You can't but do that

[dg123]

In Windows, every application has a Window Handle, whether it displays a Window or not.

1. Just get the Window Handle of a high priority (hidden or not) application.
2. Find some control (probably not an Edit Box in this case, but anything) where you can paste text (or data).
3. Paste malicious code there.
4. Send the WM_TIMER message with the address of the malicious code.

Worse, if you do not know of any particular Window that has high privileges, why not write your malicious program so that it tries with every Windows ?

It may just be my imagination, but...

[xA40D]

Does this particular problem suggest that Windows was not designed as a true multi-user network server OS. All apps can be accessed via a single desktop regardless of who the user is? WTF?

I started to worry about this when the Microsoft support site suggested a valid fix to get MS-Money to work was to give the user full administrator access.

Now it looks like they've built the whole API with this mindset.

FOON is a BAPHOON

[johann909]

This foon character is a moron. He should of wrote a paper called, "How to speak authoritatively on things you know little about." This is not even a big deal because it requires physical access to a machine. With that level of access, you could kick the machine with a boot or throw a grenade at it. Nothing can be secure that way--even linux. Find some remote security holes that can comprimise "national security" This idiot made a fool of himself

sprintf() is nothing Linux-specific

[SLi]

What, by the way, makes you think sprintf() is only a problem on Linux? You do have that on Windows too, don't you?

This just in

[GoatEnigma]

My House, Universe of Highly Probable Parallels: In a recent twist on the discovery of a way of hijacking your MS Windows computer using simple API calls, it was revealed today that there is an undocumented API function called RIAATakeOverComputer() that can also be used to fully exploit Windows. Microsoft VP Jim Allchin could not be reached for comment as he was in security talks with RIAA executives...

Might want?

[The+Bungi]

You may want to read this CNET interview with Microsoft security head Scott Charney to learn even more about "trustworthy computing."

And you might want to learn how to give a "paper" the once over (at least) before allowing fucktards like this one to root you in front of all your readers.

Lazy Programmers

[Detritus]

I don't think that it is fair to characterize the original developers of Windows as lazy. The typical PC was running MS-DOS, a primitive single-user operating system, when they were making the fundamental decisions about the architecture and design of Windows. Many of the design decisions that people like to bitch about can be traced back to what was necessary to implement a usable GUI on a grossly underpowered computer without protected memory or any semblance of a modern operating system. The Macintosh developers made similar decisions when they implemented MacOS on an 8 MHz 68000 with 128K of RAM. There is a huge chasm between a single-user microcomputer with limited RAM, CPU and no networking, and a modern networked multitasking workstation with a security model.

Re:Lazy Programmers

[adam_megacz]

I don't think that it is fair to characterize the original developers of Windows as lazy.

No, and I don't consider them lazy. The people I consider lazy are the developers who didn't fix this design in future versions of windows.

The Macintosh developers made similar decisions when they implemented MacOS on an 8 MHz 68000 with 128K of RAM.

Yep, and Apple had the common sense to ditch that design and use a real OS for Mac OS X.

This is a flaw

[ChaosDiscordSimple]

At lot of people are saying that this is an application level problem and not a flaw in Windows. That is wrong.

The core result of the attack is that it is impossible for a high privilege program to display a GUI interface to a low privilege user. That is a silly limitation, certainly one that that other GUI systems like X Windows do not share. Sure, you can work around the weakness by having a low privilege GUI talk to a high privilege service over a local socket, but it shouldn't be necessary. This gross "fix" will complicate the situation, potentially opening additional security holes.

Microsoft tried to deflect the issue by hiding behind, "If the user is local to the machine, or can run his own binaries, he owns your machine." It sounds nice in theory, but falls apart when the "user" in question is actually an opportunistic virus looking to add the machine to a distributed denial of service cluster. Many corporate environments lock down the machines not for fear of user attack, but to limit the damage of viruses and other malware. If the malware can exploit this technique to gain elevated privileges, your security steps are worthless.

Ultimately, with a bit of care, a high privilege program should be able to safely interact with a user through any means, be it command line, GUI, network, or otherwise. If the operating system makes this impossible, the operation system has a flaw.

Re:This is a flaw

[Panaflex]

A comment on X:

X windows may possibly suffer from the same problem, though. Motif and AWT both use the Xt (X Intrinsics) code which does in fact use callbacks (simular to the WM_TIMER). Also, Xt allows applications to "talk" to one another through the X protocol and can understand paste from clipboards.

For an example, try running xedit and using editres to see this mechanism in action.

Though certainly, most people arn't running Xt based applications at root privelage levels... unless they're running SMIT or some other system management console.

Also, I believe it would be quite a bit more complicated to develop as Motif and AWT are complicated enough as it is.

Pan

Re:This is a flaw

[kevquinn]

It is perfectly possible to write the VirusScan thing properly in Windows. Microsoft even tell you how to do so, if you read all the stuff they've written about writing services, desktop apps and the like. Which you could reasonably expect a security software vendor to have done.

a high privilege program should be able to safely interact with a user through any means, be it command line, GUI, network, or otherwise

I disagree. It is unreasonable to expect the operating system to protect you from all possible types of badly written application. A high privilege program should restrict all means of interaction to a strict set that it can control and verify. In the case of VirusScan, the service should not be opening windows. By all means write unprivileged command line, gui, network etc applications which can use the single strictly controlled interface that the service handles, but don't expect to write the service to cope with any kind of input channel and demand that the OS protect you.

The simple (and obvious) way to write such software, is to write the privileged bit as a service (somewhat analogous to a daemon in Unix), and the GUI as a separate unprivileged user-land app. The service runs with whatever privileges are granted it, independent of the priviledge of the user logged in. The separate GUI application, running in the user space, communicates with the service by whatever method is convenient (defined strictly by the service). The service then checks all communications it receives for validity etc before processing any of it. This means that as long as the service checks its inputs properly, no malicious GUI app can force it to do things it shouldn't be doing.

The point is, Windows NT does not make this impossible. It does make it possible to write crap software that compromises security, but hey that's the case with any operating system. It's quite possible to write a 'su' replacement that doesn't check passwords, for example - there's a command line app idea that the OS won't protect you against, and it'd be handful of lines of C code.

It takes administrative rights to install the software; that's when it gets its privileges. In this case, it takes admin rights to install VirusScan, and that's when the security got compromised - the installation gave privileged rights to an application which opens windows on the user's desktop. I'm also not convinced that X isn't susceptible to the same issue; as far as I'm aware X uses a message queue to communicate between windows, the user etc - there's nothing in X to say you can't cause a buffer overflow in an application by sending it a malicious message, it's up to the application to check its inputs, and that includes its messages.

One thing this does show, is that closed-source software can't be trusted in the same way that open source can. It's a lot harder to perform a useful security audit on your system if you don't have the source code to the privileged applications you want to install. How would you determine that VirusScan violates the design guidelines for secure services, short of cracking it (which presumably violates the DMCA of course)?

Of interest, I wonder if the McAfee stuff has the same basic design flaw...

Re:This is a flaw

[Omnifarious]

Actually though, X doesn't really have this flaw.

Cut & Paste is handled very differently in X, and it's much easier to handle someone trying to paste evil things into your application. Cut & Paste is largely a set of agreements on how setting various window properties should be interpreted. X has no 'built in' cut & paste mechanism.

Also, X clear labels events that are from other processes, and not from X itself. So, in X, it's pretty easy to ignore events that are generated by other programs, not by the system.

Also, Motif, Xt, etc. all don't get the addresses of the callback to call from the X server. They look at the event stream from the X server, and decide which callback needs calling. A application that posted internal addresses to the X server and expected to get them back intact would be nieve in the extreme, and clearly poorly written. Whrereas that technique is the accepted way of doing things in Windows.

Is this the Allchin bug?

[Old+time+hacker]

Do you think that this problem is the one that Jim Allchin described as dangerous to national security?

If it is, then it seems a bit dishonest for the microsoft message author (Dave at the Security Response Center) to say that they don't consider it to be a bug.

If it isn't, then there must be another problem which is even more serious. Oh dear!

Re:Is this the Allchin bug?

I wondered if anyone else thought of this.

If you and I are "correct", which makes sense as a local-only exploit likely doesn't "threaten national security", then that implies that the larger issue of which he spoke is *not* a local exploit.

Makes you wonder why he said 'protocol' and 'coding error'. Makes it harder to find it, as the API documentation wouldn't indicate where a problem might be found - only by verifying protocol behaviour against the API docs, in all possible combinations of inputs & sequences of operations, could you find such a problem.

It's not trivial, but it is worrisome nonetheless.

Part of me hopes this is exactly what the gent was talking about...but I really don't believe that :-/

Re:here we go

Who this effects? Try every corporation running windows, every university, all government offices running windows and so on. In these, all non-admins have less than admin access, and with this, they can gain admin access. You, sir (or madam), are an idiot.

MOD PARENT UP

[MORTAR_COMBAT!]

and then mod me down. posting this one at +1 to attempt to get some attention...

um...

[sootman]

Is this just a Win32 problem? Probably, yes. The only mainstream competitor to Windows in terms of windowing systems is X windows.

*cough*Mac*cough*

Re:um...

[bnenning]

That reminds me, Mac OS X had a vaguely similar local exploit last year. If you ran a UI program that was suid root (such as NetInfo Manager), when in that program you could use the Apple menu to launch recent items as root. So launch Terminal as unprivileged user, quit, launch NetInfo Manager, select Terminal from Apple menu, and you get a root shell.

Apple released a fix within 48 hours of discovery, and as far as I know Mac OS X doesn't allow user processes to arbitrarily twiddle UI elements of other apps.

Re:um...

[tuxedobob]

I'd say that's a pretty good response time. Not as good as the webmail issue, which was less than a day, but still pretty fast.

Palladium - Not all SW is COTS

[TomDLux]

Off-the-shelf software makes up a small part of all the software that is used.

• Unix power users & sysadmins write scripts and programs; I assume that Windows users and sysadmins do the the same.
• Large corporations develop custom software to do things the way they want.
• Scientists and engineers write programs to process their data because nothing exists to do what they need.
• At universities, colleges and high schools areound the world, students write programs.
• And let's not forget all the software developers everywhere, writing the code which will eventually be assigned keys

How will all these un-keyed programs run on Palladium?

Unfixable?

I don't see why this is unfixable. The program that actually must see and use the windows of another program is rare, and I would contend that such programs are poorly written and should be redesigned using some true method of IPC. It may break programs, but I personally don't see any issue with doing such if it prevents this from being attacked. For example there is no reason that a program should be able to send WM_TIMER to any other program. That message should be restricted entirely to the current process only. Perhaps the entire control message range can be locked while keeping the WM_USER band open to communication between PID.

Unfixable my a...

[OldMiner]

Your primary problem here is that messages are being sent which aren't expected. Most message processing routines just toss these messages off to DefWindowProc(), which is what's doing the damage here. You could fix a few of the problems stated here, especially the abuse of the callaback function with a timer, by simply making DefWindowProc() do nothing as the default behavior with certain messages. This would reduce the effectiveness of attacks to those that utilize messages intercepted by programs which are not properly checked. For the adventurous among the readers, user32.dll defines DefWindowProc(). Feel free to write it as you please. Granted, there are fundamental problems in Windows that are nearly unfixable without a huge redesign. This is not one of them.

Bill's fault

Isn't the point that if an app is running as guest then functions that mess with other processes should fail? The debugger must be using CreateRemoteThread or *something* to run code in another process.

Have to be local? So what!

[somekindofuniguy]

To all of those people who say "this isn't a big issue, it's only a local exploit", I ask them to consider poor people like me, who run open-access computer labs at Universities. It's not like we can put a firewall between us and the exploits, is it?

Slashdot became a tabloid and I didn't even notice

When was the last time there was something newsworthy posted on slashdot?

I sware for a while there I was able to pick up material that could kinda be classed as 'news' on this site...

Ahh well, at least the register still reports news.

I don't know where to begin...

...flaming this idiotic story, let alone the idiotic responses. If you would like me to completely debunk this "vulnerability", email me at the address:
get@fucking.clue

This ain't anything

[fudgefactor7]

So you can hack Windows once you're in... wow. I agree with MS on this one, this isn't either new or a vulnerability, per se. It is annoying, but that's how it goes. Besides using a proggie to up your rights once you own a box is silly, if you owned the box correctly you'd be root/Administrator and then it wouldn't matter now would it?

BFD

[ToasterTester]

My answer is what took him so long to get around looking at the Win32 APIs. Hey dude there's a whole another world of undocumented API's to play with too. Windows has security holes, that is so five minutes ago. Show me an major OS that doesn't have security patches rolling out. Yes even OpenBSD has security patches. It's a fact of life when your code base of that large.

My Mouse

[JewFish]

Essentially, they allow you to take control of any window on your desktop, regardless of whether that window is running as you, localsystem, or anywhere in between.

My mouse does the same thing as these exploits! I can take control of any window on my desktop with it. Guess I will have to keep visiting windowsupdate.microsoft.com looking for a solution to this mouse problem.

Windows, or API in general?

[EdMcMan]

IMHO this is more of a design problem, than a problem with Windows. The same problem is in X, too. Otherwise, window managers wouldn't be available (doh). Likewise with Windows, stuff like Windowblinds wouldn't work without these "features".

From the interview: So if you get code and it's not from anyone you trust, you can choose to not run it.

Well, that's good. /. made it sound like Microsoft would be able to decide what everyone could run. I'm not sure why I care anyway, there's no way I will ever run Palladium or get a "security chip".

Unfixable?

[hackwrench]

As far as I know all an update to Windows would have to do is check the privlege levels of the requesting application and the target application and if they don't match, it isn't going to happen.

Windows servers vulnerability

[Animats]

One big issue here is vulnerability of Windows servers. Anything that can execute code and can talk to the Windows message queue can own the box.

This is an issue for Terminal Server and for shared-hosting operations. It's also an issue if someone finds a Windows servlet with an exploitable buffer overflow. But if IIS is already running as administrator, as soon as you find a server-side buffer overflow, you're done anyway.

It's a nonissue only because Windows security already sucks.

Hey MORON

How does a distributed API like .NET fix a problem where a process can grab control of another process's windows?

Sounds like a pretty fundamental flaw, indeed.

FOON == SIMPLETON

A beautiful display of the depth of FOON's self-proclaimed godlike expertise:

Note down the memory location that the string appears at; it'll probably appear a couple of times, don't ask me why.

Somebody needs a lesson in memory segmentation, eh?

Don't worry too much

[p3d0]

This guy is so full of himself, I don't know how he could be taken seriously. He wants us to think he's David for MS's Goliath, and he has just discovered his sling. Well, I'll believe it when I see it.

If you have the patience to read through his smarmy instructions on how to reproduce the defect, you'll discover that he has indeed hit upon a rather serious security flaw. He then proceeds to give three strawmen--er, I mean possible solutions to the problem--and argues that since these three things can't fix it, nothing can. Well, I'm not convinced.

What if Windows' messaging were changed so that certain messages that are considered insecure (like WM_TIMER) can only be sent to windows owned by the sending process? What if the text inside an edit control were held in some piece of memory with no execute priviledges? These are two things that, I think, could solve this problem immediately, with little inconvenience to users.

Also, check out this guy's pompous letter to Microsoft, in which he states, "Since Microsoft already know about this issue, and any of your programmers will be able to replicate and verify the issue in less than an hour given the information in my advisory, I'm not prepared to wait very long." Clearly this, er, fellow has no experience in large software companies. Even good software has perhaps hundreds of defects outstanding at any given moment, at various levels of urgency, competing for developers' attention. Apparently he either thinks he's so important that he can jump the queue, or else he imagines that these armies of developers are sitting idly at their desks waiting for people like him to give them something to do.

Well, that's enough ranting. The upshot of it is, I wouldn't be too woried. He has not done a Jenga on Windows.

Re:Don't worry too much

[p3d0]

Good lord, take a look at the author's bio: http://security.tombom.co.uk/aboutfoon.html.

'Nuff said.

Re:Don't worry too much

That's awesome.

I yarked coffee out my nose and pissed my pants (not enough that my undies couldn't handle it, but still.)

Links like that are why I read slashdot.

The guy is in student digs and very bored.

Another unhappy computer science student, who has not quite graduated out of sixth-form ego-trips.

I take it you learned VBScript before you taught yourself zx81 basic/asm.

Ego-fuck-wit.

Just to troll a bit...

[PissingInTheWind]

That's why command-line interface are so superior!!!

Now watch my badassbashskillz...

You're stoopid

[tlhf]

"I would like to point out that Java runs just fine under Linux."

He never said it wouldn't. What he said was that between Java and .Net there would be an improvement in the security of applications running on the Windows platform.

He isn't considering whether .Net will live up to the hype or not; he's just stating that the security frameworks implemented in .Net and Java will create a more secure system.

tlhf
Oh - and nice arbitrary '2-5 years' figure. Making up figures make your point seem more valid....

Re:You're stoopid

[Hostile17]

He makes a valid argument against Microsofts track record of producing software that does not work as promised, while you have trouble spelling simple words, HMM who am I going listen to.

BTW, it is spelled STUPID

Two other discussions?

[AndyMouse+GoHard]

You just threw away two points, saying they're for other discussions. But your point is, they shouldn't crash the OS and *do*. So they are relevant, IMHO.

Bill

Re:Two other discussions?

[Bungie]

I've seen production Linux servers drop dead in their tracks because of SCSI driver bugs. Our tape backup program would attempt to backup to our SCSI tape drive, and then suddenly you would be looking at a kernel panic and a stack dump.

I've also seen some OSX boxes core dump while running iTunes, because of their USB sound drivers.

Every OS crashes because of driver problems. Windows is not the only one.

Re:FP

[DaveAtFraud]

Noise

I get blue screens all them time

[MasteroftheVoxel]

My brand-new Sony Vaio laptop crashes frequently
*on bootup* with a blue screen of death.

Its running XP home

Re:I get blue screens all them time

[robhancock]

Then I would say you most likely have a busted laptop..

Re:I get blue screens all them time

[Jerry]

Not necessarily.

I purchased a new Sony VAIO on 12/29/96. It came with Win95 preinstalled. I used it primarily to write client software using a variety of GUI RAD tools, from VB to PB to VFP. Between 1/1/97 and 4/30/97 I had to reinstall Win95 FIVE times. This doesn't count the nearly countless crashes, data loss, reboots, the "Medi-Kit" action, etc, etc. I've had a computer in my home office since 1978, but never had I experienced the kinds of instability that Win95 brought to me. By May of 97 I was sick and tired of the crashes and decided to return to OS/2, which rarely crashed on me. I was at the book store looking for a good manual for OS/2 when I saw a book by Bill Bush entitled "Learn Linux in 24 hours". It had a RH 5.0 CD in the back of the book. I partitioned my HD and installed RH on the second partition. RH 5.0 never crashed on that Sony, which became a sold as the Rock of Gibralter. The only thing that changed was the OS. In the fall of 97 I switched to SuSE and used it till a couple of months ago, when I switched to Mandrake. SuSE was rock sold on that Sony, which became my wife's box in Feb of 2000, when I got a 1GHz Athlon. In the last five years I have had only a couple of crashes: one caused by an experimental C++ program that I wrote. Six months ago, with SuSE 7.3 still installed, we gave the Sony to a family doing home schooling. They've reported no crashed to date.

At work I use a W2K on one partition and Mandrake 8.2 - KDE 3.0.2 on the other partition. The W2K side crashes 4-5 times per week (six MSCEs can't keep it up!). The Mandrake (formely SuSE) side has never crashed. Same machine, same network ... different OS.

Re:I get blue screens all them time

[Reziac]

I don't doubt your experiences, but I've also heard that some of the WinDrivers for the Sony Vaio series suck to the point that you can't expect stability if you're using them. However with fully updated BIOS and drivers, there's no reason to expect Windows to misbehave on that system -- unless it's a model that has some flaw that tickles Windows but not linux.

As an example (albeit in the opposite direction) in my collexion I have a buggy 486 CPU that runs Windows just fine, but throws up all over OS/2 Warp3, and also pukes on some 32bit DOS programs -- and tho I've not tried it, I'd bet it would refuse to play with linux.

Re:I get blue screens all them time

Load some lame-ass version of linux and get to the command line! man your stupid if you didn't know that.

Re:I get blue screens all them time

The W2K side crashes 4-5 times per week (six MSCEs can't keep it up!).

I have seen very little halt Win2K. If you have six techs that can't keep it running then you should get them fired.

this "paper"

Where exactly was this "paper" published?

Putting up a plain text webpage with some lame ramblings about some well known programming mistakes does not count as publishing a paper.

What a fucking retard.

In the dictionary next to POSER there is a picture of Chris Paget.

Amen to this

[apankrat]

Couldn't said it better myself :)

Problems with X too?

[micahjd]

I know that the way X handles messages and the way Win32 handles messages are completely different, but there could be similar problems with X too.

Currently the X server almost always runs as root because it needs direct hardware access for accelerated video. If there were a buffer overflow bug or something similar in XFree86, a malicious X client could run code as root. This needn't even be in XFree86, it could be in an extension that isn't tested as well. For all we know, the binary NVidia drivers may be exploitable.

This IMHO is a great argument to stop running X as root and just implement acceleration in the kernel framebuffer driver when necessary.

Re:FP

[DaveAtFraud]

Like I said, noise.

Less tripe than you suggest.

[HopeOS]

I disagree with this assessment for several reasons. Even if the virus scanner code is junk, the attacker is successfully manipulating this program in ways that the program should not have to deal with.

1. If the program creates an edit control and specifies that the maximum input size is X, then it better stay X until it is changed by authorized code- namely the process that created it.

2. The means for fetching text out of that edit control is WM_GETTEXT. This message takes a destination buffer length as a parameter. It should not be possible to overrun the destination buffer regardless of how many characters are in the edit control. The input would merely be truncated.

3. The exploit code is most likely in the edit control's internal buffer- not the application's dynamic memory. Unless the user clicks OK or some sort of OnChanged handler has copied that data to a new location, the application has not had the chance to touch it. The attacker merely needs to guess the location of the edit control's internal buffer. Apparently, it's less difficult than one would hope.

And finally, even if none of that were the case:

4. Being able to send any message that passes a pointer across applications is foolish. I could send WM_GETTEXT or a raft of similar calls to an application and have it trash itself. The destination address could be any valid place in the target's dynamic memory. If the application attempted to validate the pointer, it would pass. Moreover, important information resides in dynamic memory, not the least of which is the vtbl pointers of important objects like MFC's global CWinApp.

Now, I have a question. How is that this code can be executed at all? Unless the permissions on the pages holding the exploit code permit execution, I don't see how the exploit can even run. Instead, I would expect to see some sort of access violation. Apparently not.

I will research this more.

-Hope

Re:Less tripe than you suggest.

[Uller-RM]

1. If the program creates an edit control and specifies that the maximum input size is X, then it better stay X until it is changed by authorized code- namely the process that created it.

I'd agree with you. Practically, Windows doesn't provide a mechanism for finding the originating thread of a message, and I doubt they'll hack one in now.

The exploit code is most likely in the edit control's internal buffer- not the application's dynamic memory. Unless the user clicks OK or some sort of OnChanged handler has copied that data to a new location, the application has not had the chance to touch it. The attacker merely needs to guess the location of the edit control's internal buffer. Apparently, it's less difficult than one would hope.

The child window's memory is still inside the parent's process, on the heap. It's actually quite difficult to locate algorithmically, though - he admits in the article that his technique relies on attaching a debugger to the process and searching system memory byte-by-byte for the string FOON.

That, and he mentions a buffer overflow, so unless he's using terms he doesn't understand and assumed that happened, the textbox is sending an EM_CHANGED message to its parent window. In reality I think his debugger's just finding it in the textbox and executing out out of there. See next para.

Now, I have a question. How is that this code can be executed at all? Unless the permissions on the pages holding the exploit code permit execution, I don't see how the exploit can even run. Instead, I would expect to see some sort of access violation. Apparently not.

None of the current Windows handles clear the execute bit in the GDT/LDT tables. Ya, I think it's stupid too.

whatever

This guy is just another fat ugly wannabe hax0r.

Ignorance is Strength?

The fellow that wrote this paper lacks an understanding of how X works. Using Xlib I can do essentially what this does in Windows with XSendEvent in X. People have known about this exploit for years in X. You need this capability for things like drag and drop and it comes in handy for application testing/automating. XTerm actually has a resource to enable/disable events sent via XSendEvent. I don't consider it much of an issue. As long as the programs you are running are trusted then you should be safe. I sincerely hope that this doesn't encourage kids to start writing awful hacks that end up deleting the files of a user. I don't consider this a flaw in Windows, because disabling this feature would severely limit Windows.

That's not the way it's documented

[BCoates]

Microsoft's documentation for WM_TIMER indicates that the code is run by the "Default Window Procedure". This is DefWindowProc, the function you call to handle messages that have gone unhandled by the application. If this is correct, the problem is fixable; the application needs to simply not call DefWindowProc for WM_TIMER messages with non-zero second parameters (unless it actually wants the code in question called).

This could be solved without major disruption in windows if DefWindowProc simply checked the address passed to it against a list of functions that had been previously registered by the process with SetTimer().

I haven't personally verified this, it's possible that the documentation is incorrect.

--
Benjamin Coates

What about ...

[vovin]

Why do all that work just for WM_TIMER? Why not just go for the throat by sub-classing any window with privs? SetWindowLongPtr

LONG cbMyProc(HWND hWnd, LONG uMsg, LONG wParam, LONG lParam)
{
/* Any sploit you like. */
}
hwnd = FindWindowWithRoot();
cbProc = SetWindowLongPtr(hwnd, GWLP_WNDPROC, cbMyProc);
/* doesn't matter what you send,
it call cbMyProc() to process it */
SendMessage( hwnd, msg, wp, lp );

Now cbMyProc is the message handler for all msgs to hwnd, any code in cbMyProc is executed within the memory space, and priv of the target.

What about Macs?

[sv0f]

The author writes:

Is this just a Win32 problem?

Probably, yes. The only mainstream competitor to Windows in terms of windowing systems is X windows. X is based on a similar underlying technique, that of queueing messages that are passed between windows.

Are Macs susceptible to such an attack?

reply to this:

[RelliK]

Either way, Microsoft break their own rules; there's numerous windows on a standard desktop that run as localsystem. Use my shatter tool to verify this - there's a whole load of unnamed windows which might be running as Localsystem, and a few invisible windows (like the DDE server) that definitely are. Security boundary my arse.

The author has addressed Microsoft's response in his writeup. Given that there are numerous windows running as LocalSystem on any desktop, Microsoft's response is a load of tripe.

Heh, not exactly the first program.....

Check out Enabler on my site, this program has been around for over a year and does what you describe and more.

http://www.securitysoftware.cc/Programs/Enabler. ex e

-Pertinax

Re:here we go

[DaveAtFraud]

Too bad you got modded down for being off topic. Good response though.

huh?.

[BCoates]

Um, the documentation you pointed to says

The SetWindowLongPtr function fails if the window specified by the hWnd parameter does not belong to the same process as the calling thread.

Making it not terribly useful for priveledge escalation.

--
Benjamin Coates

Re:huh?.

[vovin]

Damn. Dunno why I didn't see that. Guess I don't read too well.

So what's to stop WM_TIMER call backs from checking against the cache of call back funcs set via SetTimer() - which is presumably the only way to get WM_TIMER to execute a callback?

Wouldn't that be a reasonable fix for this bug?

Other than GetText()/SetText() and COPYDATA I don't know of any way to cross application memory spaces via the Message Queue. (Other methods are named pipes, memory mapped files, and dde).

It appears to me that GetText()/SetText() calls are the only vector that all win32 gui applications cannot work around.

COPYDATA, DDE, Named Pipes and Memory Mapped are all used for IPC inter-process communication. All those IPC methods require non-trival, non-default support. Not what I would consider a Win32 core vulnerability.

Of course this also means you can't 'trust' any of the core widgets - you have to have your own 'non-conforming' versions that don't respond to GetText() and SetText().

This is the absolute stupidest thing Ive ever hear

[gamorck]

Look... I'm in no hurry to defend Microsoft but being as I develop for their OS on a daily basis - its common knowledge (or should be) that anybody who runs a service under system privileges that presents a GUI to any old user - is a fucktard that simply needs to die. Yes this problem can be fixed by MS using the 2nd option indicated in the paper and yes it would mean these crappy designed apps written by third parties would have to be rewritten.

Microsoft specifically reccommends that you do not run services and allow them to interact with the local desktop. Doing so is security suicide. Thats how VirusScan was running. Therefore its a McAfee issue since there are about a bazillion better ways to write this app.

J

Odd and ends...

[Mathness]

Microsoft also is trying to take security more seriously.

One can only guess at what jokes they make...

Worker1: knock knock.
Worker2: who's there?
Worker1: CQ.
Worker2: CQ Who?
Worker1: Security.

It would help if the author understood windows...

[dark+druid]

This is not a security vulnerability in windows. In windows the security boundary for GUI objects is the window station/desktop. Within the same winstation or desktop you can send any message to any window you want. You can set ACLs on the window station to prevent low privileged users from accessing a window station or desktop. Services by default run in an isolated winsta/desktop on a per user basis (i.e. all the SYSTEM services share a winsta/desktop). No low privileged app can send anything to that desktop. If you check the let this service interact with the desktop option for a service then it is moved into the main user window station and desktop. That service can then present UI to the first user which logs into the system if it wants. The service also gets all the security risks of running in that desktop. If you choose that option then you get what you asked for and need to secure that code for running in the interactive session. Running this way also doesn't work with fast user switching or terminal server since you can have multiple users logged in at the same time. If a service wants to present UI to the user then it needs to run in a client server model and a process running in the user session and communicate back to the parent using COM/RPC/whatever.

Nevermind.....

Spoke too soon. My program just controls windows and other objects in applications. No code insertion.

Doesn't seem like a good way to execute code with higher privledges anyway. Dll insertion techniques have been well known for some time.

-Pertinax

Windows are opened, Windows are broken....

[Anna+Merikin]

Yesterday, on one of those rare occasions that I was using my Windows partition and surfing along downloading an mp3, I decided to preview my selection before it was complete...and, lo, my hard disk starts churning and Netsape (my default browser because of the requirements of Britannica -- thank you!) opens to a pr0n page! When I think of what a black-hat hacker might have done had I allowed IE to be my default browser or use MS Outlook express and its addressbook, I am driven back to Linux. I DO believe one gives up all control of one's computer when using Windows. Don't know why, exactly, but it's so.

Solution

Mod this fucker up, I think I fixed it... well, almost. I'm not done, but I've got one function down out of a dozen, and with the method operating, the rest is cake.

Windows hooking permits the forced injection of a DLL into the space of all processes. From here I can access the Import Access Table (IAT) of all processes. From here I can find and redirect the IAT of the messaging functions back to my injected DLL. From here I can compare the hWnd to the PID for control range messages to ensure that the message is valid. Then I could either eat the message, or continue the original IAT address of the function to continue it on it's merry way. I'll post back if/when I completely succeed.

I don't believe it is the responsibility of the receiving process to have to validate window messages beyond it's own functionality. That is the job of the OS. The OS doesn't do it, so I'll make it the job of the sending process.

An evolving concept...

[vsprintf]

from the interview:

Are you issuing more security alerts because you are looking for more bugs?

By pulling the Windows developers off--8,000 (to) 8,500 people--for a couple of months to look for stuff, if you put that many eyes on it, they're going to find stuff.

It's pretty obvious that not all 8,000 developers were looking at the same line of code. So, followed to the logical conclusion, MS admits that open source software is more trustworthy. Endgame.

Comment removed

[account_deleted]

Comment removed based on user account deletion

sounds pretty arrogent...

to say that its unfixable. sounds like fud to me trying to smear microsoft from somebody who has no idea what they're talking about.

If someone will contact Theo de Raadt ...

[derdamon]

...inform him he has been presented with an opportunity to obtain additional funding for the OpenBSD project, with many thanks to the copyright violation perpetrated by Scott Charney. "Secure by Default" is the intellectual property of the OpenBSD project. The footer of the OpenBSD homepage clearly indicates a copyright notice, and the evidence of violation can be found here:

http://www.openbsd.org/security.html#default

So, looks like Microsoft will have to settle for SD2.

---
If pro is the opposite of con, what is the opposite of progress?

it's the vendors' fault

[commodoresloat]

Yah, it's the vendor's fault for not treating the insecure services running "windowless" under Windows as damage and routing around them.

Comment removed

[account_deleted]

Comment removed based on user account deletion

What a forward-looking strategy...

[kpansky]

With the MS Palladium initiative "you will have "trusted agents"--pieces of code that are signed by people you trust. This is a good thing because it can eliminate a lot of viruses. So if you get code and it's not from anyone you trust, you can choose to not run it."

Sounds alot like me using ./run_program or rm -fr run_program. Brilliant.

Why are people pretending this is not a problem?

[tlambert]

Why are people pretending that this is not a problem with the design of Windows?

It seems perfectly obvious to me that all you would have to do to fix this would be to associate applications credentials with messages as they are passed around, and not permit messages from a process with a lower priviledge to be sent to a process with a higher priviledge, unless a security association is established.

This would mean changing the messaging API, but it's fixable. It would merely mean recompiling all third party code that needed t communicate across priviledge boundaries, and adding code to programs designed to operate at higher priviledges to accept the new message type, rather than dropping it on the floor (making that the default), and make a decision based on that.

This is the standard "capabilities" security model, and is the same model that used for NT file permissions, in terms of a hierarchical inherited rights arrangement.

There would be a significant impact on "remote control", some install tools, and other packages that are not written with the idea of priviledge domain seperation, but it's *possible* to fix.

-- Terry

Takes 1min for me

[Snoopy77]

At my work most of us developers have a task manager window running, executed using the 'at' command. This means the task manager is running as LocalSystem and can kill practically anything. Especially good for bugs which cause endless warning boxes to appear.

Go to file|new task and run cmd. Do a whoami to see who you are now 'NT_AUTHORITY\SYSTEM'.

Now I believe this one is wholly an MS problem. Their OS, their at command, their task manager.

another way..

[mian]

We've actually been doing this for a couple of years with a couple of methods and used them in legitimate software products, one being eFX a Window GUI changer and another being Napigator v2.0+ but a different and what I believe is more powerful approach since you don't need to paste code into edit boxes and use debuggers was formed.

Step 1: Howto get into another processes memory space

The easiest way todo this is via a global system-hook, or via a DLL that you must put in a special regkey and Windows will automatically load your DLL into every process as it starts, another more complicated method is to use CreateRemoteThread() (NT only?) and run a small function which performs LoadLibrary() on the DLL of your choice. I'll refer to a hook method for now as it's simple and works on all flavours of 32-bit Windows. SetWindowsHookEx documentation Usually this function is only used to set a hook within the specified thread ID to keep the hook localized however by setting the thread ID to 0 and putting the HOOKPROC inside a DLL and using WH_CBT, WH_GETMESSAGE etc hooks, Windows will automatically load your hook DLL into each process which the hook applies to which is usually all of them. That's it.

Step 2: Doing something useful

If you chose to use WH_GETMESSAGE for your hook then you have a hook function which is being called each time a process calls GetMessage() as part of its message loop, during the time in GetMessage() you are in the processes memory space as if it was your own and you may execute any code you like, prevent the process from getting messages.. whatever you like.. since we're on the discussion of exploits though let's do something interesting and take over the process.

Step 3: API hooking

When a process calls a shared function from a DLL it looks up the address of the function in the import table of the process. This is the main executable PE usually but you can also do recursive API hooking and modify the IATs of each module/DLL loaded in the same way. If you want to learn more on that just study up on the PE module format. My method of API hooking works by modifying the import table to change the address of where the actual functions are. This lets you replace shared DLL functions including most of the Win32 API with your own, here's a small example.

int (PASCAL FAR *orig_connect)(SOCKET s, const struct sockaddr FAR *name, int namelen) = 0;

int PASCAL FAR new_connect(SOCKET s, const struct sockaddr FAR *name, int namelen)
{
printf("[new_connect] socket(0x%08X) host(%s) port(%d) orig_connect(0x%08X)\n",
s, inet_ntoa(((struct sockaddr_in *)name)->sin_addr), ntohs(((struct sockaddr_in *)name)->sin_port), orig_connect);

return orig_connect(s, name, namelen);
}

Now to actually install the hook i've written a universal function kind of like GetProcAddress() todo it for me, I can't divulge the code because its company property however it's pretty easy to figure out if anyone needs todo it. The place I choose to install the hook is in DllMain() which is called when your DLL is loaded into each process, so you could hook every process running on the system since the global system hook we set earlier will be loading us into all of them or you could for example use GetModuleFileName(GetModuleHandle(0)...) to see which process you are now working in and if you want to hook it.

BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
(FARPROC&)orig_connect = HookModuleImport(GetModuleHandle(0), "WSOCK32.DLL", (LPCSTR)4, (PROC)new_connect, TRUE);
}
break;
}
return TRUE;
}

PROC HookModuleImport(HMODULE hModule, LPCSTR szModule, LPCSTR szImport, PROC pNewProc, BOOL bOrdinal);

The first parameter to the function is the process of whos import table you wish to modify, all you have todo is build up the PE headers and you'll get there. The second parameter is the module which contains the function you want to replace, in this case its WSOCK32.DLL. The third parameter is normally the function name however we are hooking by ordinal instead here because the string "connect" wasn't available to search for with this particular module, I can't remember the exact details but I think it was Windows 2000 copy only exported ordinals but not exactly sure off hand has been a while. The fourth parameter is the address of the new function and the last just says to look for ordinals instead of strings. The address of the old function is returned so you can call it if you wish or un-install your hook by calling HookModuleImport again with orig_connect as parater 4 (a good place todo this is in DLL_PROCESS_DETACH).

Whats happening now is in the process whos IAT we patched, each time it calls the Winsock connect() function, our new_connect is now called instead. We can do anything we like here, calling SetLastError(WSAECONNREFUSED); return SOCKET_ERROR; would make the particular process think the connection was refused (hmm, how bout a filter that prevents all spyware from connecting to its destination on every process on the system transparently by checking the destination address). I've only used Winsock::connect() as an example but this method can be applied to any function a process imports in any DLL (if you have VC++ just type dumpbin /imports blah.exe to see what's available for the taking).

the deployment mechanism is there

[LordXarph]

we have seen working code that demonstrates how to get backdoor software onto an internal, secured network.

It's called spyware, and its deployment mechanism is Kazaa.

You want to root a bunch of machines? Write a piece of spyware, and hook it into the latest and greatest gnutella client. Grab the Gnotella source, patch your exploit into it, and release it, and the source to comply with GPL.

Do you know how many people blindly download and install GPL'd apps because the presence of source gives them a false sense of security? A lot. You know who installs closed-source, non-GPLed software because they think it looks cool or assume it's safe because they have a .com address with no ~ in the url? Even more.

One word: Webshots.

Webshots is on so many damned systems in internal, "secured" networks that you couldn't root it out if you tried. All it does is change the wallpaper for those too dumb to figure out how to do it themselves. It also installs a load of fun tracking and marketing tools. These people proved you can make software do something that IS ALREADY BUILT INTO THE OS and people will blindly download it and install it. And if the spyware you bundle with it isn't spyware and is instead a remote controller for DDOS attacks, have fun. It's a field day.

Whine about how "well, their network doesn't lock down their computers so they deserve it" all you want. This affects EVERYONE, not just the dumb receptionist who wants bonzi buddy on her laptop. If someone distributes a DDOS zombie client in a popular free download (like the next AIM or something), some poor dude who runs a blog on his bedroom DSL who has never even HEARD of these insecured networks is going to be on the receiving end of it.

And don't get me started on how easy it is to reset the local admin password on a locked down company laptop to give bonzi buddy admin rights.

Xarph's first law of root paranoia: There are more idiots with root in the world than there are locked-down users.

Xarph's second law of root paranoia: Everyone has console access to the dumb terminal they're sitting at.

-Lx?

Giving Our PC's to Microsoft

[browrp]

Ok, so I took a look at the paper and then the e-mail response from Microsoft; and found this in the 4th paragraph, "In our essay, the 'Ten Immutable Laws of Security'i, these are Law #1-- "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore," and Law #3 -- "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." (see http://www.microsoft.com/technet/columns/security/ essays/10imlaws.asp for the full essay)."

So does this mean when those of us apply the Microsoft backdoors, I mean Service Packs to our systems, that give them unrestricted access to our systems, aren't we breaking one of Microsoft's rules, rule #3? I guess if it favors them it really doesn't matter.
Yeah those of us who run Microsoft software probably should deal with it; but it does raise some interesting ideas, expecially with Palladium. I guess if it [Palladium] comes about, those of us who run it truly will not own a PC, Microsoft will.

This guy is an IDIOT

[t0ny]

What this guy's *supposed* Windows shattering discovery does is allow a person to gain further control of AN ALREADY COMPROMISED COMPUTER. So if you do a good job of securing your computers, his "Windows Shattering" code is worthless. Not only that, but he isnt even using Windows to do it, he is using third-party programs. So the flaws are with programs that interface into Windows, and not Windows itself. Nice troll...

That's what happens when you do it wrong

[rabtech]

One of the primary rules when designing a service is that a service does not provide ANY USER INTERFACE WHATSOEVER.

A service listens on a TCP/IP port, named pipe, etc. If the virusscan writers had written their stuff PROPERLY, it would run the virusscanning engine as a service, and the user interface would be a user-mode program, posting and receiving messages from the service via named pipes or an IP port or whatever.

Imagine that you had a daemon running as root on your linux box that somehow popped up a UI in your X-windows session. Would you be AT ALL surprised if there was a way to exploit that to get root? I thought not.

The proper way would be to have a user program running in X that could communicate with the service.

Stage 4: Executing the code

[i9elcaro]

Please forgive me if the answer is obvious, but how do you attach the debugger to the process, if you do not have admin privileges? I see you can run this on a different system, one on which you do have admin, and the address should be the same. However, if this is not possible/practical, can you accomplish this without admin privileges?

Re:Stage 4: Executing the code

You are correct for the most part. However, you don't need admin permissions, only the permission to attach a debugger to a process.

mouse / keyboard macros/control

[Barbarian]

Back in the days of Windows 3.11, you could record mouse macros and play them back (i.e. to automate stuff). Can this type of stuff still be done today? If so, an exploit doesn't even need a user to open a window for it (like the exploit paper suggested), it can do it itself. Also, perhaps an exploit can sit in the background and just wait for an appropriate window to open.

But you're at the box!

But you are already at the windows machine, logged in! Really if you want to elevate your privileges once logged in simply run at interactively to execute task manager, and from the task manager run anything you like.

How many utilities are there floating around, and have been floating around for years, that let you get access, change passwords, etc as long as you are actually sitting down in front of it.

I'm not saying that this isn't a security issue. I do think that being able to grab a handle to anything and mess around with it is not good at all. It is a poor design. But tell me when you can exploit this remotely.

MS knows how easy it is to get 'root' if you are sitting at the machine that I doubt they'll care about this long winded way until it can be done remotely. As for remotely exploiting this security hole, I doubt it can be done since it relies on messaging.

Re:But you're at the box!

Only admin can run 'at'

Ummm NO

[spacefrog]

How are you arriving at the conclusion that this dialog runs with system priviliges?

IT DOESN'T

The GUI comes from a DLL running inside the process space of MMC.EXE. It uses a fairly secure RPC/IPC mechanism to talk to Windows.

A simple trip through spy++ will even tell you the owner process in about 5 seconds.

Re:Ummm NO

[Amizell]

The GUI comes from a DLL running inside the process space of MMC.EXE. It uses a fairly secure RPC/IPC mechanism to talk to Windows.

Then how come when I stick the sploit code into the edit box and use the debugger to search MMC's memory I don't find "NOOF"? It looks to me like I just stuck it into a dialog owned by Winmgmt.exe which runs as a seperate process from MMC. Unfortunately, Winmgmt is priviliged and the debugger can't attach to the process so I'm back to square one.

alex

Re:Ummm NO

[Amizell]

I meant FOON.

Re:Ummm NO

[Amizell]

Never mind, I'm an idiot. I would mod myself down if I could. Winmgmt is not related to MMC at all. But still, where is FOON if not in MMC's memory?

alex

Couple of points.

[Jade+E.+2]

First, although using cross app messaging to break security is new, the technique has been around for years. I can't count the number of shareware apps that 'limit' the unregistered version by disabling some checkboxes or radio buttons, which you can re-enable with the right messages.

Second, on the finger-pointing issue, yes the specific example he used is McAffee's fault for not seperating the GUI from the service, but as he said, there are several built-in ways to get a LocalSystem window with controls on it without resorting to exploiting 3rd party apps. In other words, if MS is going to point the finger at service developers, they had better include themselves in that category.

Third, a question about how controls respond to windows messages. I've never had cause to send messages directly (except custom messages), but AFAIK it's not a case where you can send a EM_SETLIMIT message to a control and it automatically sets it's limit. The application has to receive the message, interpret it, and set the limit on the control. The problem is that no major vendor I know of, particularly not MS, write straight to the API, they use libraries for their controls. And every control library I've seen defaults to handling EM_SETLIMIT messages by setting the limit on the control. If this works the way I think it does, then by not using libraries with open defaults, or by changing those defaults, you can write an app that only handles messages it expects to receive, hence this problem doesn't happen. (IE, do you know of any app where one thread really needs to change the length limit on a control in another thread? I can't think of any off the bat...) Can anyone confirm or deny this?

Equally feasible: Change history! Here's How!

.

Want to change history? It's easy. Here's how. First, design and build a time machine. Okay, second, get in, pull the lever back until you get to when you want to be. Get out! It's that simple. And this guy wants to take over an edit box. Who are you with? Petty geeks or uber geeks?

.

Comment removed

[account_deleted]

Comment removed based on user account deletion

The Jealous Sinister

So Sorry, The Bungi, that Foon isn't up to par with such dynamic nomenclature as :The Bungi.

Shame on you, poor little critic.

Balzac once remarked, "Noone has ever made a statue of a critic." Said before or after the Rodin, I don't know.

But goddamnit if I don't laugh anytime someone says, "my. . . Balzac!"

Like GTK

[0x0d0a]

GTK+ has the same issue. It was a *huge* deal when people started fighting about this, and eventually the decision was to just not let GTK apps run suid root.

Given the huge outcry about GTK+, I'm impressed that MS has had the same flaw, but for so much longer, with no one talking about it.

Re:Like GTK

[0x0d0a]

Actually, having read the paper in more depth, the exploits aren't exactly the same -- one can send messages to a GTK app to make it do nasty things, but not make it jump to random memory by sending bogus pointers. The end result is the same either way, though.

Re:Like GTK

[dfinster]

Given the huge outcry about GTK+, I'm impressed that MS has had the same flaw, but for so much longer, with no one talking about it.

I knew there was some advantage to closed-source...

what a ridiculous piece of nonsense

This is the worst article I have read from slashdot in a long time.

I have a funny feeling that if I wrote an article about how applications which are setuid on *nix, take user arguments and contain buffer overflows are vulnerable!!! I wouldn't get on the front page of slashdot.

I'm amazed that MS even took the time to reply to this joker - I bet Linus or any other Linux guy would either ignore a similar piece of junk or start a public flame war.

sprintf is the wrong analogy

A better analogy is setuid. It's the exact same problem thousands of apps running setuid root need to be carefully checked to make sure they're not exploitable by the users too.

If this is a security flaw within the Win32api, setuid functionality is an equally problematic security flaw in POSIX.

Re:sprintf is the wrong analogy

[J.+Random+Software]

Only a similar problem. Unless there's something dire about xlib that I've forgotten, POSIX systems don't tend to bundle user interface libraries that accept messages from any user, interpret a field as a function pointer in the server's address space, and immediately call that function whenever the app doesn't specifically overrides that behavior. That's somewhat exploitable even if you don't have a buffer overrun to take advantage of.

DMCA test case, right here

[Sloppy]

It's open season on Foon. Do you have anything copyrighted by you (that limerick that you wrote 10 minutes ago will do), stored on a machine that runs NT? If so, then you can sue Foon for trafficking in a program primarily intended to circumvent a technological measure that effectively controls access to your copyrighted work.

Funny thing Boeing does not seem to know about it

[MOooOD]

Apart from some general fishy facts about this article (how do they build a suitable hangar and keep it hidden, how do they never have a crash with an private airplane which "did not see it" etc), there is the question why Boeing would buy into Cargolifter in order to develop lighter-than-air-vehicles:

http://www.boeing.com/news/releases/2002/q3/nr_0 20 730m.html

They _should_ know what their major competition (Lockheed) is up to already and not invest in inferior foreign technology, right? :-)

If you guys want to know what lighter-than-air-technology means today, check out the Cargolifter web site (www.cargolifter.com) and have your babelfish ready.

Antivirus

Everyone that uses windows should stop running programs that run with higher privileges. That means antivirus programs, . Damned if you do and damned if you don't. bye bye windows :-D

Ironic

[wolf-]

So, I click to read a story about flaws in the Win32 API and what embedded doubleclick ad do I see? One for Visual Studio .NET.

Gah, slashdot is continuing to suck.

Re:Ironic

[Rascalson]

Mozilla 1.0 right click on ad, select block images from this server, and of course always have pop-ups blocked. Life is bliss ;)

Re:Takes 1min for me

Only an admin can run 'at'.

Guest cannot become localsystem with that trick.

Err. . .

[Com2Kid]

On a locked down box, misc apps downloaded from internet cannot be run anyways. . . .

Give users ability to run any app they want, and of course your security is going to be broken through sooner or later,

duh

mod parent and grandparent up!

[benjamindees]

this is hilarious. we should mod them both up so that everyone can witness the brilliance of /.

Re:Takes 1min for me

[Snoopy77]

And how hard is it for a guest to get make themselves administrators?

Step 1. copy musrmgr.exe over the top of logon.scr
Step 2. reboot
Step 3. when the logon screen appears just wait for a while until the screensaver kicks in and poof ... up comes the user manager.
Step 4. Make yourself an administrator

So I should have changed my subject to Takes Imin plus reboot for me.

Damn ... even MS exploits require you to reboot these days!

Feature on all new cars

[Okian+Warrior]

We were designing cars over in Detroit-land, and thought that it'd be a good idea to have a button that the owner could push to dump the oil. This was added as a convenience for those owners who change their own oil (drive over the pan, press the button, add new oil, and voila! you're done).

Of course, the owner's manual states clearly that the button should never be pushed while the vehicle was in motion.

Re:How about Internet applications written with do

By default the .NET CLR does not allow assemblies downloaded from an untrusted source (ie: internet) to have that kind of access to the system.

W2K Service settings

FYI.

On the Log On tab of the service properties there is a checkbox that allows you to disable interaction with the desktop when Local System account is seleted.

NO CARRIER

Windows XP service pack 1 -- no more freebies

i don't know where my head has been, probably in the sand. posting this as an AC because (1) it's sad to admit i'm so behind the news, and (2) well, here it comes.

a friend just told me today about what will happen to my use of the nice "FCKGW-RHQQ2-..." windows XP pro corp. code as soon as i install windows xp service pack 1. boom. no more windows, because naturally they want to stop pirates like me, which they have every right to do.

the problem is, here is what i do with nearly all my spare time. i build low cost machines for people who can't afford them -- i build them with the lowest priced crap i can find on pricewatch, the lowest priced crap i can find used, in salvage, etc, etc. and i put a pirated copy of windows on them. every single one.

and now, every single pirated copy of windows xp i've built into one of these machines will go "boom" unless i tell everyone to not upgrade their software anymore. so basically there will be a bunch of machines with security holes, a ripe field for virus infestation, sitting all over the area.

the other option, buying $200 microsoft licenses for these people, when that is about the cost of the entire PC which i built for them.

yes, it's stealing, and there's no justification. but it is the end of the freebies, now only the rich and the big-time commercial pirates, and the people who can really afford it anyway, will be able to run the software which will be required for just about every other software out there, the software they'll need for school, to play games, etc.

i was just putting the finishing touches on one more $200 PC for a family of foster kids. now i don't know what to do about the XP license.

shame on me for being a pirate, and i don't know how i missed the news about this -- going back and looking i can see it is all over the place. but there will be at least 12 windows xp installs which will be permanently stuck at pre-service pack 1, and i'm sure there are thousands of others.

so virus writers, have a nice field day with all these. pay special attention to future windows security updates, and exploit the hell out of the holes, because just about half the machines won't be getting updates.

-ac

Re:Windows XP service pack 1 -- no more freebies

Why don't you just set them up with Mandrake ?

The kind of customers you have, are equally lost in windows and linux, given they can't read english. Hell, a meskin localization setup and you'll be king 'pooter seller in the bario !

Re:Windows XP service pack 1 -- no more freebies

Why not just set them up with Windows 2000 Professional?

Re:Windows XP service pack 1 -- no more freebies

first, thanks for the response.

seconds -- XP is just tons better in multiuser home environments. for a household of, say, 3 foster kids, they just click on the icon that they've chosen for their name, and up comes their desktop, with their sounds, etc, and when little Jimmy deletes all the files he has permission to delete, little Jenny's Barbie bookmarks are fine.

that, and i just spent about 16 hours putting on a great XP install, with a bunch of educational games, all the updates, etc, etc. going back to Windows 2000 makes me want to shoot myself.

my current solution is to just bring home a new corporate key from work, and hope that key never makes it onto the "pirate" list, and go out to each person who i've set up and update their registry with the new key. just a big hassle, and given that most of these people don't live in great neighborhoods... not a lot of fun.

-ac

Re:Windows XP service pack 1 -- no more freebies

thanks for responding.

mandrake isn't really an option, as most of the educational games i install are win32 only, and i am just not l33t enough to configure wine.

that, and i hate, hate, hate x-windows, and these machines aren't exactly screaming raw power, meaning x is dog-ass slow.

that, and they nearly all use a free dialup service like NetZero, with nary a linux client.

Re:Windows XP service pack 1 -- no more freebies

I'm a big softy for the underprivileged.

Corporate Key 26WCH-B4TXX-VX4PH-6GPTM-DWG8M

Go to http://xpkey.cjb.net/ to learn how to change the key on an existing system.

Re:Windows XP service pack 1 -- no more freebies

[geela]

use Win98, and of course, those security updates don't work very well unless you have a firewall, so why not give them win98 and teach them how to use zonealarm?

p.s. not to sound RMS'sh but showing people how to use linux for basic chores (i.e. show them to that elusive source of aid called man pages) would save them from Palladium in the future

p.s.s. anyone knows if MS can enforce Palladium and DRM on countries not in the US export ban list?

Re:Windows XP service pack 1 -- no more freebies

linux does not work very well for the kids in the ages 1-12 age group. unless there is a catalog of learning software for linux of which i am not aware.

Re:Windows XP service pack 1 -- no more freebies

thank you heaps and bounds.

i only hope that the key you gave me was "truly" valid and not generated :) but it "seems to work" so far.

problem with generated codes, is that, sure, they pass version 1.0 of the algorithm and satisfy f(x), and hell, maybe they pass even version 1.1 of the algorithm, passing also g(x). but unless microsoft is really stupid, there is an h(x) and more than likely more than that.

but we'll see. they've decided to fight us this time, we'll see what happens.

thanks again, i am in your debt. need any c/java/php/sql coding, post a reply, i'll be checking this thread for a while.

-ac

What about this?

[RzUpAnmsCwrds]

Log on as Administrator. Go into "Services". Look through your services, looking at the "log on as" tab of each service. Make sure "Allow service to interact with desktop" is unchecked. Keep in mind that some services require this to have a GUI.

A solution to block badly written services

From the Microsoft Platform SDK:

Interactive Servives

An interactive service is a service that can interact with the input desktop. Other desktops do not receive user input. For more information, see Window Stations and Desktops.

An interactive service must run in the context of the LocalSystem account and be configured to run interactively. Services are configured to run interactively when the dwServiceType parameter in a CreateService call is set to include the SERVICE_INTERACTIVE_PROCESS flag. However, the following registry key contains a value, NoInteractiveServices, that controls the effect of the SERVICE_INTERACTIVE_PROCESS flag:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont ro l\Windows

The NoInteractiveServices value defaults to 0, which means that services marked with the SERVICE_INTERACTIVE_PROCESS flag will be allowed to run interactively. When the NoInteractiveServices value is set to a nonzero value, no service started thereafter, regardless of whether it has been configured with SERVICE_INTERACTIVE_PROCESS, will be allowed to run interactively.

Note It is possible to display a message box from a service, even if it is not running in the LocalSystem account or not configured to run interactively. Simply call the MessageBox function using the MB_SERVICE_NOTIFICATION flag. Do not call MessageBox during service initialization or from the HandlerEx routine, unless you call it from a separate thread, so that you return to the SCM in a timely manner.

It is also possible to interact with the desktop from a non-interactive service by modifying the DACLs on the interface window station and desktop or by impersonating the logged-on user and opening the interactive window station and desktop directly. For more information, see Interacting with the User in a Service.

Built on Wednesday, July 26, 2000

Just spotted on Freshmeat today! 0-day exploit!

[kcurrie]

Well, what do you know, a "0-day exploit" :-) Ok, not really, but could generate some /. hooplah anyway ;-)

http://hoopajoo.net/projects/xautomation.html

xautomation

Control X from the command line for scripts, and do "visual scraping" to find things on the screen. The conrol interface allows mouse movement, clicking, button up/down, key up/down, etc, and uses the XTest extension so you don't have the annoying problems that xse has when apps ignore sent events. The visgrep program find images inside of images and reports the coordinates, allowing progams to find buttons, etc, on the screen to click on. ...what could ANYBODY *ever* do with such a tool!?! ..sarcasm, for those lacking.

Re:Takes 1min for me

[man_ls]

I am definately going to remember this. It might work at a place where there are NT4 terminals that authenticate off a domain, but local administrators have unrestricted access.

Locally, Mac OS X is less secure

[gotr00t]

The author claims that he sent a message to Microsoft, and Microsoft responded that it is not really a threat because, well, it can only be done locally, and I can see that a lot of people who pasted comments stated that it was clearly stupid of them to do such a thing, however, Microsoft, in this case, has a point.

Mac OS X, the operating system that we have all ignored, as a lot of us think that it is secure, is very insecure locally. While booting your Maciontosh computer with OS X installed on it, hold down ApplCtrl (the key with the symbok) + s it would boot in single user mode. And guess what? The system starts out with you as root, without asking for a single password.

Clearly, most local exploits are not extremely devastating to security, and although I agree that this is a very silly system of window management, people shouldn't be so suprised, as if something like this didn't present itself before.

Wrong.

[leerpm]

IIS runs as IUSER_ NOT as the System account, and it has done this for years. The default install of SQL Server 2000 runs as a normal Domain user account NOT LocalSystem.

Re:Wrong.

[Tony-A]

IIS runs as IUSER_ NOT as the System account, and it has done this for years. The default install of SQL Server 2000 runs as a normal Domain user account NOT LocalSystem.
But Code Red and friends still propagate. Seems like Microsoft's idea of security has some problems.

Re:Wrong.

In this case, I'd disagree. First of all, anyone with half-a-brain installing IIS wouldn't have installed the code-red infected component unless they needed it. Second, this brainy type, had they installed the component, would have applied the patch before Code Red became an issue. As was pointed out here just a week or so ago, the patch was out a full month before the exploit. Finally, said brainy admin would've not allowed write access to any web folder, thus eliminating Code Red's ability to place the hack in place.

This exploit is no different. A good admin doesn't give his users the ability to write to any folder except those they absolutely need to. On my user's machines, they can write to the temp folder only on the local machine. They can also write to their own folder on the network, and their department's folders. In these folders, they don't have EXECUTE permissions, so I have been completely unable to duplicate this exploit. Reason? You need a program to do it, and even if a user could get a program on the machine or network, they couldn't run it. I learned ages ago to do this to keep users from installing apps that may not require admin rights to install or use.

Just as with any Unix, MS gives you the tools to lock your machines down. If you don't use them, you get what you're asking for.

What about wine?

I am wondering if this exploit will work with
Wine (as in "Wine Is Not an Emulator")?
If so does it mean wine is a vulnerability in
linux?

Re:9/11 related Easter Egg on orbitz.com

He's talking about how it changes the ticket to have a destination of NY or Washington. I couldn't make it do middle of butt fuck Pennsylvania.

I'll throw my hat in too I guess...

[Mongoose]

Windows NT/2000/XP all have problems with applications running at 'System' or another level below 'Administrator' ( root ).

For example:

1. Setup a win2k box with a user, and make it so that this user can only run the app MS Word using your little GUI profile editor.

No write access to drives, no shell, etc.

2. Log in as that user.

3. Now run MS Word and...

Press Alt+F11
Press F5
Enter "wolf" as the procedure name
Enter "Shell "cmd.exe", vb.normalfocusfoo"
Press F5

Now using commands like 'control userpasswords' you can fuck up your nice little system.

Also using command.com ( 'NT DOS' ) with your macros you can get beyond kernel rescrictions, which is like the ntsd kernel debugger bug a while back that the patch didn't fix.

Basicly you can still 'own' a network with your garden varity macro virus still.

Hell, I consider it a feature -- you forget your admin password or want to install something by sending a 'macro agent' around the network.

Also don't forget XML+IE+Outlook, DDE, and OLE holes. Btw I never report these exploits I find... I guess BugTraq hates me.

--

Yes, this is why you have to reimage windows so often besides dll hell...

This is very serious

[Eric+Damron]

Especially when one considers the fact that a large percentage of network attacks come from disgruntled employees.

So keep your employees happy or don't run Windows!

This is the Win32 version of SUID vulerability

[cookd]

C'mon, people! This is nothing new. We all should know by now that writing priviledged applications is way different from writing normal user-mode apps. In this case, we have an example of how a poorly written priviledged app that interfaces with a local user might give the local user a chance to escalate priviledges. How is this different from the fact that a poorly written SUID app gives the user a chance to escalate?

Knowing what this guy brought up in his paper, it seems a lot more obvious why you are NOT SUPPOSED TO INTERACT WITH THE DESKTOP AS "SYSTEM" if you are running as a service. This has been common knowledge among Win32 programmers for a LONG time.

The UNIX model has some exploits to which Windows is immune, due to structural/design differences. And the reverse is just as true. If you don't understand the security practices required on your platform of choice, you shouldn't be programming apps on systems that need to be secure.

Using Perl...

You can automate the whole sequence in Perl :
1. Search for windows, paste data : use Win32::SetupSup module - http://jenda.krynicky.cz/perl/
2. Inject code, attach to process for debugging : use wdeb module - http://www.wolf.vigelin.de/mathe/ntcont.html
3. Shatter windows : That is your part ! Happy hacking !
At least we use it for bad behaving install programs under Windows...

Whee.

if(strlen(funhappytext) > 119) funhappytext[119] = '\0';
sprintf(woot, "%s", funhappytext);

Forcing sprintf out of C would be, quite frankly, so fscking stupid that I'd find and open up several cans of whoop ass on the persons responsible.

Adding new functions would be great. Point out in the manpage that it isn't ANSI compliant, and boom. Why should we delay progress because some standards commitee wishes to?

Carpe diem and so forth.

HAHAHAhahaha...

"I think GNU can pull this off"

HAHAHAhahaha... that's so funny I wet my pants.
GLIBC have had more exploits than anything I can possibly recall, GNU delusions - programming by idiots.

man

man this dude must feel so stupid right now after making a big fool of himself in front of 250,000 people, haha...

what about other platforms?

[valmont]

i would like to get a bird's eye view understanding of what other platforms are doing different to avert similar issues? is OS X more or less immune to that? what about linux/X11? *BSD?

I'm thinking that unix was designed from the ground-up to be a multi-user environment, so for example students could compile their C apps for their CS101 class assignments on their own little shell account, while not being readily able to wreak havoc on the system ...

When microsoft states "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore", this means to me:

• windows is *by design* not a secure multi-user environment. Which is fine by me as long as they don't advertise it to be.
• the definition of "bad guy" seems fairly blurry to me, in light of the popularity of peer-to-peer applications which I'm sure would *love* to exploit such holes

are there still easy/obvious ways to root a unix/linux/bsd shell from compiling and running a piece of C code? aside from attempting to kill the CPU, infinite loops, and/or render the machine useless?

Re:This is the absolute stupidest thing Ive ever h

[hyperturbopete]

Yes this problem can be fixed by MS using the 2nd option indicated in the paper and yes it would mean these crappy designed apps written by third parties would have to be rewritten.

I.e., something that will not happen. possibly, one might deal with the problem by running the broken apps on a chroot/sandbox "virtual desktop"... i.e., externally impose seperate-priviledges-for-backend-vs-gui.

Then again, the types of bug described in the paper isnt nearly as bad as, say, default Outlook Express :-)

Yeah really

[Otis_INF]

A service with no gui can't be exploited by this 'get handle for window and exploit it'-hack, stated in the article.

MS doesn't release services with a gui. Never. All services in windows coming from MS are gui-less, i.e.: the process ITSELF isn't opening a gui. Therefor the user has to open an application, thus it runs under the user's SID, to communicate with the service, via a process-communication scheme.

Having access to the machine kills security anyway

[streak]

Since this requires access to the machine (sitting at the console) its not that surprising.

I mean you can get root on a linux box if you are sitting at the console and they are running lilo...
1) Reboot
2) at lilo prompt: [name of kernel] init=/bin/sh

Linux boots, and drops you to a root prompt. Remount the drive as read/write and away you go!

Won't this work *without* a GUI?

Won't this faked-callback technique work with any application that has a message queue, not just those that actually display a GUI?

Granted in this case you'd have to find another way to get your shellcode into the priveliged process' address space, but that's not too hard. eg using McAfee you could append it to a virus-infected file, then do a scan and send your WM_TIMER when the 'infected file' dialog box is showing.

Or perhaps I'm talking crap.

Microsoft Standard Post 3.1

You fool, haven'ty you learned anything from them? Start at version number 3, and not .0 becauase people avoid those.
Heres Microsoft Standard Post 2002.

that just delay.

[leuk_he]

It seems this exploit allows local users

You can still type malicious code with a pencil. Better is to solve the "local" problem: Send the use to the north pole.

Why the hassle with the EDIT field?

[kris]

Why the hassle with the editfield? As far as I can see, code is being executed with the address space of the security relevant process by receiving WM_TIMER or any other message that accepts callback addresses.

So any method to inject code into the target address space is okay, even writing the exploit into configuration files, registry keys, or sending it in network packages so that it ends up in any input buffer. Just send the WM_TIMER to activate it.

Pot, meet kettle

[sql*kitten]

You know, I remember when you could do all sorts of fun stuff with X11. For example, you could layer a transparent window on top of a display, that passed keypresses and mouse events to the window beneath it - and capture everything the user did. You see, most people used xhost for security - which meant that you gave control of your display to anyone who had access to the machine your X client application was running on.

Due to this, we now have xauth and MIT Magic Cookie. Anyone who says a security hole "can't" be fixed is naive - even if the fix is a kludge. MIT Magic Cookie is easily snoopable, so that's another security problem. The X11 protocol itself is easily intercepted, so we have to tunnel over SSH.

I could go on, but I've made my point. Linux users who take it on faith that they are secure are sadly misguided - as are those who believe that Windows is inherently less secure. Ultimately, it comes down to the skill of the sysadmin to secure any OS.

Re:Pot, meet kettle

[gorf]

Maybe I'm missing something.

How long have MIT-MAGIC-COOKIES been around? People care about what security is about now, not however many years ago. That's why networks are sniffable; people considered the issues and decided it wasn't worth the effort at that time. Now that it is worth the effort, we have IPsec (and VPNs) and ssh.

As for xhost authentication, that was by design. The people who designed it knew perfectly well what it didn't do. And X11 being intercepted? All along it is generally accepted that the network is sniffable unless you take additional measures. And that is by design, and that is the purpose of ssh (which admittedly came along later when security became more of an issue).

I don't know how true this Windows bug is, but this issue certainly isn't there by design.

Ultimately, it comes down to the skill of the sysadmin to secure any OS.

I secure myself from X issues by using X tunnelling. How do you secure yourself from this problem then?

Re:Pot, meet kettle

Not just "pot, meet kettle".

The warning comes from a 23 year old "genius" who describes himself as knowing a couple hundred languages on x different platforms and capable of learning any new language in 3 days, but who doesn't know that this "issue" has been known for years, and isn't a security flaw in windows, but in the application software (in this case, viruscan).

The same flaw (letting a process that runs at system level interact directly with the desktop, against warnings in MS docs never to do that), also exists in HP printer drivers (to name just an example), and is a thousand times more easily exploitable there -- all you need is physical access to the machine.

I'm including a description below. This made me raging mad at HP a few years ago and is the reason why I'm forbidding the use of HP printers anywhere in the company.
After being sent from phone to phone when I reported it, when I finally reached someone who understood what I was talking about after having talked to support people in 3 different countries, it appeared that (a) HP was aware of the issue and (b) they found fixing it to be too much of a hassle, since there was an easy workaround: disable bidirectional support on the parallel port, so the driver can't detect printer errors.
That guy actually made it sound as if I was stupid for not having thought of that "fix" myself.

I ran into the problem on a system where my own app was running as shell, but below is an easier way to reproduce it.

It worked (works?) under NT4, but I wouldn't be surprised at all if it's still the same in XP:

- You need a PC with a HP printer attached, with the drivers installed from HP's CD (not the drivers that came from MS on the windows CD, those are safe). It was confirmed to work with deskjets in the 600 and 800 series.
- Open notepad. Type in some random characters.
- Click Start/Shutdown, and hold down ctrl+shift+alt while clicking "Cancel": this closes the shell, while notepad keeps running (a less known, yet documented trick to close explorer.exe as the shell while remaining logged on).
- Remove all paper from the printer, then print the document from notepad.
- A tabbed dialog will pop up with a message about the printer being out of paper, and diagnostic and help tabs. That dialog also gives access to the help file that came with the driver, from there you can go to the printing problem solver, and there you can open the printers control panel.
- Do that. The printers control panel will be opened in explorer, but because explorer.exe is also the shell and no other instance is running, it will start as the shell instead and your desktop and taskbar will reappear.

Congratulations. You are now logged in with system privileges, because the HP driver displays the error message under the system account, the help file inherits the privilege, and so does explorer in its turn.

Re:Pot, meet kettle

[sql*kitten]

secure myself from X issues by using X tunnelling. How do you secure yourself from this problem then?

I use Sun DES.

Re:Pot, meet kettle

[gorf]

Sorry, I meant the Windows security problem this article is about by this. I was wondering how you protect yourself from it since according to you a competent sysadmin can do so.

Re:Pot, meet kettle

[Bun]

Someone should really mod the parent up.

Re:Pot, meet kettle

[sql*kitten]

Sorry, I meant the Windows security problem this article is about by this. I was wondering how you protect yourself from it since according to you a competent sysadmin can do so.

Is this a Windows security problem? Any application on any OS that runs as a privileged user and displays an interactive window on the desktop of an unprivileged user would be vulnerable to this class of attack.

So - and this is basic good practice, since *any* machine that a user has physical access to can be compromised - store all your valuable data on a system under ACLs which cannot be accessed by any authenticated user who is not in the right groups, let alone non-Domain users. If a user gets Administrator on their local machine, the most they can do is mess up that machine. And keep your servers in a secure data center. You need to do this on Sun networks just as much as you need to on Windows - the client device is *never* to be trusted.

Re:Pot, meet kettle

[Hassan79]

Is this a Windows security problem? Any application on any OS that runs as a privileged user and displays an interactive window on the desktop of an unprivileged user would be vulnerable to this class of attack.

No. The OS must have a message passing system that makes it possible for an unprivileged application to send a message to a privileged application, together with a pointer to a function that will be executed with the privileges of the privileged application.

Re:Pot, meet kettle

[gorf]

Desktop access != Physical access (ever heard of Windows Terminal Services?)

Your solution isn't really the answer. You're doing something that shouldn't be necessary. Everyone generally accepts that local unprivileged user->any more privileged user is a bug (and yes, I'm not trying to prove that it is an MS bug, but it's still a bug).

What about where multiple people who need to keep seperate use the same machine via Terminal Services? What are you saying, buy a machine for each? Doesn't that defeat the point (of course, then you don't run anything that runs as LocalSystem on their desktops)? If that is what is required then what exactly are Microsoft selling?

Re:Pot, meet kettle

But remember, Microsoft provides the way out from dependence on expensive skilled system administrators.

Way around the standard?

[Jeppe+Salvesen]

What if the gcc/libc people made sure that the compiler issued big, loud warnings whenever sprintf() and other vulnerable functions were used/compiled? Would that explicitly break the standard?

The man page needs updating too, there is a mention of the overflow potential in the "bugs" section, but it's not explicit enough (IMHO).

Shoddy work, mistake in the whitepaper!

[dannannan]

This white paper makes several allegations, not the least among which is that there is no way for a user-mode app to mitigate the security risk it presents. This is untrue, however, and appears to be the result of a failure to investigate properly on the part of the author! User mode applications can be rewritten to guard themselves against malicious Win32 message-based attacks. That's because every user-mode app has full say in how every message is handled, contrary to the white paper.

From the paper: "As far as I know, the message [WM_TIMER] doesn't even go into the message queue, so the application doesn't even have a chance to ignore it."

The previous post follows the theme with: "It's like opening a socket for doing basic network communication and Windows API allowing certain pre-determined 'helper' messages to be handled by OS before your app has any say to handling."

Dave at Microsoft did a thorough investigation with the developers who were familiar with the relevant code and replied to the author before he released his white paper (8/5/2002): "It is the implementer of a program that decides what messages to handle and how to handle them."

The author could possibly have arrived at his erroneous conclusion by writing a test app and monitoring calls to a message handling routine when certain types of messages were sent to the app. Observing that a WM_TIMER message sent to the app was processed without the application-supplied message handler being invoked, one might conclude that it is therefore impossible for an application to guard against WM_TIMER-triggered attacks. This test is flawed.

The standard message dispatching pattern you'll find in common Win32 programming books (e.g. "Teach Yourself Windows 95 Programming in 21 Days" by Charles Calvert) and even in sample code from Microsoft goes like so:

1. Wait for a message to arrive in the queue (GetMessage)
2. Optional logic to crack certain types of messages for easier handling later (e.g. TranslateMessage)
3. Dispatch the message for handling by an application-specified handler routine (DispatchMessage).
4. Repeat until a special message arrives that breaks the loop.

No message is processed until the application calls DispatchMessage. DispatchMessage contains special-case logic which handles WM_TIMER and WM_SYSTIMER events *without* invoking the application-supplied message handler, which is why tests similar to the case I mentioned above don't show a call to the message handler for WM_TIMER messages. However, the message will only be processed if the app calls DispatchMessage.

Applications can guard themselves by inserting a (possibly non-trivial) step 2.5 into the pattern above: security filtering of messages prior to dispatch.

So, the basic Win32 thread messaging API calling patterns are flawed when used in situations where applications with different privilege levels coexist on the same desktop. Dave already pointed this out in his email response to the white paper author on 8/5/2002. Message filtering needs to be added to those specific applications in those cases if there is to be any measure of security.

Also, the most privileged service applications (those that run as LocalSystem) can't create windows on the interactive desktop by default, which means that they aren't vulnerable unless someone checks a box that says that they should be! That feature must specifically be enabled (see the "Allow service to interact with desktop" checkbox in the Services UI). Services that run in security contexts other than LocalSystem don't even support the "interact with desktop" functionality.

The conclusion of the whitepaper -- that there is no way to write a service to be secure -- was not proven. The author should have done a better job of investigating his claims before publishing this paper.

This really boils down to a case of poorly written services exposing more "services" to users than they intended to. Several good posts on this /. topic echo that too. At least we've raised awareness.

D

Re:Shoddy work, mistake in the whitepaper!

[Old+Wolf]

High-level IDEs (eg Visual C++, Visual Basic, C++Builder etc.) automatically provide message queue processing for each control. Even with the message you are suggesting, one would have to filter the calls to DispatchMethod. To secure an application against this attack would be a monumental piece of work -- to write your own message handler for every control, and filter out all possible harmful messages (or alternatively, filter in exactly the messages you want). And then for the dangerous messages (WM_TIMER etc). you have to figure out whether it was a real timer in your application, or a spoofed timer message.

I'd hate to see the source code of a program like this.

Re:Shoddy work, mistake in the whitepaper!

[dannannan]

Yes, it would be a daunting task, and you'd never find all the bugs.

But the only people who need to worry about this are the people who are going against Microsoft's recommendations by writing service code registered to run as LocalSystem who either (A) have desktop interaction enabled or (B) are writing code to change window station ACLs or are making calls to SetProcessWindowStation/SetThreadDesktop to allow for this interaction.

There's no possibility for elevation of privilege via this exploit otherwise.

D

Hijack!

Destroy-Windows-NOW!!!

WARNING Virus in article download!!!!!!!

[Ignavus+Anonymous]

Watch out when downloading the 'shatter' application!!!!!!! It contains a virus!

This is not a troll. Check it yourself: This an infected file

Norton reports:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Beavuh
File: H:\Documents and Settings\Username\Desktop\shatter\sploit.bin
Loca tion: Quarantine
Computer: MACH5
User: Username
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Wed Aug 07 13:26:14 2002

Re:WARNING Virus in article download!!!!!!!

I don't think it's a virus *per se*. It's just shellcode
which your anti-virus software probably matches to the
signature of a known virus.

Re:WARNING Virus in article download!!!!!!!

[jeremyp]

So your AV is doing its job properly. It doesn't know that you actually *want* that exploit.

Re:WARNING Virus in article download!!!!!!!

[grub]

bzztt.. sorry Buckwheat, Kaspersky AV doesn't detect a virus. Likely Norton sees Evil 3l337 sh3ll c0d3 and gives you a false positive.

Re:WARNING Virus in article download!!!!!!!

[japhmi]

The web site says:

PLEASE NOTE: Some virus scanners are alerting people to the presence of a "Win32/Beavuh" virus within the sploit.bin file in the Shatter zipfile. This is not a virus. The scanner is correct in flagging it - the code in this file is designed to open a command shell and bind it to a network socket. This is a bad thing to do in general, so the scanner is correct in generating an alert. This code is designed to be malicious in terms of its functionality, but the scanner is incorrect when labelling it as a virus.

So, it looks to the virus scanner to be a trojan horse, and the antivirus is smart to see it -- but in this case you want it.

Re:WARNING Virus in article download!!!!!!!

[Disabuser]

Caps in subject: check
Abuse of exclamation points: check
Claim of authenticity: check
Misinformation: check

A nice effort, but I have to deduct points for the omission of "Forward this to everyone in your address book!!!!".

Re:WARNING Virus in article download!!!!!!!

[planckscale]

Thank you I am grateful for your keen eye.

So just use Windows2000 instead of XP

who in the world thought XP was secure?!

Wrong (Re:Fixability)

[Kruemelmo]

The win32 reference states that the "WH_GETMESSAGE hook enables an application to monitor messages about to be returned by the GetMessage or PeekMessage function. You can use the WH_GETMESSAGE hook to monitor mouse and keyboard input and other messages posted to the message queue."

Read the reference... SendMessage does not place messages into the thread's message queue. They are not being posted. They are also not being picked up by GetMessage or PeekMessage; instead, the window procedure is called directly.

Re:Fundamental flaws???

The beauty of slashdot is that anyone with an opinion counter to the "Linux Rules" mindeset is listed as -1. Unfortunately you can't mod down reality. I'm sure someone could break into your house and do some serious damadge, but if this happened would you say that the maker of your house did a crappy job because you didn't have security?

While there needs to be security, there also needs to be usability. Microsoft has admitted they need to secure Windows and are working on it. Linux is an ancient, outdated piece of crap. What are you guys doing about it? Where's multi-threading in Linux? Oh, that's right. If Linux doesn't have something then it's not needed. How long did it take to get a reliable file system that doesn't cause you to loose your whole hard drive if you have a power outage?

Right now Linux is a confused mess of new and old technologies trying to build on top of an outdated foundation that, while it works, doesn't reach the ultimate goal of making computers easier for people to use. And maybe that's the issue. Maybe noone here WANTS computer to be easier because then you couldn't feel superior to the rest of the world.

-Reality

Re:Why are people pretending this is not a problem

[Old+Wolf]

Windows regularly process thousands of messages per second. Checking each one for security credentials would slow down everything. I would even go so far as to say that on older hardware, when Windows 3.1 was being developed, it would have made the system completely unusable.

Re:Why are people pretending this is not a problem

[tlambert]

Windows 3.1 dosn' have memory protection, so messages are the least of my worries. I can just rewrite code pages willy-nilly, instead of having to be clever and use messages.

We ware talking about fixing Windows as it exists today, and as it is being claimed to be "unfixable".

Unix checks credentials *all over the place*, any time you make a call into the OS.

In Windows, the only place you'd need to check is in the message sending functions, in KERNEL32.

One of those credentials, the sender's is going to be cached, and the receivers is going to be available with an add and a register dereference, since you have to have the queue available to enqueue it anyway.

Also, don't forget that the vast majority of these messages come from the UI, which is connected to a human being, whih is significantly limited in it's ability to generate messages as fast as Windows can sink them.

The major issue would be Winsock's hidden window for asyn WSOCK32 API implmentation. That's not an issue on any version of Windows that uses the BSD stack, rather than implementing it in user space (quick rule of thumb: if you can register a File I/O completion event, then your socket is a file descriptor, and your TCP/IP is implemented in the kernel, rather than in user space).

In other words, it's not a problem.

-- Terry

Easy Fix

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Windows\NoInteractiveServices = true

done and done.

Only affects security where it doesn't matter

[Joe5678]

The only situation where this will really affect security is the home user. Any situation where this could affect a corporate network.... well... they deserve it then.

The only thing this exploit will allow you to do is root the machine. Big deal, this gives you access to files on that machine, but you already had access to that machine, and in a Domain, local admin access doesn't get you squat. Only situation where it really matters is if the domain admin runs it on a domain controller, at which point he deserves what he gets.

Princess Bride

[MacGod]

Microsoft: "Security"

Everyone else "You keep using that word. I do not think it means what you think it means."

um.....duh??

you didnt read the friggen article did you buckweat?

WM_TIMER

[LemonYellow]

It's even easier to fix than that. Only the OS is meant to write WM_TIMER messages to the queue, so Post/SendMessage could filter out any attempts to post WM_TIMER. Simple.

Re:WM_TIMER

[Wumpus]

Not really - in some cases (subclassed windows, for example), a control's window procedure might want to trap a message, and then re send it.

Re:Having access to the machine kills security any

[demon]

Only if you didn't secure your bootloader like a good little boy/girl. There are measures that can be taken. (Admittedly, none are foolproof.)

It is removable from Windows NT

[burgburgburg]

It gives you warnings, but it is removable.

Re:Don't Do That - my uni is telling me to do this

im doing a c++ unit at charles sturt uni (www.csu.edu.au) not prestigious by any standard.

we get told, and a subject readings say to use strcpy() and strcat()

what should i be using to copy and join strings?

Yeah, but they don't have any windows

[Mr+44]

Being marked interactive is OK as long as they don't create windows (which they don't).

Piss-poor analogy

Simply logging onto the box and running XWindows doesn't allow you to root the box.

Running Win32 does.

HUGE difference.

Re:Piss-poor analogy

Please learn to read before you try to write.

Logging on to win32 does not allow you tyo root the box, you need to install and run a badly written app first.

It is perfectly possible under *n*x to write and install a program that gives any user root privileges.
Does that mean that *n*x security is broken?

Re:Don't Do That - my uni is telling me to do this

[cpeterso]

use strncpy() and strncat(). This functions let you specify that byte length of the destination buffer, so the function does not write past the end.

WARNING! strncpy() and strncat() are still dangerous. If the destination buffer is too small, the string in the destination buffer will NOT be null-terminated! So every time you call strncpy(), strncat(), or snprintf(), you should manually null-terminate the destination buffer just in case. For example:


char destBuffer[20];
strncpy(destBuffer, srcBuffer, 20);
destBuffer[19] = '\0'; // null-terminate the string just in case!!

Don't Get It !!!

How entering data in Entry Field can corrupt executable code ??? Entering data in Entry Field should at maximum corrupt the same Data Segment. NOT the Code segment. What has Microsfot done with protected mode programming ? Fix this and bye bye - Nimds, CodeRed, EntryField exploits.

Explanation of 14 platforms

[allanj]

The 14 platforms would be: ZX81, BBC B (huh?), Windows 3.1, Windows for Workgroups, Windows 95, Windows 98, Windows ME, Windows NT 3.51, Windows NT 4.0 Workstation, Windows NT 4.0 Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition and Windows XP Pro Edition. And that's not even counting service packs!

Never worked on a multiuser, secure system?

Have you?