Slashdot Mirror

← Back to Stories (view on slashdot.org)

Shattering Windows

Posted by timothy on from the fundamentalism dept.

ChrisPaget writes: "I've just released a paper documenting and exploiting fundamental flaws in the Win32 API. Essentially, they allow you to take control of any window on your desktop, regardless of whether that window is running as you, localsystem, or anywhere in between. The technique has been discussed before, but AFAIK this is the first working exploit. Oh, did I mention it's unfixable?" You may want to read this CNET interview with Microsoft security head Scott Charney to learn even more about "trustworthy computing."

13 of 772 comments (clear)

  1. Ummm... 'Kay by handorf · · Score: 4, Insightful

    So basically you're saying that if you can get a user to run arbitrary code and that user has access to applications with higher access rights, you can get those access rights.

    If you can get the user to run arbitrary code, they're already dead.

    Not to say that windows is secure, but this seems to be picking nits to me.

    --
    -- IANAEG - I am not an elder god.
  2. Re:Take control? by Moridineas · · Score: 4, Insightful

    Why on earth is it crashing? Check your event logs. That should NOT be happening--sounds for sure like a hardware failure.

    Here's the output from the "systeminfo" command on my work computer fyi:

    Original Install Date: 3/15/2002, 11:24:37 AM
    System Up Time: 60 Days, 6 Hours, 36 Minutes, 21 Seconds

  3. Re:Is this really a security risk? by topham · · Score: 5, Insightful

    A user opens a damn attachment, which you've told them not to do a hundred times, but one of them does it anyway...

    No problem right, the attachment runs as that user and the damage is restricted? Only it isn't, because the attachment escalates itself to localsystem privledge and now starts really screwing around.

    With any luck it drops itself on the network somewhere and some other soul mistakenly runs it and it gets domain privledges...

  4. Re:Fixability by erasmus_ · · Score: 4, Insightful

    Finally, a constructive response to the problem. However, since you still don't have the capability of seeing what the source of the message is, I don't see how you can drop all of those messages with 100% certainty. Those API calls are there and are used legitimately as well, for better or for worse. So although your way coulf fix things, I wouldn't be surprised to see it breaking some applications along with it.

    --
    Please subscribe to see the more insightful version of th
  5. Yes, but who's fault is it? Not MS'! by Otis_INF · · Score: 4, Insightful

    When I put a service on Win2k, running under 'System' and that service listens to a port and executes all the crap that is posted to that port, is it MS' fault? No. It's the fault of the developer of the service.

    Now, under win32, the application you start, runs under the user you log in with. The virusscanner window in the example, SHOULD run under the user that is logged in, but instead, it's a GUI created from the service, running under 'System'.

    Bad programming. Not from Microsoft, but from the Virusscanner developer. They should have created, AS stated by MS, a GUI less service (the virusscanner engine) and a GUI application which talks to that service via a named pipe or any other process communication mechanism. That GUI should then be started by the logged in user (since that user sees the gui and works with it), so there wouldn't have been ANY flaw like this, since the GUI isn't ran under 'System', but under the user who's logged in, in the example the 'guest' account.

    It sounds serious, it's absolutely nothing.

    Oh, and it takes a local user to exploit it. Get a huge hammer and give it to the local user. Ask that user to smash the computer. There ya go, a DoD attack which isn't fixable, you can get that attack-script at any hardwarestore.

    --
    Never underestimate the relief of true separation of Religion and State.
  6. Re:Don't Do That by Rick+the+Red · · Score: 4, Insightful
    Exactly! You could write a similarly flawed Linux application that someone could exploit to gain root access.

    Some Windows apps are not secure. News at /.

    --
    If all this should have a reason, we would be the last to know.
  7. Re:Take control? by MORTAR_COMBAT! · · Score: 5, Insightful

    completely agree. nearly ever XP and 2K blue screen i had was due to:

    1) faulty hardware, e.g., bad memory chip
    2) incredibly bad driver (which admittedly shouldn't crash the OS... but that's another discussion)
    3) incredibly, incredibly bad software (which again shouldn't crash the OS... but that's yet another discussion)

    --
    MORTAR COMBAT!
  8. Re:Don't Do That by cpeterso · · Score: 4, Insightful


    sprintf() is defined in C89. Good luck getting rid of it.
    Why not? GNU prides itself in being "not Unix" and has been known to write code with identifiers like POSIX_ME_HARDER. Why can't glibc help make the world a better place by dropping dangerous functions, such as gets(), sprintf(), strcpy(), strcat(), etc. Safer alternatives to these functions exist and their use should be forcefully encouraged.

    If glibc does not want to break source compatibility so drastically, they could move the dangerous functions to a new header such as "bufferoverflow.h". Or require the user program to #define GNU_BUFFER_OVERFLOWS_PLEASE before including stdio.h.

    Sure this makes porting to GNU slightly more difficult, but I think GNU can pull this off because they have enough clout with developers and no profit motive to worry about!

    --
    cpeterso
  9. Re:Virus in his code by kawika · · Score: 5, Insightful

    Duh! The exploit is *intended* to be malicious code that causes a buffer overrun in an application and could be used to break into a system. That's the point!

    Hint to moderators: Try "Funny" next time.

  10. Re:Don't Do That by pclminion · · Score: 5, Insightful
    Why can't glibc help make the world a better place by dropping dangerous functions, such as gets()

    Because that's ANSI/POSIX standard.

    sprintf()

    Because that's ANSI/ISO/C99 standard.

    strcpy()

    Because that's POSIX/ISO standard.

    strcat()

    Because that's POSIX/ISO standard.

    Are you done ripping on GNU now?

  11. This is the absolute stupidest thing Ive ever hear by gamorck · · Score: 4, Insightful

    Look... I'm in no hurry to defend Microsoft but being as I develop for their OS on a daily basis - its common knowledge (or should be) that anybody who runs a service under system privileges that presents a GUI to any old user - is a fucktard that simply needs to die. Yes this problem can be fixed by MS using the 2nd option indicated in the paper and yes it would mean these crappy designed apps written by third parties would have to be rewritten.

    Microsoft specifically reccommends that you do not run services and allow them to interact with the local desktop. Doing so is security suicide. Thats how VirusScan was running. Therefore its a McAfee issue since there are about a bazillion better ways to write this app.

    J

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  12. Re:Evolving Concepts at Microsoft are Frightening by rseuhs · · Score: 4, Insightful
    Actually, the most important part of Microsoft-trustworthy computing is:

    "We don't trust you."

  13. Ummm NO by spacefrog · · Score: 4, Insightful

    How are you arriving at the conclusion that this dialog runs with system priviliges?

    IT DOESN'T

    The GUI comes from a DLL running inside the process space of MMC.EXE. It uses a fairly secure RPC/IPC mechanism to talk to Windows.

    A simple trip through spy++ will even tell you the owner process in about 5 seconds.