Shattering Windows

ChrisPaget writes: "I've just released a paper documenting and exploiting fundamental flaws in the Win32 API. Essentially, they allow you to take control of any window on your desktop, regardless of whether that window is running as you, localsystem, or anywhere in between. The technique has been discussed before, but AFAIK this is the first working exploit. Oh, did I mention it's unfixable?" You may want to read this CNET interview with Microsoft security head Scott Charney to learn even more about "trustworthy computing."

Someone discovered Windows is insecure.

[SpanishInquisition]

Film at 11

Re:Someone discovered Windows is insecure.

[DickBreath]

>>Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
>So, unless I run Linux or BSD or some other OS, "Uncle Bill" owns my computer!

Soon you won't be able to run Linux or BSD. Since the bad guy seems to be having less and less success "persuading" people to run his evil program, he has to find other means to make your computer into his computer. Best way to do this: subvert the hardware. (i.e. Palladium)

Re:Someone discovered Windows is insecure.

[DickBreath]

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.

Isn't this referred to as Windows Update? (You know, where a bug fix or security patch is used as a weapon or extortion to coerce you into giving unsupervised remote root access to your comptuer in the future, permission to disable other software, etc.)

When I was in school, (a long time ago in a galaxy far far away..., when I saw Star Wars 37 times my first semester, and we're talking first release) there was a policy about computer abuse. One of the things I recall it mentioning was that unsupervised remote private access to a computer tends to invite a certian level of abuse.

Isn't this in the EULA anyway?

[Dynamoo]

"Essentially, they allow you to take control of any window on your desktop".. sounds like it's straight out of Microsoft's new EULAs.

Re:Isn't this in the EULA anyway?

[MaggieL]

And note the observation in the reply from MSFT:

"In our essay,the "Ten Immutable Laws of Security", these are Law #1-- 'If a bad guy can persuade you to run his program on your computer, it's not your computer anymore'".

Of course, MSFT isn't a "bad guy"...oh, wait... they were convicted, weren't they?

I guess if you apply XP SP1 it's not your computer anymore...

Ummm... 'Kay

[handorf]

So basically you're saying that if you can get a user to run arbitrary code and that user has access to applications with higher access rights, you can get those access rights.

If you can get the user to run arbitrary code, they're already dead.

Not to say that windows is secure, but this seems to be picking nits to me.

Re:Ummm... 'Kay

[ptomblin]

You misunderstand. He's talking about NT/2000/XP, where you have privilege and non-privilege accounts, and where even as a non-privilege account, you can have stuff running as the Windows equivalent of "root", and you can use any window that "setuid root" application pops up to root the box yourself.

The example he gave is the anti-virus program that runs with administrator privs (because it has to do stuff to the registry), when you're logged in as Joe User without admin privs. The anti-virus program pops up a window, and bam, you've hijacked the window, given yourself admin privs, made a new administrator login for yourself, and you're away to the races.

Re:Ummm... 'Kay

[handorf]

Right... a non-priveleged user has access to a window running a more-priveleged account.

But the window must be in the user's workspace. You can impersonate the user, or, if the software in question has bugs in it (buffer overruns, etc), you can exploit those.

If the user doesn't have any access to these programs (which they probably shouldn't in a truly secure environment) it isn't an issue. Turn off the user component.

Look at it this way... if you have a X window to a SUID program running and you run arbitrary code... you could well be screwed. This isn't any different.

Still, I'm back to my "If the user runs unknown code, they're screwed". There will always be SOME bugs in ANY operating system which can be exploited if you can get a user to run arbitrary code. Which is why encouraging good user habits are so important.

Re:Ummm... 'Kay

[MisterBlister]

Yeah but in any case, software companies could work around this without breaking the Win32 API just by seperating out the parts of the code that need special privledges from the user interface code and use a secure message passing system (not based on standard windows message passing) between the two.

Of course, the fact that apps aren't doing this goes to show that at the very least Microsoft has some education to do when it comes to developing secure 3rd party apps, but its not nearly as earth-shatteringly broken with no hope of being fixed as the paper author lets on.

Re:Ummm... 'Kay

"If the user doesn't have any access to these programs (which they probably shouldn't in a truly secure environment) it isn't an issue. Turn off the user component."

You don't understand. The example antivirus program would be running, even if the user component was off. if its running, it can receive messages. if it can recive messages, it can be 'rooted' by the user.

Re:Ummm... 'Kay

I think you're missing the point....(either that or I missed your point).

These are techniques that an attacker can use to escalate their privileges. If they can get guest-level access to a machine, these attacks allow you to get localsystem privileges from any user account.

and

Even worse is the case of Terminal Services (or Citrix). Imagine a company providing terminal service functionality to their clients, for whatever purpose. That company is NOT going to give their users any real privileges. Shatter attacks will allow those users to completely take over that server; localsystem privileges are higher than the Administrator, and on a shared server that's a problem. Oh, and it doesn't require console access either - I've successfully executed these attacks against a Terminal Server a hundred miles away.

Re:Ummm... 'Kay

[handorf]

It can only receive messages if there is a window associated with it. (Which may be hidden)

As another poster said, administrator level programs that interact directly with the desktop of a non-privledged user are a big no-no. (Not to say they don't exist, but they shouldn't).

No OS design will keep a developer from creating an insecure app when their app runs as administrator.

Re:Ummm... 'Kay

[handorf]

If you give the user access to a privledged UI, you trust them. (If you don't and you accidentally give them access to that UI, you shouldn't be admining or you shouldn't be using that program)

If you trust a user, they should have good habits.

Combine these two and you're back to just badly written applications are insecure, which is true everywhere.

Re:Ummm... 'Kay

[belroth]

If you give a guest user access to ANY program which runs as administrator (e.g. an antivirus UI) I have to say you deserve what you get.

This translates to "If you run windows you deserve what you get". If you run windows all users have access to priviledged programs....

Re:Ummm... 'Kay

[handorf]

Huh?

If you run windows all users have access to priviledged programs....

What do you mean by that?

Re:Ummm... 'Kay

[Wumpus]

Actually, with careful timing, you might be able to pull this attack off on an app that doesn't have ANY windows. If the application in question makes use of the WM_COPYDATA message, this might prove to be trivial. Even if it isn't, you can still map arbitrary data into an application's memory space using WM_COPYDATA.

Here's the WM_COPYDATA documentation. Read it and tremble in fear.

Re:Ummm... 'Kay

[handorf]

I'm curious what you're suggesting with the timing issue.

As far as the WM_COPYDATA... well, yes. Programmers using WM_COPYDATA should ALWAYS be damned sure they know what they're getting when they get that message. And after they've checked that it's not dangerous, they should check again. And then they should probably go find another way to implement the desired funcitonallity. WM_COPYDATA has always been a terrible hack, as I recall.

Re:Ummm... 'Kay

[Doomdark]

As another poster said, administrator level programs that interact directly with the desktop of a non-privledged user are a big no-no.

Maybe so, but there's more Windows messaging system does (by allowing nifty shortcuts) than what typical suid app would. Read the article for god's sake.

Basically, it has similarities with Outlooks "execute anything on sight when user does something". Messaging system allows code to be executed without app having any way to intercept those calls. And those calls come from lower privileged level.

In this particular case it seems perfectly reasonable for the privileged app to expect that GUI components in question just do their UI stuff, instead of providing an instant code execution path. It is once again that Windows really makes thing easier... similar vulnerabilities potentially affect all/most message based GUIs / OSes, but not as easily as with Windows.

Re:Ummm... 'Kay

[Wumpus]

You missed the point, I'm afraid. Once the data has been copied into the exploited app's address space, nothing the developer does can secure it 100%. The described exploits relies on two properties of the Win32 API:

1) It lets you copy arbitrary data into another process.
2) It lets you force another process to jump to an arbitrary address by faking a WM_TIME message. It's actually the default window procedure that does this.

So, in theory, there should be a certain class of applications that would allow you to inject an exploit into their address space, using WM_COPYDATA, and then jump to that data (from another thread, possibly, introducing the delicate timing issues), and executing it. Note that this can be done before the application code gets a chance to look at the WM_COPYDATA message.

Upon closer reading of the WM_TIMER message documentation, several things come to mind that could make this attack less problematic. The OS could filter all WM_TIMER messages, and discard the ones whose LParam doesn't contain an address that was previously registered as a timer callback.

Re:Ummm... 'Kay

[davebooth]

The point remains that it isnt a question of "a user runs unknown code, they're screwed" - in this scenario the USER is the attacker.. they already have a legit account but it doesnt have administrator privs. They want to get past some restriction on their account - like maybe locate and disable any nasty corporate keyloggers that might get them fired for pr0n-mining, or plant some nasty stuff on a shared PC to grab other accounts credentials so somebody ELSE gets fired for it? Lots of attacks come from inside and lots of *nix attacks are described as "local root" compromises - thats what we have here.

To rephrase your statement its more a question of "if a user can get localsystem privs by running arbitrary code, you (as the sysadmin) are screwed."

This isnt specific to windows or any other OS for that matter. If any user can get arbitrary code to run with a higher privilege level than their own, this kind of hole exists.

Re:Ummm... 'Kay

[davebooth]

OK, clarification is in order here. This particular incarnation of the problem is indeed, as you so rightly point out specific to the win32 API. I promise you I never disputed that. I made 2 separate points in my earlier post.

• This is a variant of the "local root exploit" type of problem and as such is not as minor as the MS response to notification would have us believe. I think I can be fairly confident you agree with that point :)
• Local privilege escalation exploits in general are not specific to windows or any other OS and they are a problem wherever they appear.

It was not my intention to link these two points into implying that a win32 exploit can somehow be viable on other OSs that dont use this API and I apologize for not making it sufficiently clear.

Re:Ummm... 'Kay

[ThePilgrim]

At what level does the desk top run at? (HWND id = 0)

Hear you have a known window id can you exploit it.

Re:Ummm... 'Kay

[dannannan]

The real point is that the only apps that are insecure are the ones at the same privilege level as the user, or poorly written services that the administrator never should have installed.

This is because you can copy arbitrary data into another process but only if it's got a thread on your desktop.

Which applications would those be?

• The vast majority of them will be ones running as you. So you can subvert a process running as you. Big deal.
• The unlucky among us may have installed a hack job service, granting it LocalSystem access at the time they installed it. This service explicitly configured itself to be able to interact with the interactive desktop. !!!Big news!!! Hack job service compromises system!!!

A closer look at the "Overview" section of the white paper reveals that it opens with "In this example, I will be exploiting Network Associates VirusScan v4.5.1...", so this whole article looks like the case of the unwisely configured service.

This is all very simple, and it's been this way for years: if it runs as LocalSystem, uncheck the "Allow service to interact with desktop" box. Then there's no risk. You can't copy arbitrary data into the process, and you can't send it WM_TIMER messages. If you install a service app and it turns that option on, maybe you should look for a vendor with a higher quality product. And just to be on the safe side, set NoInteractiveServices to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Windows.

(By the way, you're right that the bit about WM_TIMER in the white paper isn't even correct. The app that receives it has the opportunity to drop the message without dispatching the callback function, contrary to the white paper, whose author didn't even bother to investigate that claim before blurting it out.)

D

Re:Ummm... 'Kay

[handorf]

OK, but that AV program (which needs rights to run) shouldn't have a privledged UI.

Re:Ummm... 'Kay

[Wumpus]

Thanks for the information. If nothing else, this discussion shows that the problem reported in the article is more application specific than the author would have you believe it is.

This kind of exploit should be documented and understood by application programmers, of course. It's in the same class of bugs as using strcpy() on arbitrary user input. If you interview someone for a programming position, and they can't tell you why that's a bad idea, you should be worried.

Mirror, in case:

[Saint+Aardvark]

http://saintaardvarkthecarpeted.com/mirror/shatter .html

Re:Take control?

[Moridineas]

Why on earth is it crashing? Check your event logs. That should NOT be happening--sounds for sure like a hardware failure.

Here's the output from the "systeminfo" command on my work computer fyi:

Original Install Date: 3/15/2002, 11:24:37 AM
System Up Time: 60 Days, 6 Hours, 36 Minutes, 21 Seconds

Microsoft has had 7 years of warning.

[Quasar1999]

Microsoft was told about this flaw when it was first discovered 7 years ago. They still haven't fixed it.

In other news, microsoft is sueing the cnet for making a flaw public news. They claim they needed more time to fix it, 7 years just isn't enough time to fix the bug and test the patch...

Re:Microsoft has had 7 years of warning.

[donutello]

Read the article. I'll quote from the response included in the article.

It is the implementer of a program that decides what messages to handle
and how to handle them. This also means that an attacker needs to
figure out a way to use windows messages to actually get the application
to do anything useful to the attacker. Given this, I would recommend
that you contact the program's owner and let them know of your report.
There may or may not be a vulnerability for them to address, but the
program's owner should determine that.


It's a matter of design how an application reacts to messages.

Re:Microsoft has had 7 years of warning.

[DunbarTheInept]

The point is that the *default* behavior you get if you don't *override* one of the message handlers is the one that has the exploit. It's one thing to say that it's the application's fault when it opens a hole by code *it* added. It's something else entirely to say that it's the application's fault when it failed to write extra code to override some exploitable default behaviour. Any Windows program that has any GUI has this hole *unless* it overrides the default behaviour for the messages in question.

Re:Microsoft has had 7 years of warning.

[Old+Wolf]

The only way to fix this, at the OS level, would be to implement some sort of ACLs for windows messages. Apart from making things staggeringly slower, it would break all existing applications. Most Windows applications use timers.

Fixability

[Wrexen]

What's to prevent an administrator from installing a Message Hook that eats all EN_* or WM_TIMER messages sent between processes? Since your DLL would be living in each process space, you could detect inter-process message sending and block the attack from ever leaving the Shatter process. I don't see any reason why this shouldn't work

Re:Fixability

[erasmus_]

Finally, a constructive response to the problem. However, since you still don't have the capability of seeing what the source of the message is, I don't see how you can drop all of those messages with 100% certainty. Those API calls are there and are used legitimately as well, for better or for worse. So although your way coulf fix things, I wouldn't be surprised to see it breaking some applications along with it.

Re:Fixability

[Wrexen]

The basic idea would be to install a WM_GETMESSAGE hook. Contrary to what the writer believes, all messages must go through the queue. No two ways about it. At the hook level, we just examine the message and look for suspicious activity. Simplistically, all that really needs to happen is to look for EM_SETLIMIT and cap the WPARAM at some small value. It might also be good to remove callback addresses from WM_TIMER, or add verification (is the destination address part of the loaded executable space?). Most applications won't use the callback feature of WM_TIMER anyway.

Re:Fixability

[HopeOS]

A cursory look through the hook API does not suggest that one can block messages based on the calling process. There appears to be a way to determine if the current thread made the call, but that is largely useless. Threads post inter-thread messages all the time. The real question is whether that thread belongs to the same processes as the receiving window.

The callback function has the following prototype:

LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam);

nCode specifies handling semantics.
wParam specifies whether the message was sent by the current thread.
lParam is a pointer to a CWPSTRUCT structure.

The CWPSTRUCT contains the following:

typedef struct
{
LPARAM lParam;
WPARAM wParam;
UINT message;
HWND hwnd;
} CWPSTRUCT, *PCWPSTRUCT;

There is nothing of use here that would permit a filter to determine the origin of a message. At most it could kill all inter-thread messaging, seriously breaking multi-threaded applications.

-Hope

Re:Fixability

[Glorat]

Contrary to what the writer believes, all messages must go through the queue.

Correct me if I'm wrong but I'm pretty sure that PostMessage puts a message on the queue whereas SendMessage skips the queue and gets handled straight by the application without examination. Of course, an application could handle every message but in practice 99% of applications will leave the default windows handling of most messages. (Handling all manually is not feasible).

cap the WPARAM at some small value
I think you misunderstand that. WPARAM is a fixed size double word (4 bytes). The problems is that it is often used as a pointer to a memory location. Obviously, you can't cap the target of a pointer since no information is possed in the length

Most applications won't use the callback feature of WM_TIMER anyway
AFAIK, if you don't handle the callback feature (99% of apps), you get the default handling which is to execute the code as the article describes

Re:Fixability

[Wrexen]

You shouldn't be running terminal servers on your DB machine or webserver anyway, or be allowing random strangers with floppy disks to approach the machines. The total overhead would be probably about as much as your average virus scanner, and worse for UI intensive apps.

I think the real point is that virus scanners worth their salt will detect this anyway -- how often does a user need to paste hex data into a textbox? Blocking any paste operation with characters resembling machine code would be yet another reasonable work-around. "Not fixable" is FUD, this time directed at MS

Re:Fixability

[Wrexen]

Correct me if I'm wrong but I'm pretty sure that PostMessage puts a message on the queue whereas SendMessage skips the queue and gets handled straight by the application without examination
No. Both place messages in the queue, the difference is that PostMessage does not give you the return value of the message (and hence does not block).

I think you misunderstand that. WPARAM is a fixed size double word (4 bytes)
Exactly, but for the message EN_SETLIMIT, this is not a pointer.

AFAIK, if you don't handle the callback feature (99% of apps), you get the default handling which is to execute the code as the article describes
Which is why we would block timer messages with a callback parameter

Re:Fixability

[b0bd0bbs]

AFAIK you can still allocate ring 3 descriptors via windows DPMI calls, change them to ring 0 descriptors via an LDT mapping (which is legal in pmode the way windows sets things up), then execute any code in your program as ring 0. Woohoo. That *feature* has been around for at least 6 years.

Re:Fixability

[Uller-RM]

Not even really that - Hooks aren't allowed to modify messages, only watch them.

The only way I can see to defend against this is to carefully initialize all windows in the system before starting the message pump, using careful calls to GetMessage() with range filtering and checking the wndproc pointer at every step to make sure nobody's subclassed it from under your nose. Then, subclass all child windows to ignore EM_SETSIZE, WM_SETWINDOWTEXT, any non-essential messages. It's hardly a trivial task, though, and it'd have to be done per-app, in which case re-writing the code to not call DefWindowProc on WM_TIMER or any other callback message would be cheaper.

That, and the whole thing becomes moot if I create two passthrough DLLs, user32 and kernel32, the former patched with a handy dandy backdoor, the latter with a patched LoadLibrary() call to prevent apps from loading the unpatched versions directly out of the system directory.

Re:Fixability

[Wrexen]

Check again, WH_GETMESSAGE filters are explicitly allowed to modify messages

Quoth MSDN:
The GetMsgProc hook procedure can examine or modify the message. After the hook procedure returns control to the system, the GetMessage or PeekMessage function returns the message, along with any modifications, to the application that originally called it.

This includes modifying the message parameter itself (set to WM_NULL, WM_GETCHICKEN, etc.)

Re:Fixability

[glenebob]

PostMessage puts a message on the queue whereas SendMessage skips the queue and gets handled straight by the application without examination.

PostMessage() always puts the message in the queue. SendMessage() tries to bypass the queue, but that only works when sending to the same thread. If you SendMessage() to a different thread (or process obviously), the message goes in the queue and the function doesn't return until the target thread handles it, so SendMessage() could be called PostMessageWait() or something, but it's historical (in Win16 it really did always make a direct call).

The writer's statement is somewhat incorrect about this. The WM_TIMER message does go through the queue, but windows apps don't generally examine messages at the queue-read level. They just use an API call (GetMessage()) to pop the next message (and ignore its contents), and another API call (DispatchMessage()) to dispatch it to the proper handler function, where all the real work gets done. In the case of WM_TIMER, DispatchMessage() is what decides what function to call (based on the second message parameter). An app could technically block it by making sure the second parameter is a valid timer handler function.

Re:Fixability

[moogla]

Moot in NT based systems, AFAIK

Re:Fixability

[Old+Wolf]

Oh yes they would; timers can only run callback functions (they can't simply set event flags or anything). Timers are used all over the place; any event that has to happen which isn't in response to some other event (this includes any animation, flashing items, etc.)

NB - It would be possible to implement animation by a thread with Sleeps, but you have to be pretty gay to make a whole thread just for that

SD3, eh? Sounds suspicious.

[mbourgon]

[Scott Charney, Microsoft]
We're doing this thing called "Trustworthy Computing." It's an evolving concept. We've come up with our new paradigm, SD3[...]

A-ha! It's just a small leap to go from SD-3 to SD-6. Insert joke about covert evil organizations here.

Yes, it's funny. Laugh.

Read the BugTraq replies first

[pbemfun]

Before jumping to conclusions, read the reply to the "vulnerabilities" on the BugTraq mailing list here. Doesn't look like its something unknown to the public and its really more of a vendor problem, not MS one.

Re:Read the BugTraq replies first

[Ooblek]

I agree this is more of a vendor specific problem. The messages he is talking about handling can be overridden or ignored. Many developers use a wizard-generated framework to start their projects, which is probably where the example program fits into his exploit. Also, his assertion that it is unfixable is a bit premature given that the author has likely not seen the source code. Looks like someone trying to get their name out there as some sort of "security expert".

Maybe he doesn't know this, but DDE (Dynamic Data Exchange) uses this same method for inter-process communication. Its not used much anymore since it is rather slow, but some apps still do it for backwards compatibility. As with any communication mechanism, you have to check for buffer-overrun exploits as well as a multitude of other exploit areas.

Devil's Advocate...

[d_force]

It seems this exploit allows local users to escalate their privelages through processes running as LocalSystem. So, I could either do this or open up the system, take out the hard drive, re-write the OS, and put the drive back in the system. Yes, these problems do exist when you're forced to trust local users.

Simple fix: require each user to wear a straightjacket with their legs and arms bound to the chair; have them type via the mouth-to-pencil-to-keyboard method.

Re:Devil's Advocate...

[Algorithm+wrangler]

But as long as M$ allows E-Mail clients and even Media Players to execute random code at will, the "local user" is a matter of definition.

Re:Devil's Advocate...

[shannara256]

> Yes, these problems do exist when you're forced to trust local users.

Did you read the article? It's not only local users, it's all users. If you can get to the GUI, see a window that was RUNAS LocalSystem, and run a program, boom, you're more super than the superuser himself (the administrator). This applies to Terminal Services, Citrix, Remote Desktop, all of it. NOT just those who are actually at the computer.

> Simple fix: require each user to wear a straightjacket...
Yeah, because that makes sense in an environment where the users need to be able to use the workstations...

But, as others have pointed out (Otis_INF and cperciva, that I've seen so far), you shouldn't be able to see windows that were RUNAS LocalSystem... that's the fault of the application developers (Network Associates in this case), and not so much Microsoft's fault.

-Jason-

Don't Do That

[cperciva]

This "vulnerability" only effects poorly-written applications, running with system priviledges, which create windows in user-space.

You're not supposed to do that.

If you want to have a service which is user-configurable, create two separate programs (one service & one gui) and communicate via a named pipe.

This isn't a flaw in the win32 API. This is a flaw in some applications which run under windows.

Re:Don't Do That

[Rick+the+Red]

Exactly! You could write a similarly flawed Linux application that someone could exploit to gain root access.

Some Windows apps are not secure. News at /.

Re:Don't Do That

[rjh]

This isn't a flaw in the win32 API. This is a flaw in some applications which run under windows.

No to the former; yes to the latter. The reason why this is a critical flaw in the Win32 API is because it means that in order for code to be secure it is essential that every existing piece of software be carefully checked to make sure it separates interface from back-end.

If you're talking about a large enterprise installation with lots of closed-source apps and a vendor turnaround time on security issues which runs into the months--and there are a lot of them out there, make no bones about it--then your boxes are at critical risk. In that case, you're essentially guaranteed to have at least one app an attacker can root the box through. Sure, it may be the app's fault for not separating interface and back-end sanely, like most of us who give a damn about good engineering learned (sometimes the hard way)... but it's also the Win32 API's fault for not requiring separation of interface and back-end [*], it's the Win32 API's fault for being so shoddily designed that an attack like this becomes possible in the first place.

A good analog in the UNIX world is sprintf(), which has been responsible for more stack-smash attacks than probably any other thing. Even though we have snprintf(), most people don't know snprintf() exists or why it should be used. Like the Win32 window exploit, our sprintf() vulnerabilities will continue for as long as people write stupid code. Like the Win32 window exploit, we can't fix the problem by removing sprintf() [**]. All we can do is provide snprintf() and hope and pray that people use it.

sprintf() is a flaw in the UNIX/C API which has led and continues to lead to attacks against the system, facilitated by stupidly-designed software which uses the call even when snprintf() is available. sprintf() can't be removed without breaking literally thousands of stupidly-written apps which depend upon it.

This Win32 attack is a flaw in the Win32 API which has led and continues to lead to attacks against the system, facilitated by stupidly-designed software which doesn't separate interface and back-end. This Win32 attack can't be removed without breaking literally thousands of programs.

Hey, guess what, world? We've found Win32's version of sprintf(). Oh, happy day.

My condolences go out to any security engineers working in Win2K land. You guys have got your work cut out for you minimizing this exploit.

[*] Not that I have any idea how they could do this.
[**] sprintf() is defined in C89. Good luck getting rid of it.

Re:Don't Do That

[geekoid]

"you're not supposed to do that" is a poor security model.
its a fact that someone, many someones actually, will write poor code. It is a flaw in the OS that lets this happen.

Re:Don't Do That

> This "vulnerability" only effects poorly-written applications, running with system priviledges, which create windows in user-space. You're not supposed to do that.

You mean, like antivirus software?

Almost all programs on Windows have an integrated MVC design - I can't think of one that uses your (better) separated M/VC design. This is a flaw in more than "some" applications.

Re:Don't Do That

[Wakkow]

I'm not a 1337 coder and don't pretend to be one so please excuse my ignorance.. What exactly is the exploit with sprintf? I've never used it but now you've sparked my curiosity.

Anyone have any links or posts describing the issue would be appreciated.

Re:Don't Do That

[Heffe+Llama]

Even if they are not supposed to do that, I suspect that this could even happen with the CTRL-ALT-DEL handler that Microsoft put in, write a program that sends CTRL-ALT-DEL, then wait a few seconds, get some window handles and then have fun.

Re:Don't Do That

[handorf]

How dare you have a reasonable opinion on slashdot! My army of trained flamemeisters has been dispatched to beat you about the head and neck with copies of "The Road Ahead"

Windows is insecure. Linux is insecure. PROGRAMS are insecure.

Re:Don't Do That

[cpeterso]

sprintf() is defined in C89. Good luck getting rid of it.

Why not? GNU prides itself in being "not Unix" and has been known to write code with identifiers like POSIX_ME_HARDER. Why can't glibc help make the world a better place by dropping dangerous functions, such as gets(), sprintf(), strcpy(), strcat(), etc. Safer alternatives to these functions exist and their use should be forcefully encouraged.

If glibc does not want to break source compatibility so drastically, they could move the dangerous functions to a new header such as "bufferoverflow.h". Or require the user program to #define GNU_BUFFER_OVERFLOWS_PLEASE before including stdio.h.

Sure this makes porting to GNU slightly more difficult, but I think GNU can pull this off because they have enough clout with developers and no profit motive to worry about!

Re:Don't Do That

[donutello]

In fact the response from the MS guy in his article read:

It is the implementer of a program that decides what messages to handle
and how to handle them. This also means that an attacker needs to
figure out a way to use windows messages to actually get the application
to do anything useful to the attacker. Given this, I would recommend
that you contact the program's owner and let them know of your report.
There may or may not be a vulnerability for them to address, but the
program's owner should determine that.

But somehow, the author managed to read the paragraph before and after that while ignoring this. The bottomline is that it is up to the app author to react to messages and whether or not they do is a matter of design.

Re:Don't Do That

[mojumbo]

--- From the Paper ---
The simple fact is that Microsoft KNOW that they cannot fix these flaws. The mechanism used is the Win32 API, which has been fairly static since Windows NT 3.5 was released in July 1993. Microsoft cannot change it. The only way they could stop these attacks is to prevent applications from running on the desktop with privileges higher than those of the user logged on. Microsoft believe that the desktop is a security boundary, and that any window on it should be classed as untrusted. This is true, but only for Windows, and because of these flaws. Either way, Microsoft break their own rules; there's numerous windows on a standard desktop that run as localsystem. Use my shatter tool to verify this - there's a whole load of unnamed windows which might be running as Localsystem, and a few invisible windows (like the DDE server) that definitely are. Security boundary my arse.
------ (emphasis mine)

When ms quits writing desktop apps that are vulnerable, I guess everyone else will follow suit?

Re:Don't Do That

[_Sprocket_]

If I understand the issue... sprintf() has no sanity checking. So anything that uses it becomes a potential buffer overflow vulnerability. In fact, this article on buffer overflows and countermeasures mentions sprintf() and a few others (such as strcpy, strcat, gets) which are common sources of this kind of problem.

Re:Don't Do That

[_Sprocket_]

You must LOVE the old joke:

patient: Doctor, it hurts when I do this.
doctor: Well then, don't do that!

Re:Don't Do That

[ocie]

From the article:

Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it.

Re:Don't Do That

[_Sprocket_]

Wow! You're getting some great experience. You've learned how to do something, how experienced coders know how to do it better, and how much of the world views security issues as so much distraction that gets in the way of the real task at hand. ;)

Re:Don't Do That

[bwt]

sprintf() can't be removed without breaking literally thousands of stupidly-written apps which depend upon it.

Isn't this precisely the set of programs that need to be broken, so they don't allow root?

Re:Don't Do That

[ChrisPaget]

Actually, probably not - I researched this when writing Shatter. When you hit CTRL+ALT+DEL you actually switch desktops from the "Default" desktop to the "Winlogon" desktop. A program on one cannot interact with a program on another. There are functions to "open" a desktop and interact with it - however the Winlogon desktop is tightly restricted, and any attempts to open it are met with an Access Denied error.

Either way, there's numerous windows (normally hidden) on a standard desktop that run as localsystem - it's possible to exploit some of them using the same techniques.

Re:Don't Do That

[pclminion]

Why can't glibc help make the world a better place by dropping dangerous functions, such as gets()

Because that's ANSI/POSIX standard.

sprintf()

Because that's ANSI/ISO/C99 standard.

strcpy()

Because that's POSIX/ISO standard.

strcat()

Because that's POSIX/ISO standard.

Are you done ripping on GNU now?

Re:Don't Do That

[Shimmer]

Either way, there's numerous windows (normally hidden) on a standard desktop that run as localsystem - it's possible to exploit some of them using the same techniques.

Examples, please. Having a GUI that runs with elevated privileges like this is a very bad idea. I'm surprised that there's even one such commercial product, let alone many. I credit you with uncovering this shoddy application, but I still cling to the hope that it's unusual. Am I wrong?

-- Brian

Re:Don't Do That

[jdh28]

I believe that gcc already warns about gets.

john

Re:Don't Do That

[DunbarTheInept]

The following code has zero chance of having a buffer overflow, yet you want to have me replace it with an ugly mess of seperate calls because sprintf can be abused by ignorant coders:

char strVal[120];
int val1;
.../*then, further down somewhere*/...
sprintf( strVal, "val is: %d (decimal), %x (hex), %o (octal)", val1, val1, val1 );
There's no way for that to overflow the allotted 120 chars. No way at all. Yet you would take that away. Why?

If it is your goal to prevent all possible programmer mistakes then just delete the compiler from the system. It's a quicker means to the same ends.

Re:Don't Do That

[poot_rootbeer]

Who is this GNU you speak of? Where are there offices located?

Re:Don't Do That

[bnenning]

There's no way for that to overflow the allotted 120 chars. No way at all.

Sure about that? What if it runs on a system where an int is 128 bits? If your answer is "that will never happen", consider that that same logic led to billions of dollars spent fixing Y2K bugs.

yet you want to have me replace it with an ugly mess of seperate calls

snprintf(strVal, 120, "val is: %d (decimal), %x (hex), %o (octal)", val1, val1, val1 );

Re:Don't Do That

[cperciva]

use a pipe. Oh wait, thats only available in linux...

Err, pipes have been in Windows since NT 3.1, in August '93.

Re:Don't Do That

[jelle]

As is indicated at the end of the article, a Linux application running with system priveleges can create windows anywhere with no implications for security. Creating X11 windows does not give any other process any execution rights, but with Win32 and this shatter program it does.

Re:Don't Do That

[cant_get_a_good_nick]

Do a google lookup on "sprintf exploit" and you'll get a host of vulnerabilities. It's basically a stack smash.

Local variables are on the stack. Say you have some command, and it takes some input from a user, say a command line arg, environment variable, or from a file. In C, all local variables are on the stack. Say you want to sprintf that arg to a buffer on the stack, but assumes a size and never checks it. Then that data will overwrite the return value on the stack. When that function returns, it will not go to the old return address, but some other address that was in the buffer that sprintf wrote too. If you do this right, that return address will go to exploit code.

It's no more exploitable on UNIX than anything else, it's just what can you do with it? If the app taking the input is running as root then you can get root privileges.

Re:Don't Do That

[DunbarTheInept]

snprintf() isn't standard. I can't trust that it exists in any randomly chosen C environment. So you replace a theoretical future problem (128 bit ints) with a real existing problem today that renders the program uncompilable.) If that is a concern, use format-width specifiers for the values in the string, which is something that exists for both sprintf and snprintf. Truncating the string to 120 chars doesn't actually produce a usable result (it cuts off the last part of the string) if you are working with numbers large enough to need it.

So introducing snprintf doesn't fix a damn thing. It just destroys portability.

Re:Don't Do That

[DunbarTheInept]

if there is a real possibility of overflowing the 120 chars, then snprintf still isn't really a solution. It just prevents overflowed buffers, while letting the program happily continue under the delusion that it got the right result in the string.
If there really is a chance of overflow, then the length of the buffer has to be calculated and malloc'ed anyway for a correct result, whether dealing with sprintf of snprintf.

Re:Don't Do That

[mabinogi]

from MSDN:

Named Pipes

A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. All instances of a named pipe share the same pipe name, but each instance has its own buffers and handles, and provides a separate conduit for client-server communication. The use of instances enables multiple pipe clients to use the same named pipe simultaneously.

Any process can access named pipes, subject to security checks, making named pipes an easy form of communication between related or unrelated processes. Named pipes can be used to provide communication between processes on the same computer or between processes on different computers across a network.

Any process can act as both a server and a client, making peer-to-peer communication possible. As used here, the term pipe server refers to a process that creates a named pipe, and the term pipe client refers to a process that connects to an instance of a named pipe.

Re:Don't Do That

[mabinogi]

>use a pipe. Oh wait, thats only available in linux...

or Solaris, or BSD, or Tru64, or AIX, or any other operating system that implements popen().

And Windows NT based operating systems have a related technology called Named Pipes, which work a bit more like local sockets, but can still be used to achieve the same goal.

Re:Don't Do That

[plaa]

Why not? GNU prides itself in being "not Unix" and has been known to write code with identifiers like POSIX_ME_HARDER. Why can't glibc help make the world a better place by dropping dangerous functions, such as gets(), sprintf(), strcpy(), strcat(), etc. Safer alternatives to these functions exist and their use should be forcefully encouraged.

Actually, they warn about it for some functions. When compiling the following code:

#include <stdio.h>
int main(void) {
char buf[1000];
gets(buf);
printf("String:%s\n",buf);
return 0;
}

you get the warning

/tmp/cceHZ8M1.o: In function `main':
/tmp/cceHZ8M1.o(.text+0x14): the `gets' function is dangerous and should not be used.

even without the -Wall flag. It compiles, so it doesn't break anything, but warns that you're doing something stupid.

I guess the reason this isn't done for sprintf is that you can use that safely, as long as you make sure the buffer is long enough not to be able to overflow. gets() on the other hand is always dangerous.

I'm not sure whether there is any option to make it warn about sprintf also, but it would be simple to make a header that makes it impossible to use such functions. Of course, the coder must include that header/option to use the protection.

Re:Don't Do That

[Old+Wolf]

Well, some functions don't provide sanity checking and some do. The advantage of C is that you can select a function that runs as fast as possible (and isn't slowed down by bounds checks).

If you program in C then you MUST understand exactly what the upshot of each of your statements will be, otherwise you are liable to write insecure code.

sprintf() and strcpy() are useful sometimes, for example:

char buf1[16]; char buf2[16];
buf2[sizeof(buf2)-1] = '\0';
strcpy(buf1, buf2); /* or: sprintf(buf1, "%s", buf2); */

is perfectly safe. No possibility of error. It will run faster than if the third line were

strncpy(buf1, buf2, sizeof(buf1));

and much much faster than

snprintf(buf1, sizeof(buf1), "%s", buf2);

On the other hand, gets() has no possible secure usage that I can think of. Nevertheless it can be useful in learning C (if only as a way of introducing the topic of buffer overflows!)

Re:Don't Do That

[gorf]

...numerous windows...run as localsystem...

Of which software? Something that comes with Windows, other Microsoft software or third parties?

I haven't seen this mentioned anywhere. Yes, it's a serious bug in Windows because it lets you do that. But if Microsoft are doing it themselves then they can hardly yell vendor-issue, so if this is the case then it's far easier to claim that it's a serious Windows bug.

Re:Don't Do That

[cpeterso]

The gist of my rant was that GNU glibc should not worry about maintaining compatibility with DANGEROUS and BROKEN "standards". They can do better than the standards!

What about *other* resources?

[Tablizer]

GUI Windows are only part of the problem. Ideally, one should be able to limit the sections of disk and RAM that are used, and also how much disk and RAM are used.

Why fuss about just the GUI? There is more to applications and security than GUI's.

(It would be easier to clean off old apps if we could limit their installation range.)

Re:What about *other* resources?

[DunbarTheInept]

The fuss of the GUI is because the default handlers for the GUI WM_TIMER messages is exploitable. Using it one can cause the process attached to that GUI context to jump to any arbitrary instruction in its code. This bug occurs whenever a program has any GUI of any kind and doesn't override the default exploitable behaviour of this type of message that is *built in to Windows*. It's one thing to blame the app when the app added code that caused an exploit. It's something else entirely to blame the app when the app didn't add code to override the exploit in the default system it runs on top of.

Re:What about *other* resources?

[MadAhab]

Not a windoze programmer, eh? Windows and messages are central to the programming model. The number of exploitable progams is going to be either a) only insecurely written programs or b) at least one program on every computer or c) this guy really doesn't quite get it and is hyping something that's not commonly exploitable. I don't understand the attack well enough (yet) to know if it's c) or not, but i do know that there's no pragmatic difference between a) and b).

Re:Is this really a security risk?

[Marx_Mrvelous]

This is a huge risk. As any security administrator knows, more security breaches come from within a computer network than from without. Even if computers are locked in a computer room, what about the desktop machines? We currently use profiles to prevent people from installing unlicensed software. But with this exploit, that probably would not be very hard. This is a huge problem in Windows.

Evolving Concepts at Microsoft are Frightening

[guttentag]

We're doing this thing called "Trustworthy Computing." It's an evolving concept.

It starts out meaning "We are worthy of your trust."

Then it evolves to mean "You trust us."

Then it evolves to mean "You trust only us."

Then it evolves to mean "All your base are belong to us."

Re:Evolving Concepts at Microsoft are Frightening

[rseuhs]

Actually, the most important part of Microsoft-trustworthy computing is:

"We don't trust you."

Re:Is this really a security risk?

[topham]

A user opens a damn attachment, which you've told them not to do a hundred times, but one of them does it anyway...

No problem right, the attachment runs as that user and the damage is restricted? Only it isn't, because the attachment escalates itself to localsystem privledge and now starts really screwing around.

With any luck it drops itself on the network somewhere and some other soul mistakenly runs it and it gets domain privledges...

Re:Is this really a security risk?

[sysadmn]

Read the article. This is an escalation-of-privileges attack. Very few businesses give every user 'root' on their desktop. Now Microsoft has done it for them.

Re:Is this really a security risk?

[Slynkie]

The fact that it may require an attacker to be physically in front of the computer is the -point-. As others have mentioned, it's a matter of being assigned a certain (low) level of access, and giving yourself a higher level. Sort of equivalent to a local root exploit under un*x.

Think of the "Family Computer". Mom + dad put some content blocking software on it in order to block their son/daughter from accessing some particular type of content on the web. Mom + dad also install, to use the example from the white paper, anti-virus software.

Little billy logs in as himself, uses the shatter exploit to give himself admin privledges, and disables the content blocker.

At least, that's the way I understood it...

(btw, if it was me 15 years ago, I'd probably lock out mom + dad's accounts just for kicks, but that's besides the point.)

Re:here we go

[Rick+the+Red]

Even if M$ could take all of its employees off the Office, X-Box, and every other project, and put them to work on a new OS, it would be months before it could be released, and more months before there were any applications for it.

Microsoft isn't stupid. Even they know the best way to kill a project is to put too many people on it. The solution to your supposed problem (it's not as bad as everyone here hopes, and does not require Microsoft to write a new OS from scratch) would be to put together a cross-functional team to develop a new OS architecture, then spec the new APIs for that new OS. Then you bring in the Office guys, and have them write a version of Office for the new APIs, while you have the Windows guys (or whoever) write the new OS. But it'll never happen, because there's no need to do it.

Re:Is this really a security risk?

[Abcd1234]

Bull. Local exploits are just as important to avoid as remote ones. Anyone who thinks otherwise has their head in the sand. Ignoring the proliferation of remote exploits on the Windows platform, the fact is, people want to run multiuser systems on Windows-based networks (why do you think Microsoft rolled TS into their main product line? To promote this very thing!) And the minute you start allowing multiuser access like this, local exploits become a real concern. Imagine you're running a University using TS and a bunch of thin clients, and you happen to have a cracker enrolled in your program? The point is, in this sort of environment, you CAN'T trust the user, and so you can't take the chance that a local exploit could leave you vulnerable.

It's not even this hard

[leshert]

If you have physical access to the box, there are n ways to get your code executed in a Windows app. WM_TIMER (the callback version) is one, as are window hooking, CBT hooks (computer-based-training, although I've never seen it used for this purpose) forcible DLL loading (if you have access to the Registry), debug process attachment, CreateRemoteThread, thunking well-known DLLs (which is why Red Alert 1 won't play on Win2K without a patch--they can't thunk kernel32), etc., etc., etc.

Windows programmers have been using these methods for non-evil reasons for many years--the "3D look" of MS Office apps before Windows 95 was done this way.

The insecurity of the desktop model for Windows shouldn't surprise anyone. It wasn't designed to be secure OR multi-user, and patching after the fact doesn't make it so. It's comparable to complaining that telnet and ftp send passwords in clear text. Well, no kidding, they weren't designed to be secure, so they're not.

And like the case of telnet, making a secure but still 100% backwards compatible solution is pretty much impossible, as the article states.

Re:It's not even this hard

[NanoGator]

"The insecurity of the desktop model for Windows shouldn't surprise anyone. It wasn't designed to be secure OR multi-user, and patching after the fact doesn't make it so. It's comparable to complaining that telnet and ftp send passwords in clear text."

Oh I agree. I don't think fixing this would provide much 'security' anyway. The main reason that Windows gets beat up by trojans is not so much flaws in the system, but clever ways of executing features in malicious ways. The problem is never ending. The more features you add to any product (not just computers), the more ways you have of exploiting them in a negative way.

Look at Slashdot. Lots of steps (such as filtering the HTML...) are taken to keep trolling to a minimum. But, they still get through. As a matter of fact, somebody recently posted the Goatse pic in ascii. Heh.

The best approach you can take towards 'security' is to make the worst case scenario cause minimal damage. That's essentially what Slashdot has done with the karma system. People are always going to come up with amusing ways to use /. in a way that they shouldn't, but at least moderations help keep the noise level down and filterable. Frankly, I think this is a much better approach than trying to 'secure' Slashdot by trying to write an 'ascii-art detection algorithm'. (That's just an example, don't beat me up over it.)

In an ideal world posting a rule saying 'Dont post notti pictures' would be the end of it. In the real world, people think the problem should be solved by making the system incapable of displaying notti pictures. The best thing to do is to make the display of 'notti' pictures as unthreatening as possible.

Re:Is this really a security risk?

[Abcd1234]

Sure, you can't run unauthorized software on the servers. But what about fun stuff like packet sniffers and the like? Remote exploit tools? I could go on. The fact is, there's a TON of malicious code you probably don't want a regular user to be able to run from INSIDE your network.

Yes, but who's fault is it? Not MS'!

[Otis_INF]

When I put a service on Win2k, running under 'System' and that service listens to a port and executes all the crap that is posted to that port, is it MS' fault? No. It's the fault of the developer of the service.

Now, under win32, the application you start, runs under the user you log in with. The virusscanner window in the example, SHOULD run under the user that is logged in, but instead, it's a GUI created from the service, running under 'System'.

Bad programming. Not from Microsoft, but from the Virusscanner developer. They should have created, AS stated by MS, a GUI less service (the virusscanner engine) and a GUI application which talks to that service via a named pipe or any other process communication mechanism. That GUI should then be started by the logged in user (since that user sees the gui and works with it), so there wouldn't have been ANY flaw like this, since the GUI isn't ran under 'System', but under the user who's logged in, in the example the 'guest' account.

It sounds serious, it's absolutely nothing.

Oh, and it takes a local user to exploit it. Get a huge hammer and give it to the local user. Ask that user to smash the computer. There ya go, a DoD attack which isn't fixable, you can get that attack-script at any hardwarestore.

Re:Yes, but who's fault is it? Not MS'!

[MORTAR_COMBAT!]

you're trying to say that a normal user can't bring up any MS-owned windows that run as system? you've gone through every app that MS ships, and all the dialog boxes, and none of them run as system?

Re:Yes, but who's fault is it? Not MS'!

[jasen666]

Log onto your w2k box as "guest". Open the "computer management" window. Go down to users and attempt to add a new one. The dialog opens up. Yes, even guests can at least open the dialog. This dialog runs as system. I can use this exploit now. Thank you.

Re:Yes, but who's fault is it? Not MS'!

[IWasNotMe]

I'm not sure how you determined this, but on my computer the "New User" window on my system is put up by mmc.exe, which is being run by me.

I verified this using Spy++ (from Visual C++) and Proccess Explorer (www.sysinternals.com).

Re:Yes, but who's fault is it? Not MS'!

[Doomdark]

that service listens to a port and executes all the crap that is posted to that port, is it MS' fault?

One more commenter who didn't even read the article aren't you? The exploit doesn't require app to blindly trust the user. App unfortunately does trust Windows API not to do stupid stunts like allowing certain messages (that may or may not originate from another app -- there's no way to tell either way!) to get to execute stuff without app having a clue as to what hit it. It's like opening a socket for doing basic network communication and Windows API allowing certain pre-determined 'helper' messages to be handled by OS before your app has any say to handling.

You are of course right about UI separation part -- as long as Microsoft really has made it totally clear that's what has to be done, for the security reasons article explains.

And as to needing a local user... yes. It's not a perfect remote hack. But that hardly invalidates the claim this is a serious issue, esp. for certain applications.

Re:Yes, but who's fault is it? Not MS'!

[rseuhs]

Everytime some issue surfaces on Windows, numerous MSFT-shareholders ^W -supporters come out of the woodwork and scream "It's not MSFT's fault! It's not MSFT's fault!"

First, why should *anybody* care whose fault it is? This reminds me of the Code-Red fiasco. The Windows-shills are not interested in solutions, the only thing they are interested in is that their sacred, worshipped Microsoft is not blamed. (Pretty good illustrated by the "smash computer with huge hammer" - exploit.)

Second, if Win32 is the only affected platform, maybe, just maybe it's MSFT's fault after all. But (see above) it's irrelevant whose fault it is. It's obviously a Win32 problem and a very good reason not to run a Win32-platform, no matter if Microsoft, evil hackers, CowboyNeal or the bad weather is to be blamed.

Re:Yes, but who's fault is it? Not MS'!

[Jerry]

it sounds serious, it's absolutely nothing.

Which is exactly why MS boxes get hammered over and over and over, or they act as platforms for DoS attacks over and over and over.

It's not the drunk's fault, someone keeps putting curves in the road.

Re:Yes, but who's fault is it? Not MS'!

[Tony-A]

So if someone figures out a major Linux exploit (which is about as likely as a MS exploit
Actually minor Linux exploits seem to be less likely than major Microsoft Windows exploits. Or maybe the Linux exploits seem to fizzle out and accomplish little or nothing.
Party line on /. "He don't know us do he?"
In this case, the guy is specifically taking advantage of sloppily coded third party apps.
Remove the sloppily coded third pary apps, and what is left?

Re:Yes, but who's fault is it? Not MS'!

[Tony-A]

But you can't blame MS when the shitty admins are really at fault for not installing the patch.
Oh, but I can and do blame Microsoft.
It took three days after the outbread for a search for CODE RED to return any results from microsoft.com. If Microsoft were minimally concerned about security, results would have shown up much more quickly.
I can, from my Microsoft Windows NT workstation, download the current RedHat fixes. From priority.redhat.com if I'm interested enough to login, or from redhat, or from the mirrors. These all tend to be rather informative as to just what is in the fixes, so I can make informed decisions as to what to download and what to install. I haven't tried the other way round, but I'd be rather surprised if it would work.
Personal Web Server is hardly advertised as requiring skilled administrators to install, set-up and maintain.

Re:Yes, but who's fault is it? Not MS'!

[MORTAR_COMBAT!]

i'll have to remember that when the next discussion of God's existence comes up. also, he was the one making positive statements (this is not MS fault) meaning, if that's the statement he wants to make, burden of proof, logical or otherwise, is on him.

Re:Take control?

[Steve+Franklin]

Depends on what you mean by "bad hardware." If you mean hardware that XP hasn't been well designed for, you may be right. I have had similar problems, specifically, an external serial modem that XP loses track of when I reboot, and a SCSI card it intermittently loses the driver for. I haven't had the kind of constant crashing I had with 98SE--but considering how long this series of OSes has been around, that's not saying very much--and I do have to reboot every now and then because it loses track of the location of the IP address server. Don't even get me started on why they rewrote the USB part of the OS so every USB equipment manufacturer had to extensively rewrite their drivers.

Get back under your bridge.

Re:Is this really a security risk?

[irix]

I've got news for you: local priviledge escalation exploits are still exploits.

Sure, it isn't as serious as a remote exploit. However, if you take the stance that once a user logs on to your system then you are 0wned, you don't have a real multi-user O/S. What is the point of having multiple user accounts with priviledge separation if you don't fix local exploits? Would you give every user on a system you admin root (Adminstrator) privs?

The fact that Microsoft is dismissing a local priviledge escalation as "not a problem" just tells me they still don't understand how to make a real multi-user enterprise O/S.

no, no.....

[Lord_Slepnir]

Their EULA reads "Essentially, you will allow us to take control of any window on your desktop." Glad I could clear that up.

High opinion

[timothy_m_smith]

Here is what the author had to say about himself at the end of the paper:

Foon, AKA Chris Paget, first started programming on a ZX81 at the age of 4. He's been working with computers for longer than most of the bosses he's had. After extending a BBC B to include an ADC capable of filling the machine's memory in less than 2 seconds and scaring the cleaners with automated voice warnings when they entered his room, he got bored and moved onto PC's and Windows, where the majority of his skills lie. Able to program in 23 languages on 14 platforms, Foon takes an average of 3 days to learn a new programming language. He's currently available as a freelance security consultant - his CV is available on request.

Aren't we the most important programmer ever!

Re:High opinion

He also has never talked to, nevermind had sex with, a woman. He finds that he has trouble making friends, partially because of his inability to talk about anything besides the 23 languages and 14 platforms he can program for, and the onion-like smell which lingers behind is unshaven, rarely cleaned body. In order to make up for his indescribably small penis, Chris brings up debate in favor of technologies to boost his ego such as functional programming, UNIX, and any one of the 23 languages on 14 platforms already mentioned twice before that he can program for and you can't.

Re:High opinion

[greygent]

This poster finds it narcissistic and silly that the author wrote about herself in the 3rd person.

Re:High opinion

[topham]

Actually, the conversational manner of his Paper is a nice change from the typicly dry articles of the same nature from other sources.

Oh yeah, and it fits well with his target audience.

Or did you miss that part of writting? You know the part about "understanding your audience"?

Re:High opinion

[edremy]

Forget those, try Intercal

Re:High opinion

[Corrado]

ulambda is for lusers, try brainfuck!

Re:High opinion

[Salamander]

23 languages on 14 platforms? That's odd. As recently as 6 July 2001 Mr. Paget was posting a position-wanted ad on SecurityFocus, describing his language/platform knowledge as follows:

I am fluent (if a little rusty) in many programming languages (C, C++, Delphi, VB, VBScript, various assemblers), and I am keen to broaden my skills, specificially [sic] to include Unix and x86 assembler...my Unix knowledge is far from brilliant

One can only wonder which 23 languages and 14 platforms he knows, if several of the most important ones are notable by their absence or explicit disclaimer. Of course, he never tires of telling us he's a fast learner. Maybe he has filled in some of those gaping holes in his basic computer knowledge in the last year and a bit.

Re:High opinion

[zCyl]

the conversational manner of his Paper is a nice change

If you want people to believe you are authoritative, you must speak like an authority. That's just a fact of human nature.

Re:High opinion

[stor]

Heh, I can't help imitating C3POs voice when reading that.

Cheers
Stor

Re:High opinion

[topham]

Funny, I thought the facts presented dealt with that issue. Without putting me to sleep.

I've read a lot of dull papers and publications because of attitudes like that.

Or, atleast tried to...

Re:High opinion

[Tony-A]

If you want people to believe you are authoritative, you must speak like an authority.
That works if the audience is non-authoritative. They don't understand what you're saying and depend on your authoritativeness to assess your credibility.
If your audience is authoritative, the same authoritativeness is more likely to stir up hostility. Assuming the problem is real, it's surly not the only, and probably not the worst, unfixable flaw in Microsoft Windows.

Microsoft has done something about it...

[the_skywise]

It's true that once you're logged into a desktop, all apps that respond to Windows messages within that desktop are vulnerable, there are ways to secure your app from that.

Beginning with Windows 2000 (and possibly later editions of NT4), THE desktop became "Desktops" and they all run in their own space with their own Windows messaging stacks. "Desktops" cannot request window handles from other "Desktops" so this exploit is stopped. All Screensavers will be spawned into their own desktop, so that they can't affect running apps.
All apps can be set to run in their own "Desktop" as well. But it has to be proactively designed that way IN THE PROGRAM. The operation is not by default, and users cannot specify that apps run in their own space. (AFAIK)

Secondly, the documentation for making use of this feature doing so is (as usual) very fuzzy and poorly written.

It is also still possible to develop a ring 0 DLL which can query the existing desktops, get the desktop handles, and then query windows from within them.

Window "shattering" utilities

Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages.

Without this "flaw", programs such as RtvReco which automate closing dialogs and sending text, etc., would not exist. In fact, 4 years ago (gosh, its been a long time), at the curious age of 12, I wrote an extensive software suite to mess around with other applications' windows. Since then others have caught on -- Password Revealer, anyone?

I can't share my work because of bandwidth problems, but it was indeed groundbreaking. Through raw HWND handles or Microsoft's (or my own version) of the WinFinder control found in Spy++, one is able to select any existing window in the system. Arbitrary messages can be sent or posted. One can draw pixels over windows, enable disabled controls (as often found in shareware), send text to edit controls (I developed a simple scripting language to automate this process), right/left/middle/double click at any position (useful in closing annoying dialogs, like the dialup reconnection message for those on 56k), and even move or kill any window one choses.

As for the vulnerability itself...its well worth the read. Basically, shellcode is injected into an edit box by removing the CEdit's length restrictions. This is a valuable lesson to all Windows programmers out there -- do not rely on a control's restrictions to validate data! Its as dangerous as using JavaScript to validate web forms. Always in all cases check for buffer limits in the application code.

Of course, not all flaws can be blamed on the application developer:

The final message that we're going to make use of is WM_TIMER. This is a slightly odd and very dangerous message, since it can contain (as the second parameter) the address of a timer callback function. If this second parameter is non-zero, execution will jump to the location it specifies. Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it. Silly, silly, silly...

I've only skimmed the article, but this is the first documented exploit I've heard of in my half a decade of Windows programming. But its worth mentioning that these fundamental flaws have existed since Windows 95, and Foon is correct in that there's absolutely nothing Microsoft can do about it, except ditch the current Win32 API and start anew. Guess we'll have to wait until Longhorn. -sr

Re:Window "shattering" utilities

[rabidcow]

If this second parameter is non-zero, execution will jump to the location it specifies. Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it.

Eh? But that's just not true, see the Remarks section of the docs for SetTimer:

An application can process WM_TIMER messages by including a WM_TIMER case statement in the window procedure or by specifying a TimerProc callback function when creating the timer. When you specify a TimerProc callback function, the default window procedure calls the callback function when it processes WM_TIMER. Therefore, you need to dispatch messages in the calling thread, even when you use TimerProc instead of processing WM_TIMER.

Of course, most programs will pass the message on to the default window proc if it's not specifically something it's looking for.

Re:Is this really a security risk?

[kableh]

It isnt necessarily an exploit, as he explains in his vuln-dev post: This is not a bug. This is a new class of vulnerabilities, like a buffer overflow attack or a format string attack. As such, there is no specific vendor to inform, since it affects every software maker who writes products for the Windows platform. A co-ordinated release with every software vendor on the planet is impossible.

Someone might want to mirror that site right quick

[jayhawk88]

Before the lawyers get wind of it that is.

So let's see if I've got this right...

[Mustang+Matt]

Someone high up at Microsoft is mapping a drive across the net on their XP powered laptop.

A theif grabs the laptop and takes it home, logs in as guest, gives himself administrator access, dials into the private microsoft dialup account using the saved dialup networking profile and then has access to the mapped drive and what else? VisualSourceSafe? Microsoft Passport backend?

I feel safe...

Re:So let's see if I've got this right...

[0x0d0a]

You mean the high security linux file server with an encrypted loopback filesystem preventing the exploit you're describing?

Re:Take control?

[MORTAR_COMBAT!]

completely agree. nearly ever XP and 2K blue screen i had was due to:

1) faulty hardware, e.g., bad memory chip
2) incredibly bad driver (which admittedly shouldn't crash the OS... but that's another discussion)
3) incredibly, incredibly bad software (which again shouldn't crash the OS... but that's yet another discussion)

The problem is developers not used to multi-user

[PenguiN42]

For example, the virus scan writer probably tests, develops and uses windows while logged into the "administrator" account interactively, as do most users. In Win98, it's not even a question -- you're always the "root" of the box. I'd wager that "What access could a non-administrator user obtain through our GUI/message interface?" hardly occurred to the GUI programmers for this particular virus scan software, even though their interface ran at LocalSystem (geeez).

As mentioned elsewhere, there are ways to avoid these problems: If you really need to use gui elements as administrator, run them under a separate desktop or windowstation where the interactive user can't touch it. Run the GUI interface impersonated down to a lower level, such as that of the interactive user. If you have to be administrator or local system, treat all input as untrusted, including (especially) window messages! Don't use edit box constraints as buffer limits. Don't use the default window procedure. etc etc etc.

It's true, however, that the default behavior for WM_TIMER is a pretty big security flaw (IMHO). But contrary to what this writer inaccurately claimed, you can still intercept the WM_TIMER message and handle it yourself, and any security-conscious program should never pass unexamined WM_TIMER functions to the default window procedure. This makes me start to wonder about other flaws in the default window procedures... as Microsoft wants you to think that the defaults it gives you are safe and secure. hmmmm...

Remember Folks: It may be unfixable...

[namespan]

... but it will also be illegal! So you don't have anything to worry about.

Unless you're one of those crooks who would publish the vulnerabilities to anyone but the company itself or the government, of course....

It's called Dotnet

[alext]

...or did you realize that? Sorry if I missed some irony in there.

Re:It's called Dotnet

[Rick+the+Red]

You're right! I missed that, probably because I don't consider .Net an operating system. But you could look at it that way, sure.

Virus in his code

[agrounds]

In the shatter exploit he's linking on his website, there is a virus in the sploit.bin file. It's a W32.Beavuh, and Norton Corporate flagged it immediately. So, surfer beware! It's hard to take security fame-seekers seriously when their code is trojaned.

Re:Virus in his code

[zoombat]

NAVCE picked it up on my computer too. From Virus List, the exploit gives remote access via a command shell.

Sounds to me like the whole thing might be a really bogus attempt just to root people's boxen. I guess that's what happens when we rely on "news sources" for security information.

Course it could be a false-positive, too.

Re:Virus in his code

[silentbozo]

In his notes he mentions "Yes, I know that I should have written my own shellcode."

I'd take that to mean he's "borrowed" a portion of the W32.Beavuh exploit to show that remote shell priveliges can be granted using his window messaging exploit. Of course, since this looks like it's live, I wouldn't recommend running it on a production machine hooked up to anything...

Re:Virus in his code

[kawika]

Duh! The exploit is *intended* to be malicious code that causes a buffer overrun in an application and could be used to break into a system. That's the point!

Hint to moderators: Try "Funny" next time.

Re:Virus in his code

[ChrisPaget]

Yes, an antivirus program will pick up the fact that sploit.bin contains the W32/Beavuh "virus". It's not viral - if you look at the Jill source code (where that shellcode comes from) you'll see that the shellcode is injected through the use of an HTTP header called "Beavuh". The initial shellcode parses through memory for this tag, then jumps to it. If you don't believe me, disassemble the shellcode. Failing that, get hold of a copy of Jill and verify that it contains the same "virus". In fact, I'm willing to bet that the same virus scanner will detect hk.exe as a virus, and probably a few others as well. Hell, probably even Netcat will be picked up...

Re:Virus in his code

[Clowning]

"I wouldn't recommend running it on a production machine hooked up to anything..."

Do you mean Windows or the exploit?

Re:Virus in his code

[davebooth]

Geez, guys.. He pulls shellcode out of an in-the-wild exploit and clearly says so and you act all surprised that the shellcode is picked up by AV software? Whats more he clearly states in his paper that he went looking for shellcode to spawn a command shell on a given port. Was it a bogus attempt to root the boxes he'd not have warned you first exactly what it was would he...

Re:Is this really a security risk?

[Mr.+Sketch]

Actually the attack seems to involve getting a handle to a window running in a process with higher privledges, which is trivial in windows. There is a nice function call WindowFromPoint that given a point on the screen, it returns the window handle under that point. After I have the window handle, a simple call to GetWindowThreadProcessId will give me the thread and process id that's in that window handle. After getting the process id, it's not that much more difficult to see what the userid/security class of the application is.

My point is that there doesn't have to be any user interaction at all, and that the program can determine which windows have a higher priority and escalate their privledges via this exploit. Also, it's not all that difficult anyways to just iterate through all the toplevel windows in the system (via the EnumWindows function) and check them that way instead of using WindowFromPoint.

Windows Exploit - most dangerous!

[teamhasnoi]

Look for a period by itself on the bottom left of the screen. It looks like an off-pixel. Hold down "Shift", then click on it.

Bam! Root access.

This works on the systems of the DMV, FBI, DOD, Equifax, Telephone and Utillity companies.

I couldn't believe it myself! I said, "This is so easy, even Sandra Bullock could hack this!"

Have local access? Try Locksmith.

[Futurepower(R)]

The method in the article seems like a lot of trouble.

This software provides you a new administrator password: Locksmith.

Umm...

[RadioheadKid]

Essentially, they allow you to take control of any window on your desktop

Isn't that what your mouse and keyboard are for?

Oh really?

[Osiris+Ani]

When I put a service on Win2k, running under 'System' and that service listens to a port and executes all the crap that is posted to that port, is it MS' fault? No. It's the fault of the developer of the service.

Under Windows (at least Win2K), look at your Services control and find out how many of them are set to run as LocalSystem. Most to all of them? Ah, yes. Now look at how many of those are built-in Microsoft Windows components. Most to all of them? Ah, yes.

I suppose, by this token, that it's not the fault of the Win32 API, but instead each and every Windows service that Microsoft shipped and each and every third-party service delivered post-install.

Bad programming, indeed.

--
Please do not feed or tease the trolls.

Re:Oh really?

[dzym]

I'll step out on a limb here and say that not a single one of them is set to interact with the desktop.

Re:Oh really?

[handorf]

Not to imply that those services are secure (IIS comes to mind) but I cannot think of a SINGLE one which interacts with the desktop directly. They all have management programs which go through the registry or other communication methods (Com interfaces, etc) to interact.

They wouldn't be vulnerable to this exploit.

Re:Oh really?

[Doomdark]

No, no, no. Read the article, mr. Idiot. If it was about blind execution by app, Microsoft wouldn't be to blame.

The problem is blind execution by messaging system, without apps having a say on that. Send one of useful message to app's message queue, and see it executing useful code you provide.

Re:Oh really?

[cookd]

Not blind. You can toss any message between GetMessage and DispatchMessage if you want to, including all of the messages in the mentioned article -- consider it a logical location for a firewall if you are concerned about things like this. Windows doesn't simply respond to the message for you. It is the default handler that causes problems.

Re:Oh really?

[Doomdark]

Yes, and you are just reiterating what I wrote. Even though window has higher execution rights doesn't mean it has to let anyone use it as straight launcher tool for executables. That is the problem.

There are n+1 things that are not potentially good things to do, but that shouldn't be as fatal as this one may be. Is it really unreasonable to expect that there are no glaring security holes in your platform's GUI components.

Read the article and check comparison to X-Windows to see a sane approach to handling message queue.

Re:Oh really?

[Doomdark]

Hmmh. It seemed to me, reading the article, that some messages can not be handled by app even if it wanted to (the timer message mentioned). If you are right in that app can potentially get all messages and do proper handling, then article was indeed misleading.

Apps mishandling messages it gets (like just blindly executing them) is stupid, and none of MS fault. Article didn't make it look like that is the case though.

Re:Oh really?

[Doomdark]

Fair enough... the original article apparently got that wrong, then (and I trusted writer to have checked that). I guess that's good news, but I wish authors did check basic facts, as this was pretty fundamental chain in his reasoning.

Re:Jeez

[roguerez]

Perhaps I wasn't clear. What you are saying is not my point. I mean that when you're using Windows, all Windows are yours by definition, since it isn't really multi-user, so the 'vulnerability' point is moot.

Re:Is this really a security risk?

[dzym]

For that specific instance, you disable floppy access to the computer.

Remove floppy drive, disable floppy drive in BIOS and then password it, or simply configure the ACL to not allow floppy or CD access for anyone who is not an administrator.

Re:Executing untrusted code

[handorf]

I agree that secured platofms are important. Personally, though, I disagree that Dot Net is a panacea. It is possible to write insecure apps in any language or platform, and I can assure you that some .NET apps will be given admin privs.

As long as we programmers don't make security a priority, we will continue to have badly written apps.

You know... I usually don't defend Microsoft very much, but I guess all the "ARGH! The sky is falling" stuff got to me.

This isn't really news.....aka Winbatch

[haplo21112]

There is a well know programming language for doing this....

Its called Winbatch, and its a commercial product....

It's already fixed.

[Florian+Weimer]

It's called "window stations" and "desktops". There are separate hooks, message queues and so on. In short: everything that is necessary. Maybe there are implementation flaws, maybe the interfaces are extremely difficult to program (I don't know, I haven't tried), but the design is sound.

15 minutes of MSDN browsing were required to discover this (and I spent 10 minutes on finding the entry point to the API documentation using Mozilla). Why can't people read the documentation?

Won't work because of multi threaded/process apps

[Vicegrip]

Many applications actually use Windows messages to synchronize themselves between threads and processes.

In fact, there is also an API called PostThreadMessage that will post any windows message to any win32 application (all you need is the thread handle) with a message pump.

Out of process COM interfaces using windows messages will also be broken by removing this functionality.

Microsoft's excuse that having physical access to a machine is required is abysmal.

Re:Is this really a security risk?

[bwt]

In MANY networked windows environments, the network admins do not allow end users to have administrator right on the machines on their desk. The network admins, typically MCSE's, perform a variety of admin tasks using automated tasks (either login or chron based) at an elevated permission.

not just physical access

[MORTAR_COMBAT!]

it works across terminal server, also, which means you bring in a terminal client and plug in, get access to a user account (think there aren't any giant post-it notes of "my login/password" on half the desks in any given office?), and viola. they have rooted the terminal server and can do whatever the hell they want.

the terminal server may be behind 8 inches of steel and plexi-glass. but this compromise shatters that, too.

sprintf

[Ender+Ryan]

sprintf is severely flawed because you cannot tell it how much space is allocated for the string you are writing into. So when you call sprintf, you have to be sure that the sting you are writing into is long enouch, which in many cases is not possible.

Why this is only a Unix problem I don't understand, as sprintf is defined in ANSI C, so I would think it'd be a problem on any system with a C compiler.

Hopefully someone more knowledgeable will explain.

Re:sprintf

[handorf]

It isn't a Unix only problem. You can do the exact same thing with sprintf on any platform where you can find a version of it (e.g. almost any)

As the original poster said, snprintf is good, sprintf bad.

Re:Executing untrusted code

[fanatic]

then Dotnet will be in place and the party will be well and truly over.

yes and no. MS will (probably) eventually bring down the number of security bugs (though with their insistence on features,features,features and their gratuitous changes to APIs and protocols used to foil competition, it will never be 0 or even real low), but the real problem with Microsoft is not the stuff they do accidentally, it's the stuff they do with full knowledge and intention.

For example, if your files are in some proprietary format and you lose the right to run the software that reads that format, who owns your data? Before you scoff, remember that MS was one of the drafters and promotors of UCITA, which would/will permit software manufacturers to turn off software that they believe is not licensed correctly. (aka "electronic self help" - there are numerous ways to accomplish this even if you're behind a firewall.)

the problem...

[Pfhreakaz0id]

as others pointed out below, you should separate the parts of your service (or whatever) that need to run with system privs and have them talk to a separate GUI app (which isn't running with system privs).

The real problem is third-party apps. It doesn't surprise me that there are a TON which don't do this. There are a ton of things which just don't function when run under anything other than an account in the local admin group). I think this is a holdover from the 9x days. Hopefully, these problems are getting fewer, but I had a scanner which simply wouldn't work with a non-admin account. Tech support thought I was nuts "I don't want to do that! why not?".

the "culture" on NT/2k/xp is you are running under admin. The "culture" of unix is: Don't run as root! I would prefer to not have my usual account in the admin group and instead use a "run as" shortcut when I need it (or log in under the account). Everytime I've done this, I've gotten tired of handling all the little crap permissions and just switched my account back.).

What a load of tripe.

[Uller-RM]

I'm really, really disgusted that this even got posted. This isn't a Win32 vulnerability, it's a Virusscan vuln. (Watch my karma burn, I'm actually defending MSFT... but hear me out.)

For those of you who aren't familiar with Windows programming, here's what he's doing. Viruscan's GUI is very poorly written and doesn't check for a maximum length on a text box's input. So, he adjusts the size of a textbox using an outside program to 4GB. (Windows unfortunately allows this, since the message format doesn't include a "sender" field to check against the owner handle.) He then inserts shellcode in it, attaches a debugger to the process and searches all of memory for the start of the shellcode. Real efficient, this one.

He then sends it a WM_TIMER message to trigger it. WM_TIMER is usually sent to your window on a regular interval when you've called SetTimer(), and contains either an integral ID or a pointer to a callback in memory. So, he sends it a fake WM_TIMER, and Viruscan executes the callback blindly.

You know what, I use WM_TIMER too in my apps - but, there's two simple ways to defend against it.

if ((void *) msg.lparam != known_cb_address)
{
return false;
}

if (0 != IsBadCodePtr((FARPROC) msg.lparam))
{
go_fuck_yourself();
}

And if I'm not using it, special-case it so that it doesn't fall through to DefWindowProc().

Seriously, all this guy is doing is buffer overflowing a poorly written program to get Administrator privs. That's like claiming that glibc is insecure and should be thrown out because it has sprintf() or gets(). Ya know, I can buffer overflow a poorly written suid app too, but that doesn't make the libc to blame, nor have we published articles lambasting the GNU Project for not putting bounds checking into those functions.

This guy's just trying to sell himself, and you guys were more than helpful. Maybe I should write a system service that subclasses MSIE's WndProc with a single function that calls ExitProcess(1), and see if Slashdot will find me a security job.

Re:What a load of tripe.

[Glorat]

Sorry, I disagree with many of your comments here. While you've successfully tried to be objective without flamebait, some of the facts you have aren't true. I will try to be equally objective

This isn't a Win32 vulnerability, it's a Virusscan vuln
It is a Win32 vulnerability in that it is even possible to have this kind of elevation of priveleges by "poorly written" services. Basically, any system service that interacts with the desktop is vulnerable (virus scanners). McAfee interacts with the desktop. This is bad too.

Viruscan's GUI is very poorly written and doesn't check for a maximum length on a text box's input
It does, it has a set a maxlength of 4. Unfortunately, the vulnerability allows this to be bypassed. I'm sure the GUI will complain when you press the OK button but since we never get that far, the app never gets a chance to check the length change.

He then sends it a WM_TIMER message to trigger it... but, there's two simple ways to defend against it
That's good practice but the real problem is where you comment yourself... And if I'm not using it, special-case it so that it doesn't fall through to DefWindowProc(). It's too much to ask any app that doesn't use WM_TIMER to put in this handler in all their apps. Further, I bet WM_TIMER isn't the only message he could use to trigger code.

Seriously, all this guy is doing is buffer overflowing a poorly written program to get Administrator privs
Not any poorly written program but all desktop interactive services in existance.

Ya know, I can buffer overflow a poorly written suid app too
Fortunately, the community tends to be able to fix these things by patching the source. There is no fix for this problem

This guy's just trying to sell himself
OK, I will agree with you here... a little

Maybe I should write a system service that subclasses MSIE's WndProc
No no no... you've cheated. As a system service, you already have priveleges. The exercise of this paper was to do with with Guest priveleges

Regards,

Re:What a load of tripe.

[Uller-RM]

Every window's internal structure includes a pointer to a function called a WndProc. The function reacts to messages, and effectively defines how and what that window does.

The problem is that the vast majority of apps out there look like this, mainly since Microsoft uses this structure in their own books and help files:

switch(message_type)
{
case WM_CREATE: ...
case WM_LBUTTONDOWN: ...
etc...
default:
return DefWindowProc(hwnd, iMsgType, lParam, wParam);
}

Microsoft provides a moderately reasonable default procedure to fall out to, so that programmers don't have to write a case for every single one of the myriad standard messages.

The problem is that DefWindowProc doesn't check the validity of a code pointer before executing it, it just automatically jumps to any function specified in a WM_TIMER message.

So, without changing that function, any program that doesn't explicitly check for WM_TIMER is vulnerable... if there is a way to insert shellcode into the process' memory space. The exploit in the article can do it because Viruscan doesn't sanity-check their text boxes, so he can paste up to 4GB of material into the box, and tada.

Re:What a load of tripe.

[Uller-RM]

It is a Win32 vulnerability in that it is even possible to have this kind of elevation of priveleges by "poorly written" services. Basically, any system service that interacts with the desktop is vulnerable (virus scanners). McAfee interacts with the desktop. This is bad too.

By the same token, is it a UNIX or Linux vulnerability if I run an insecure daemon suid root and someone buffer overflows it to get root privs?

It does, it has a set a maxlength of 4. Unfortunately, the vulnerability allows this to be bypassed. I'm sure the GUI will complain when you press the OK button but since we never get that far, the app never gets a chance to check the length change.

I'd disagree with you there. Viruscan's assuming that nobody will fuck with its code (the worst mistake you can make when dealing with crackers) and that it'll never get more than 4 characters. Maybe it's just me, but I automatically check length whenever I do ANYTHING with a buffer, and usually I make a quick call to IsBadWritePtr(buf, len) or IsBadCodePtr(callbk) while I'm at it.

Yes, technically you can't prevent him from changing the text box's maxlength, short of subclassing the text box with a custom WndProc after initializing that discards said messages. But that doesn't mean you can't write your code in a robust manner.

It's too much to ask any app that doesn't use WM_TIMER to put in this handler in all their apps. Further, I bet WM_TIMER isn't the only message he could use to trigger code.

I grant you that - MSFT fucked up by writing DefWindowProc() to blindly execute a callback. However, while tricky, I don't think it's fair to say that it's an unfixable problem, or that this is any different from some of the assumptions made in glibc's functions.

Fortunately, the community tends to be able to fix these things by patching the source. There is no fix for this problem.

Yep.

No no no... you've cheated. As a system service, you already have priveleges

I was being sarcastic by that point. ^_^

Re:What a load of tripe.

[Mike_L]

The problem is that WM_TIMER is handled incorrectly by the Windows common control library. This means that every program that uses a standard Windows edit box, button, or scroll bar is probably vulnerable to this shatter exploit. Comctl32.dll IS part of Windows and hence it IS Microsoft's fault.

Re:What a load of tripe.

[jquirke]

Linux and FreeBSD don't really take advantage of the x86 ability to mark code as executable either. It's not just WinNT. Well technically the non-x86 ports do in the VM code, but the x86-specific VM code simple considers "executable" and "readable" the same thing.

No OSes these days really use segmentation to its slowness and complexity. They prefer to handle everything at page (VM) level, which really differentiates between system (ring0-2) and user (ring3) privilege levels. Also, x86 paging cannot change execution privileges on the code (this goes back to the design elements of the x86).

In order to implement something your suggesting would mean always screwing around the with GDT and LDT, and define regions in the virtual address space for each process for different purposes, in a manner which is inflexible.

--JQuirke

Re:What a load of tripe.

[dannannan]

Actually your WndProc will never be called in response to a WM_TIMER message. WM_TIMER messages are handled by a special case inside DispatchMessage, which is where the jump to the callback occurs. If you want to intercept WM_TIMER messages, you need to intercept them prior to calling DispatchMessage.

D

Re:What a load of tripe.

[Old+Wolf]

No - the problem still occurs even if VirusScan does check the size of the edit control. It occurs even if VirusScan never looks at the contents of the edit control. The edit control automatically allocates memory when it receives a PASTE message. Even if you then access the edit control and say "give me your first 4 bytes" (or "truncate to 4 bytes"), the entire paste is still in the allocated memory, which is enough for this exploit to work.

To prevent this paste you would have to either filter WM_PASTE messages (and any other messages that have similar functions), and/or filter the message which sets the maximum length of text.

Nice try

[The+Bungi]

This is very interesting reading (not). This dude is a 30-something loser wannabe hacker that throws away all measure of the respect he was trying to obtain by peppering his "paper" with 1337 speallingz like "0wn" and "sploit" to feel more in the know.

His "technique" is kidde fare, nothing any experienced Windows developer doesn't know. His whole premise is based on the idea that "running as SYSTEM" is bad - SYSTEM is designed to be used to run non-interactive services such as SMTP or MSMQ. Installing a service requires administrative rights, as does telling the SCM (Service Control Manager) to allow a given service to interact with the desktop. Microsoft's response is the one I expected to see given how long this "vulnerability" has been known. If you must run a service that interacts with the desktop, run it under a local account which can be locked down and prevented from doing specific things. If anything, this is more the AV vendor's stupid mistake than anything else.

There are tons of actual, real vulnerabilities and problems in Windows (outside of IIS), and most of them reside in the shell code. But those are significantly more difficult to get at than this.

So Mr. "Foon" has proved himself a real bofoon, showed us he sorta kinda understands the process messaging architecture and he knows how to use a debugger and, h^xx0r him, netcat. Woopdedoo!

Not to criticize the editor's "integrity" of course. Who would even consider posting this article for half a million people to see before checking the facts.

Hey, I know! I'll get a website, a kewl IRC handle like "boon", post some techie-sounding text related to some vague problem with Windows and then call it a paper.

1. Paper
2. ???
3. Recognition! Fame! Fortune! Girls! Coverage! Beer! Girls!

Re:Nice try

[demaria]

1. Paper
2. Have it spread around and read by a bunch of people, hopefully being misunderstood by all as a major completely unfixable security hole in Windows.
3. Recognition! Fame! Fortune! Girls! Coverage! Beer! Girls!

Re:Nice try

[Alsee]

Shouldn't that read Recognition! Fame! Fortune! Coverage! Beer! ?

I fail to see how post some techie-sounding text related to some vague problem with Windows is supposed to lead to girls :)

-

How do you rescind acceptance of the EULA?

[burgburgburg]

When the Windows Media Player patch came out, I installed it on a box that I sometimes use. It was only later that I found out about the DRM component of the EULA. I immediately removed WMP. But does that legally rescind my agreement?

I'm asking a legal question: does removal of the software constitute rescinding your agreement? Or if Microsoft has somewhere noted your initial agreement, is it in perpetuity? Does Microsoft permanently own that box?

Re:How do you rescind acceptance of the EULA?

[Bingo+Foo]

Or if Microsoft has somewhere noted your initial agreement, is it in perpetuity? Does Microsoft permanently own that box?

Here is where many people get confused by legal definitions and concepts of property, contracts, and so forth. Allow me to attempt to clear this up: Microsoft does not "own" your box. In legal parlance, Microsoft "0wnz j00!!!!!"

Re:How do you rescind acceptance of the EULA?

[DavidBrown]

Well, if you violate the EULA, you are in breach of contract. If you remove the software, you will be limiting your damages to the damage you caused prior to the removal. But the real question is this: Is Microsoft going to sue you? No, unless there are damages.

Is Microsoft damaged if you use their products to steal music? No, unless Microsoft gets sued by RIAA for providing software that facilitates your violation of copyright and then loses, after which they'll come after you in an action for indemnity. Until then, Microsoft isn't going to get anything from you in a courtroom because you haven't caused them any damage at all - and that means until RIAA and the MPAA sue Microsoft, you don't have anything to worry about.

Re:Is this really a security risk?

[Kraegar]

Or it drops itself in the all user's startup folder, to run silently... Then each time someone logs on it tries to copy itself out to their Domain Controller. Won't work for normal users, but next time someone with Domain Admin priveledges logs in... bam. Now they have your network.

Scripts to drop in a Domain Admin's startup folder and own a Domain are already preset in the wild. The tough part is putting them there, because you already have to own the box... using this, it's not bad.

Put those two together, along with the tunneling trick we saw in an earlier article, and suddenly you're tunneled in to a corporation's domain controller as a Domain Admin... and from there the sky is the limit.

It may just be my imagination, but...

[xA40D]

Does this particular problem suggest that Windows was not designed as a true multi-user network server OS. All apps can be accessed via a single desktop regardless of who the user is? WTF?

I started to worry about this when the Microsoft support site suggested a valid fix to get MS-Money to work was to give the user full administrator access.

Now it looks like they've built the whole API with this mindset.

Re:Is this really a security risk?

[topham]

What I liked was the response from microsoft. This program violated one of their 'laws' (of secure computing I guess) and therefor it doesn't count.

According to that philosphy no security holes count...

Re:Take control?

[Archfeld]

Man it must be nice being omnipotent. There are numerous reasons for this, maybe it was just one of the 20% of M$ boxes that improperly install for no apparent reason. Personally I kind of like WIN2k (*ducks*), but there are loads of issues that can cause the system to be very unstable, from OEM patch problems, to software driver incompatabilities, to of course as you mentioned an Ignoranus running the machine. I've seen disk rom cause XP to fail when trying to write a full buffer, which took more than 2 months to surface, and many hours of tracking down.

Might want?

[The+Bungi]

You may want to read this CNET interview with Microsoft security head Scott Charney to learn even more about "trustworthy computing."

And you might want to learn how to give a "paper" the once over (at least) before allowing fucktards like this one to root you in front of all your readers.

Re:Executing untrusted code

[alext]

Good point, but it's perhaps a little optimistic to assume that Linux will have this edge.

If MS provide the tools someone else can easily finish the job, e.g. providing a secure email program with workflow scripting, without imposing nasty stuff like proprietary file formats.

Re:Executing untrusted code

[handorf]

I wasn't speaking of your "Sky is falling" remarks but of those of others who feel that this vuln represents something new and terrible on the Windows front.

As for DotNet, as much as I like C# (after working in it for almost a bloody year now) and appreciate the easy things being easy and the hard things being possible, I'll withold judgement on it's securability until it's been around for a few years.

Lazy Programmers

[Detritus]

I don't think that it is fair to characterize the original developers of Windows as lazy. The typical PC was running MS-DOS, a primitive single-user operating system, when they were making the fundamental decisions about the architecture and design of Windows. Many of the design decisions that people like to bitch about can be traced back to what was necessary to implement a usable GUI on a grossly underpowered computer without protected memory or any semblance of a modern operating system. The Macintosh developers made similar decisions when they implemented MacOS on an 8 MHz 68000 with 128K of RAM. There is a huge chasm between a single-user microcomputer with limited RAM, CPU and no networking, and a modern networked multitasking workstation with a security model.

This is a flaw

[ChaosDiscordSimple]

At lot of people are saying that this is an application level problem and not a flaw in Windows. That is wrong.

The core result of the attack is that it is impossible for a high privilege program to display a GUI interface to a low privilege user. That is a silly limitation, certainly one that that other GUI systems like X Windows do not share. Sure, you can work around the weakness by having a low privilege GUI talk to a high privilege service over a local socket, but it shouldn't be necessary. This gross "fix" will complicate the situation, potentially opening additional security holes.

Microsoft tried to deflect the issue by hiding behind, "If the user is local to the machine, or can run his own binaries, he owns your machine." It sounds nice in theory, but falls apart when the "user" in question is actually an opportunistic virus looking to add the machine to a distributed denial of service cluster. Many corporate environments lock down the machines not for fear of user attack, but to limit the damage of viruses and other malware. If the malware can exploit this technique to gain elevated privileges, your security steps are worthless.

Ultimately, with a bit of care, a high privilege program should be able to safely interact with a user through any means, be it command line, GUI, network, or otherwise. If the operating system makes this impossible, the operation system has a flaw.

Re:This is a flaw

[Panaflex]

A comment on X:

X windows may possibly suffer from the same problem, though. Motif and AWT both use the Xt (X Intrinsics) code which does in fact use callbacks (simular to the WM_TIMER). Also, Xt allows applications to "talk" to one another through the X protocol and can understand paste from clipboards.

For an example, try running xedit and using editres to see this mechanism in action.

Though certainly, most people arn't running Xt based applications at root privelage levels... unless they're running SMIT or some other system management console.

Also, I believe it would be quite a bit more complicated to develop as Motif and AWT are complicated enough as it is.

Pan

Re:This is a flaw

[kevquinn]

It is perfectly possible to write the VirusScan thing properly in Windows. Microsoft even tell you how to do so, if you read all the stuff they've written about writing services, desktop apps and the like. Which you could reasonably expect a security software vendor to have done.

a high privilege program should be able to safely interact with a user through any means, be it command line, GUI, network, or otherwise

I disagree. It is unreasonable to expect the operating system to protect you from all possible types of badly written application. A high privilege program should restrict all means of interaction to a strict set that it can control and verify. In the case of VirusScan, the service should not be opening windows. By all means write unprivileged command line, gui, network etc applications which can use the single strictly controlled interface that the service handles, but don't expect to write the service to cope with any kind of input channel and demand that the OS protect you.

The simple (and obvious) way to write such software, is to write the privileged bit as a service (somewhat analogous to a daemon in Unix), and the GUI as a separate unprivileged user-land app. The service runs with whatever privileges are granted it, independent of the priviledge of the user logged in. The separate GUI application, running in the user space, communicates with the service by whatever method is convenient (defined strictly by the service). The service then checks all communications it receives for validity etc before processing any of it. This means that as long as the service checks its inputs properly, no malicious GUI app can force it to do things it shouldn't be doing.

The point is, Windows NT does not make this impossible. It does make it possible to write crap software that compromises security, but hey that's the case with any operating system. It's quite possible to write a 'su' replacement that doesn't check passwords, for example - there's a command line app idea that the OS won't protect you against, and it'd be handful of lines of C code.

It takes administrative rights to install the software; that's when it gets its privileges. In this case, it takes admin rights to install VirusScan, and that's when the security got compromised - the installation gave privileged rights to an application which opens windows on the user's desktop. I'm also not convinced that X isn't susceptible to the same issue; as far as I'm aware X uses a message queue to communicate between windows, the user etc - there's nothing in X to say you can't cause a buffer overflow in an application by sending it a malicious message, it's up to the application to check its inputs, and that includes its messages.

One thing this does show, is that closed-source software can't be trusted in the same way that open source can. It's a lot harder to perform a useful security audit on your system if you don't have the source code to the privileged applications you want to install. How would you determine that VirusScan violates the design guidelines for secure services, short of cracking it (which presumably violates the DMCA of course)?

Of interest, I wonder if the McAfee stuff has the same basic design flaw...

Re:This is a flaw

[Omnifarious]

Actually though, X doesn't really have this flaw.

Cut & Paste is handled very differently in X, and it's much easier to handle someone trying to paste evil things into your application. Cut & Paste is largely a set of agreements on how setting various window properties should be interpreted. X has no 'built in' cut & paste mechanism.

Also, X clear labels events that are from other processes, and not from X itself. So, in X, it's pretty easy to ignore events that are generated by other programs, not by the system.

Also, Motif, Xt, etc. all don't get the addresses of the callback to call from the X server. They look at the event stream from the X server, and decide which callback needs calling. A application that posted internal addresses to the X server and expected to get them back intact would be nieve in the extreme, and clearly poorly written. Whrereas that technique is the accepted way of doing things in Windows.

Is this the Allchin bug?

[Old+time+hacker]

Do you think that this problem is the one that Jim Allchin described as dangerous to national security?

If it is, then it seems a bit dishonest for the microsoft message author (Dave at the Security Response Center) to say that they don't consider it to be a bug.

If it isn't, then there must be another problem which is even more serious. Oh dear!

MOD PARENT UP

[MORTAR_COMBAT!]

and then mod me down. posting this one at +1 to attempt to get some attention...

um...

[sootman]

Is this just a Win32 problem? Probably, yes. The only mainstream competitor to Windows in terms of windowing systems is X windows.

*cough*Mac*cough*

Re:um...

[bnenning]

That reminds me, Mac OS X had a vaguely similar local exploit last year. If you ran a UI program that was suid root (such as NetInfo Manager), when in that program you could use the Apple menu to launch recent items as root. So launch Terminal as unprivileged user, quit, launch NetInfo Manager, select Terminal from Apple menu, and you get a root shell.

Apple released a fix within 48 hours of discovery, and as far as I know Mac OS X doesn't allow user processes to arbitrarily twiddle UI elements of other apps.

Re:Executing untrusted code

[dvdeug]

Dotnet (and Java) represent a quantum leap in the "securability" of a platform and one to which Linux has no answer

Well, Java runs on Linux, and .Net is being implemented on Linux, so we can use the same answers. Also, User Mode Linux lets you run a full environment in a sandbox, with no modification to existing programs. That's better than anything Java or .Net offers.

Re:Take control?

[1010011010]

Every blue screen on win2k pro I've ever had was a direct result of an ISAPI filter apparently crashing the kernel.

I'm not kidding. I was developing the filter, and in its early stages, it had memory leaks, dangling pointers, double free()s, etc. Blue screens! By killing the web server! Wow!

Re:Executing untrusted code

[NumberSyx]

Linux has about another two years to continue poking fun at Windows security defects, then Dotnet will be in place and the party will be well and truly over.

and

Dotnet (and Java) represent a quantum leap in the "securability" of a platform and one to which Linux has no answer

I would like to point out that Java runs just fine under Linux. The Mono and DotGNU projects are in the works, both of which will be answers to .NET . You are assuming .NET will live up to Microsofts hype and that Linux will not improve over the next 2-5 years. The past has shown, that Linux is constantly improving and that Microsofts products never live up to the hype. Microsoft has spent the last 5 years playing catch up to Linux in security and stability. They are still at least 2-5 years behind in both of these areas and I don't see this changing anytime soon.

Windows servers vulnerability

[Animats]

One big issue here is vulnerability of Windows servers. Anything that can execute code and can talk to the Windows message queue can own the box.

This is an issue for Terminal Server and for shared-hosting operations. It's also an issue if someone finds a Windows servlet with an exploitable buffer overflow. But if IIS is already running as administrator, as soon as you find a server-side buffer overflow, you're done anyway.

It's a nonissue only because Windows security already sucks.

Re:Take control?

[MORTAR_COMBAT!]

Every blue screen on win2k pro I've ever had was a direct result of an ISAPI filter apparently crashing the kernel.

your first mistake was using a kernel-privileged web server (IIS).

I was developing the filter, and in its early stages, it had memory leaks, dangling pointers, double free()s, etc.

your second mistake was writing bad code.

but i'll agree that writing bad code shouldn't crash the OS. but when you're developing on windows, that's the modus operandi (sp?). but who am i to kvetch? i learned my C code on UNIX, where i got segmentation faults, bus errors, all kinds of evil crap, and the program terminated, and the OS chugged along.

but try playing a bit with framebuffer programming on linux, and see how fast you bring down the OS :)

Don't worry too much

[p3d0]

This guy is so full of himself, I don't know how he could be taken seriously. He wants us to think he's David for MS's Goliath, and he has just discovered his sling. Well, I'll believe it when I see it.

If you have the patience to read through his smarmy instructions on how to reproduce the defect, you'll discover that he has indeed hit upon a rather serious security flaw. He then proceeds to give three strawmen--er, I mean possible solutions to the problem--and argues that since these three things can't fix it, nothing can. Well, I'm not convinced.

What if Windows' messaging were changed so that certain messages that are considered insecure (like WM_TIMER) can only be sent to windows owned by the sending process? What if the text inside an edit control were held in some piece of memory with no execute priviledges? These are two things that, I think, could solve this problem immediately, with little inconvenience to users.

Also, check out this guy's pompous letter to Microsoft, in which he states, "Since Microsoft already know about this issue, and any of your programmers will be able to replicate and verify the issue in less than an hour given the information in my advisory, I'm not prepared to wait very long." Clearly this, er, fellow has no experience in large software companies. Even good software has perhaps hundreds of defects outstanding at any given moment, at various levels of urgency, competing for developers' attention. Apparently he either thinks he's so important that he can jump the queue, or else he imagines that these armies of developers are sitting idly at their desks waiting for people like him to give them something to do.

Well, that's enough ranting. The upshot of it is, I wouldn't be too woried. He has not done a Jenga on Windows.

Re:Don't worry too much

[p3d0]

Good lord, take a look at the author's bio: http://security.tombom.co.uk/aboutfoon.html.

'Nuff said.

Re:Take control?

[dangermouse]

Pray tell, how are points 2 and 3 separate discussions? Windows XP is an operating system, ostensibly. If it lets applications throw it to the ground whenever they feel like it, then it has a serious stability problem. "But it's the apps!" is a lousy defense, since running the apps is the whole point.

This is not a commentary on XP's stability. I wouldn't know (and I have trouble believing 26 re boots in a day... that's insane). I just find your argument a little bit disingenuous.

Problems with X too?

[micahjd]

I know that the way X handles messages and the way Win32 handles messages are completely different, but there could be similar problems with X too.

Currently the X server almost always runs as root because it needs direct hardware access for accelerated video. If there were a buffer overflow bug or something similar in XFree86, a malicious X client could run code as root. This needn't even be in XFree86, it could be in an extension that isn't tested as well. For all we know, the binary NVidia drivers may be exploitable.

This IMHO is a great argument to stop running X as root and just implement acceleration in the kernel framebuffer driver when necessary.

Less tripe than you suggest.

[HopeOS]

I disagree with this assessment for several reasons. Even if the virus scanner code is junk, the attacker is successfully manipulating this program in ways that the program should not have to deal with.

1. If the program creates an edit control and specifies that the maximum input size is X, then it better stay X until it is changed by authorized code- namely the process that created it.

2. The means for fetching text out of that edit control is WM_GETTEXT. This message takes a destination buffer length as a parameter. It should not be possible to overrun the destination buffer regardless of how many characters are in the edit control. The input would merely be truncated.

3. The exploit code is most likely in the edit control's internal buffer- not the application's dynamic memory. Unless the user clicks OK or some sort of OnChanged handler has copied that data to a new location, the application has not had the chance to touch it. The attacker merely needs to guess the location of the edit control's internal buffer. Apparently, it's less difficult than one would hope.

And finally, even if none of that were the case:

4. Being able to send any message that passes a pointer across applications is foolish. I could send WM_GETTEXT or a raft of similar calls to an application and have it trash itself. The destination address could be any valid place in the target's dynamic memory. If the application attempted to validate the pointer, it would pass. Moreover, important information resides in dynamic memory, not the least of which is the vtbl pointers of important objects like MFC's global CWinApp.

Now, I have a question. How is that this code can be executed at all? Unless the permissions on the pages holding the exploit code permit execution, I don't see how the exploit can even run. Instead, I would expect to see some sort of access violation. Apparently not.

I will research this more.

-Hope

Re:Less tripe than you suggest.

[Uller-RM]

1. If the program creates an edit control and specifies that the maximum input size is X, then it better stay X until it is changed by authorized code- namely the process that created it.

I'd agree with you. Practically, Windows doesn't provide a mechanism for finding the originating thread of a message, and I doubt they'll hack one in now.

The exploit code is most likely in the edit control's internal buffer- not the application's dynamic memory. Unless the user clicks OK or some sort of OnChanged handler has copied that data to a new location, the application has not had the chance to touch it. The attacker merely needs to guess the location of the edit control's internal buffer. Apparently, it's less difficult than one would hope.

The child window's memory is still inside the parent's process, on the heap. It's actually quite difficult to locate algorithmically, though - he admits in the article that his technique relies on attaching a debugger to the process and searching system memory byte-by-byte for the string FOON.

That, and he mentions a buffer overflow, so unless he's using terms he doesn't understand and assumed that happened, the textbox is sending an EM_CHANGED message to its parent window. In reality I think his debugger's just finding it in the textbox and executing out out of there. See next para.

Now, I have a question. How is that this code can be executed at all? Unless the permissions on the pages holding the exploit code permit execution, I don't see how the exploit can even run. Instead, I would expect to see some sort of access violation. Apparently not.

None of the current Windows handles clear the execute bit in the GDT/LDT tables. Ya, I think it's stupid too.

Re:Executing untrusted code

[alext]

I was hoping someone would step in with these assertions - it's really time such complacency was examined:

1. Java runs on Linux. So it does, and will be well supported not by one product but by three (Sun JVM, IBM JVM, BEA JRockit). What a pity, then, that this commitment by the vendors is not matched by the Linux community at large. No significant GNOME or KDE application is written in Java, and KDE does not even have a LGPL Java binding!

2. Dotnet "being implemented" on Linux. Coincidentally, starting this morning, Dotnet is being implemented by me on my toaster, and I can say with confidence that with regard to the major APIs such as Windows Forms, both efforts have made similar progress, i.e. none. And if Mono / DotGNU does make progress, I'm betting they get sued for patent infringement.

3. User mode Linux 'superior' to Java or Dotnet. This is, frankly, a ridiculous statement. Firstly, Java and Dotnet provide guaranteed integrity of the application, something that's impossible to achieve when you have pointers floating about. Secondly, the rest of the system can be structured into a highly organized form where just the necessary amount of information is shared and rights given. For example, I can apply access controls to individual methods of an application, but a particular application may not itself even be able to read those controls, so it has no idea of who can do what.

The problem is really the same one that has bedevilled Linux already - choice is good when you can make it (KDE or GNOME), not so good when it is made for you via a chain of dependencies (Kmail requiring KDE requiring Qt). Coordination and control applied only to the kernel is no longer sufficient to warrant Linux being called a platform - unless enough momentum is built up behind some combination such as Kernel + IBM VM + SWT + Qt + KDE the platform will become so diverse and complicated that vendors will be unable to port their applications to it.

That's not the way it's documented

[BCoates]

Microsoft's documentation for WM_TIMER indicates that the code is run by the "Default Window Procedure". This is DefWindowProc, the function you call to handle messages that have gone unhandled by the application. If this is correct, the problem is fixable; the application needs to simply not call DefWindowProc for WM_TIMER messages with non-zero second parameters (unless it actually wants the code in question called).

This could be solved without major disruption in windows if DefWindowProc simply checked the address passed to it against a list of functions that had been previously registered by the process with SetTimer().

I haven't personally verified this, it's possible that the documentation is incorrect.

--
Benjamin Coates

What about Macs?

[sv0f]

The author writes:

Is this just a Win32 problem?

Probably, yes. The only mainstream competitor to Windows in terms of windowing systems is X windows. X is based on a similar underlying technique, that of queueing messages that are passed between windows.

Are Macs susceptible to such an attack?

reply to this:

[RelliK]

Either way, Microsoft break their own rules; there's numerous windows on a standard desktop that run as localsystem. Use my shatter tool to verify this - there's a whole load of unnamed windows which might be running as Localsystem, and a few invisible windows (like the DDE server) that definitely are. Security boundary my arse.

The author has addressed Microsoft's response in his writeup. Given that there are numerous windows running as LocalSystem on any desktop, Microsoft's response is a load of tripe.

Re:Executing untrusted code

[dvdeug]

User mode Linux 'superior' to Java or Dotnet.
This is, frankly, a ridiculous statement.

If you're asking for a platform to be secured, I can secure any program that runs on Linux using UML. UML allows you to use existing libraries and code, without breaking the sandbox). That's a huge advantage.

Firstly, Java and Dotnet provide guaranteed integrity of the application, something that's impossible to achieve when you have pointers floating about.

Nonsense. Having pointers does not prevent you from guaranting integrity of the application, nor does not having pointers mean that you can't get invalid data or malformed data structures. The only way to guarantee integrity is a formal proof of the program. In any case, Perl, Python, Scheme, Eiffel, Common Lisp and any number of other Unix programming languages make the same offer.

Secondly, the rest of the system can be structured into a highly organized form where just the necessary amount of information is shared and rights given.

Which can be done without Dotnet or Java. And frankly, I don't believe it will be done by any but the most anal programmers, and they could have done it in raw assembly on the bare hardware.

Re:Just so you know... AFAIK

[dimator]

And THANK YOU very much for linking to e2. I'll be clicking around there for a good 2 hours now, thanks for killing my productivity.

Re:Is this really a security risk?

[Bill+Currie]

copy con foo.exe
MZ[lots of alt-numberpad typing, hope you don't need 26]
^z
foo.exe
Windows doesn't even need chmod +x

huh?.

[BCoates]

Um, the documentation you pointed to says

The SetWindowLongPtr function fails if the window specified by the hWnd parameter does not belong to the same process as the calling thread.

Making it not terribly useful for priveledge escalation.

--
Benjamin Coates

This is the absolute stupidest thing Ive ever hear

[gamorck]

Look... I'm in no hurry to defend Microsoft but being as I develop for their OS on a daily basis - its common knowledge (or should be) that anybody who runs a service under system privileges that presents a GUI to any old user - is a fucktard that simply needs to die. Yes this problem can be fixed by MS using the 2nd option indicated in the paper and yes it would mean these crappy designed apps written by third parties would have to be rewritten.

Microsoft specifically reccommends that you do not run services and allow them to interact with the local desktop. Doing so is security suicide. Thats how VirusScan was running. Therefore its a McAfee issue since there are about a bazillion better ways to write this app.

J

Re:Executing untrusted code

[alext]

I think you're failing to distinguish between fundamental architecture principles and gossip.

Dotnet does protect against viruses - it allows precisely the appropriate level of privileges to be accorded to something like an email attachment. There may continue to be exploits, but unlike existing systems suffering from buffer overflows etc. the exploits can be fixed in the platform rather than the applications. A secure platform is a whole new ballgame over POSIX and Win32.

XP's own exploits are no more relevant to Dotnet than they are to Java - Dotnet has its own security model, and it is perfectly possible to put a secure environment on top of an insecure one, providing that the secure interface is the only public one.

You still seem to be confused about what a secure platform does. Essentially, Microsoft can ship you any 'binary' and you have the power to limit what it does (TCPA lock-downs excluded, of course - use Java as an example if you prefer). Therefore the issue of backdoors in an app need never arise - just deny it permission to open a socket.

On a positive note, I agree that having the source is the ultimate guarantee, though ideally you want both the source and a secured platform. The amazing thing is that Java has achieved this and put it on a plate for everyone - it's almost impossible to ship a Java application without allowing the source to be recreated - but still people persist in generating user applications with antedeluvian C tools. Java technologies and Open Source goals complement each other in fundamental ways, but the importance and potential of this has never been recognised.

It would help if the author understood windows...

[dark+druid]

This is not a security vulnerability in windows. In windows the security boundary for GUI objects is the window station/desktop. Within the same winstation or desktop you can send any message to any window you want. You can set ACLs on the window station to prevent low privileged users from accessing a window station or desktop. Services by default run in an isolated winsta/desktop on a per user basis (i.e. all the SYSTEM services share a winsta/desktop). No low privileged app can send anything to that desktop. If you check the let this service interact with the desktop option for a service then it is moved into the main user window station and desktop. That service can then present UI to the first user which logs into the system if it wants. The service also gets all the security risks of running in that desktop. If you choose that option then you get what you asked for and need to secure that code for running in the interactive session. Running this way also doesn't work with fast user switching or terminal server since you can have multiple users logged in at the same time. If a service wants to present UI to the user then it needs to run in a client server model and a process running in the user session and communicate back to the parent using COM/RPC/whatever.

Re:Fucking stupid

[DunbarTheInept]

So you think it's unfair to blame Windows when the exploit is in the default behaviour it gives you when you do nothing about one of the GUI messages?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Executing untrusted code

[alext]

If you're asking for a platform to be secured...

No, I'm asking for the whole system to be secured. That's where your approach comes unstuck.

Having pointers does not prevent you from guaranting integrity of the application...

You're using integrity in a much broader sense that most people do, particularly with regard to common security exploits. The advance that Java represented over traditional code models has been documented at length by academics - no other language in common use comes close, certainly not Perl, Scheme or Common Lisp.

The bottom line is that Java and Dotnet offer a a value proposition that no security-minded developer or user can afford to ignore, and for practical purposes no amount hand-waving about formal proof systems is likely to deliver anything remotely comparable.

it's the vendors' fault

[commodoresloat]

Yah, it's the vendor's fault for not treating the insecure services running "windowless" under Windows as damage and routing around them.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Why are people pretending this is not a problem?

[tlambert]

Why are people pretending that this is not a problem with the design of Windows?

It seems perfectly obvious to me that all you would have to do to fix this would be to associate applications credentials with messages as they are passed around, and not permit messages from a process with a lower priviledge to be sent to a process with a higher priviledge, unless a security association is established.

This would mean changing the messaging API, but it's fixable. It would merely mean recompiling all third party code that needed t communicate across priviledge boundaries, and adding code to programs designed to operate at higher priviledges to accept the new message type, rather than dropping it on the floor (making that the default), and make a decision based on that.

This is the standard "capabilities" security model, and is the same model that used for NT file permissions, in terms of a hierarchical inherited rights arrangement.

There would be a significant impact on "remote control", some install tools, and other packages that are not written with the idea of priviledge domain seperation, but it's *possible* to fix.

-- Terry

That's what happens when you do it wrong

[rabtech]

One of the primary rules when designing a service is that a service does not provide ANY USER INTERFACE WHATSOEVER.

A service listens on a TCP/IP port, named pipe, etc. If the virusscan writers had written their stuff PROPERLY, it would run the virusscanning engine as a service, and the user interface would be a user-mode program, posting and receiving messages from the service via named pipes or an IP port or whatever.

Imagine that you had a daemon running as root on your linux box that somehow popped up a UI in your X-windows session. Would you be AT ALL surprised if there was a way to exploit that to get root? I thought not.

The proper way would be to have a user program running in X that could communicate with the service.

Re:Executing untrusted code

[jedidiah]

"fundemental architecture principles" are something that Microsoft has never cared about. They even had the architect of VMS on their side and they still failed to deliver a robust product. All of Microsoft's propaganda won't erase the last 20 years of their management practices.

There is far more than mere "gossip" supporting those of us that are skeptical of anything that Microsoft creates.

It would be more efficient to simply resurrect VMS.

Re:Fucking stupid

[RadioheadKid]

Yes, quoting one of the more sensible /. readers:

This "vulnerability" only effects poorly-written applications, running with system priviledges, which create windows in user-space.

You're not supposed to do that.

If you want to have a service which is user-configurable, create two separate programs (one service & one gui) and communicate via a named pipe.

This isn't a flaw in the win32 API. This is a flaw in some applications which run under windows.

mouse / keyboard macros/control

[Barbarian]

Back in the days of Windows 3.11, you could record mouse macros and play them back (i.e. to automate stuff). Can this type of stuff still be done today? If so, an exploit doesn't even need a user to open a window for it (like the exploit paper suggested), it can do it itself. Also, perhaps an exploit can sit in the background and just wait for an appropriate window to open.

Ummm NO

[spacefrog]

How are you arriving at the conclusion that this dialog runs with system priviliges?

IT DOESN'T

The GUI comes from a DLL running inside the process space of MMC.EXE. It uses a fairly secure RPC/IPC mechanism to talk to Windows.

A simple trip through spy++ will even tell you the owner process in about 5 seconds.

Couple of points.

[Jade+E.+2]

First, although using cross app messaging to break security is new, the technique has been around for years. I can't count the number of shareware apps that 'limit' the unregistered version by disabling some checkboxes or radio buttons, which you can re-enable with the right messages.

Second, on the finger-pointing issue, yes the specific example he used is McAffee's fault for not seperating the GUI from the service, but as he said, there are several built-in ways to get a LocalSystem window with controls on it without resorting to exploiting 3rd party apps. In other words, if MS is going to point the finger at service developers, they had better include themselves in that category.

Third, a question about how controls respond to windows messages. I've never had cause to send messages directly (except custom messages), but AFAIK it's not a case where you can send a EM_SETLIMIT message to a control and it automatically sets it's limit. The application has to receive the message, interpret it, and set the limit on the control. The problem is that no major vendor I know of, particularly not MS, write straight to the API, they use libraries for their controls. And every control library I've seen defaults to handling EM_SETLIMIT messages by setting the limit on the control. If this works the way I think it does, then by not using libraries with open defaults, or by changing those defaults, you can write an app that only handles messages it expects to receive, hence this problem doesn't happen. (IE, do you know of any app where one thread really needs to change the length limit on a control in another thread? I can't think of any off the bat...) Can anyone confirm or deny this?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Like GTK

[0x0d0a]

GTK+ has the same issue. It was a *huge* deal when people started fighting about this, and eventually the decision was to just not let GTK apps run suid root.

Given the huge outcry about GTK+, I'm impressed that MS has had the same flaw, but for so much longer, with no one talking about it.

Re:Like GTK

[0x0d0a]

Actually, having read the paper in more depth, the exploits aren't exactly the same -- one can send messages to a GTK app to make it do nasty things, but not make it jump to random memory by sending bogus pointers. The end result is the same either way, though.

Re:Like GTK

[dfinster]

Given the huge outcry about GTK+, I'm impressed that MS has had the same flaw, but for so much longer, with no one talking about it.

I knew there was some advantage to closed-source...

Re:Executing untrusted code

[alext]

MONO, the Linux clone of .NET, but without the spyware and bloodsucking license

...and without the libraries, and the support from application developers. (But with the potential for having its butt sued by Microsoft).

Sounds great!

Remind me again, this delivers precisely what benefits over using the well-established Java VMs on Linux?

1) Deliver high media profile for Miguel de Icaza

2) ?

DMCA test case, right here

[Sloppy]

It's open season on Foon. Do you have anything copyrighted by you (that limerick that you wrote 10 minutes ago will do), stored on a machine that runs NT? If so, then you can sue Foon for trafficking in a program primarily intended to circumvent a technological measure that effectively controls access to your copyrighted work.

Re:Executing untrusted code

[Enigma2175]

You forgot

3) Profit

It had to be said...

Err. . .

[Com2Kid]

On a locked down box, misc apps downloaded from internet cannot be run anyways. . . .

Give users ability to run any app they want, and of course your security is going to be broken through sooner or later,

duh

Re:Take control?

[Reziac]

If I had to reboot 26 times in a *year*, I'd wonder WTF was wrong with my box. That said... when I first installed WinXP, it had (count them) *30* logged background crashes in the first six hours of operation, only two of which were presented to me as visible events. (Don't blame my hardware, that same machine dual boots WinME which has not crashed ONCE in almost two years now. An identical machine runs Win98 24/7 for weeks at a crack, and *never* crashes.) After the HD took a crap and was replaced, I had to reinstall XP.. this time it installed 600mb more files in \system (wtf??!) and has had a grand total of two background crashes (logged but not user-visible).

Anyway, occurs to me that if this guy's system has something screwy, like bad RAM or a buggy CPU or a crappy chipset, could well be that background crashes (normally disposed of transparently by XP) are being expressed as BSODs instead. (I *have* wondered what these background crashes do to memory, tho..)

I have four active WinBoxen -- the two above and two Win95 systems -- and I doubt if they've had 26 crashes in their combined total lifetimes, even tho WinME and the older Win95 box (which has *never* crashed in the year or so I've had it) are used to test every sort of crap. Amazing what sound hardware and drivers (and NOT installing M$Office, which is Windows' worst enemy!!) does for stability. :)

Re:Take control?

[Moridineas]

Please read the post before trolling--3/15 was the original install date.

Re:Take control?

[1010011010]

your second mistake was writing bad code.

Uh-huh. STFU -- I suppose that all of your early code in a new project is perfect. Are you really serious?

After all, now that I'm finished with it, it works, no memory leaks, crashes or anything -- running on production NT and Win2k servers (pays the bills, even though I want to gnaw my hands off some days) for about six months now.

But, of course, I am a total moron for doing a double free() anywhere, ever, regardless, right?

Gone are those heady days when you had to be REALLY CAREFUL, or your application could hose the whole operating system and crash the computer. Ah, those thrilling days of Windows 1.x, 2,x, 3.x, 9x, 2000, er... yeah, where you make any little mistake with memory, or locks, or pointers, and you're watching the BIOS POST again... uh-huh...

I didn't think that any part of IIS was part of the kernel in Win2k. But I have trouble explaining why a bad pointer access in an ISAPI filter blue screens the OS, other than... there's some kernel stuff happening there! I wonder if the buffer and ISAPI filter gets handed is kernel memory...

Re:I get blue screens all them time

[Reziac]

I don't doubt your experiences, but I've also heard that some of the WinDrivers for the Sony Vaio series suck to the point that you can't expect stability if you're using them. However with fully updated BIOS and drivers, there's no reason to expect Windows to misbehave on that system -- unless it's a model that has some flaw that tickles Windows but not linux.

As an example (albeit in the opposite direction) in my collexion I have a buggy 486 CPU that runs Windows just fine, but throws up all over OS/2 Warp3, and also pukes on some 32bit DOS programs -- and tho I've not tried it, I'd bet it would refuse to play with linux.

Re:You're stoopid

[Hostile17]

He makes a valid argument against Microsofts track record of producing software that does not work as promised, while you have trouble spelling simple words, HMM who am I going listen to.

BTW, it is spelled STUPID

What about this?

[RzUpAnmsCwrds]

Log on as Administrator. Go into "Services". Look through your services, looking at the "log on as" tab of each service. Make sure "Allow service to interact with desktop" is unchecked. Keep in mind that some services require this to have a GUI.

Re:Take control?

[Mandelbrute]

3) incredibly, incredibly bad software (which again shouldn't crash the OS... but that's yet another discussion)

Hey, I wouldn't call explorer.exe incredibly bad - but it certainly does seem to crash a lot on XP - even when it is the only thing running. At least most of the time it doesn't bring the sytem down entirely (can still give the three fingered salute and run apps from there).

Win2k was very happy on this hardware - XP is crashing four or five times daily - with purely MS applications and the most recent drivers.

Re:Takes 1min for me

[man_ls]

I am definately going to remember this. It might work at a place where there are NT4 terminals that authenticate off a domain, but local administrators have unrestricted access.

Re:sprintf is the wrong analogy

[J.+Random+Software]

Only a similar problem. Unless there's something dire about xlib that I've forgotten, POSIX systems don't tend to bundle user interface libraries that accept messages from any user, interpret a field as a function pointer in the server's address space, and immediately call that function whenever the app doesn't specifically overrides that behavior. That's somewhat exploitable even if you don't have a buffer overrun to take advantage of.

I'll throw my hat in too I guess...

[Mongoose]

Windows NT/2000/XP all have problems with applications running at 'System' or another level below 'Administrator' ( root ).

For example:

1. Setup a win2k box with a user, and make it so that this user can only run the app MS Word using your little GUI profile editor.

No write access to drives, no shell, etc.

2. Log in as that user.

3. Now run MS Word and...

Press Alt+F11
Press F5
Enter "wolf" as the procedure name
Enter "Shell "cmd.exe", vb.normalfocusfoo"
Press F5

Now using commands like 'control userpasswords' you can fuck up your nice little system.

Also using command.com ( 'NT DOS' ) with your macros you can get beyond kernel rescrictions, which is like the ntsd kernel debugger bug a while back that the patch didn't fix.

Basicly you can still 'own' a network with your garden varity macro virus still.

Hell, I consider it a feature -- you forget your admin password or want to install something by sending a 'macro agent' around the network.

Also don't forget XML+IE+Outlook, DDE, and OLE holes. Btw I never report these exploits I find... I guess BugTraq hates me.

--

Yes, this is why you have to reimage windows so often besides dll hell...

This is very serious

[Eric+Damron]

Especially when one considers the fact that a large percentage of network attacks come from disgruntled employees.

So keep your employees happy or don't run Windows!

This is the Win32 version of SUID vulerability

[cookd]

C'mon, people! This is nothing new. We all should know by now that writing priviledged applications is way different from writing normal user-mode apps. In this case, we have an example of how a poorly written priviledged app that interfaces with a local user might give the local user a chance to escalate priviledges. How is this different from the fact that a poorly written SUID app gives the user a chance to escalate?

Knowing what this guy brought up in his paper, it seems a lot more obvious why you are NOT SUPPOSED TO INTERACT WITH THE DESKTOP AS "SYSTEM" if you are running as a service. This has been common knowledge among Win32 programmers for a LONG time.

The UNIX model has some exploits to which Windows is immune, due to structural/design differences. And the reverse is just as true. If you don't understand the security practices required on your platform of choice, you shouldn't be programming apps on systems that need to be secure.

Re:Executing untrusted code

[dvdeug]

You're using integrity in a much broader sense that most people do, particularly with regard to common security exploits.

Shell scripts have no pointers. Shell scripts are bitch to make secure, because every line you have to make sure that there's no stray ` or $ in your input data that you aren't properly escaping. Any language that only has or encourages the use of fixed length strings has a potential integrity problem there.

The advance that Java represented over traditional code models has been documented at length by academics

What advance? Sandboxing is certainly nothing new, nor is pointerless languages, and many Lisps follow both rules.

Re:Take control?

[(outer-limits)]

Troll for this. I have suddenly had the same problem. An XP system that was reasonably stable, if very slow to boot up, suddenly blue screens all over the place, with various error message such as IRQL_LESS and something about POOL memory being release twice. It wouldn't even run in safe mode. Tried booting it up with the rollback to last stable configuration option, and it appeared to become stable again. Thought it was a hardware problem it was so bad. Perhaps one of those patches it downloads for you was a dud. Anyway, Can't say the previous post was a troll based on my own experiences.

what about other platforms?

[valmont]

i would like to get a bird's eye view understanding of what other platforms are doing different to avert similar issues? is OS X more or less immune to that? what about linux/X11? *BSD?

I'm thinking that unix was designed from the ground-up to be a multi-user environment, so for example students could compile their C apps for their CS101 class assignments on their own little shell account, while not being readily able to wreak havoc on the system ...

When microsoft states "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore", this means to me:

• windows is *by design* not a secure multi-user environment. Which is fine by me as long as they don't advertise it to be.
• the definition of "bad guy" seems fairly blurry to me, in light of the popularity of peer-to-peer applications which I'm sure would *love* to exploit such holes

are there still easy/obvious ways to root a unix/linux/bsd shell from compiling and running a piece of C code? aside from attempting to kill the CPU, infinite loops, and/or render the machine useless?

Re:Fucking stupid

[DunbarTheInept]

I know that that is the recommendation from MS. The difference of opinion is that you think telling programmers to not use it absolves MS of responsibility for their insecure GUI. I do not. If an application fails to jump through the reccomended hoops to avoid the flaw in MS's default behaviour, that doesn't magically shift the blame to the app. Note the word "default". It's very important here. The bug is what surfaces if you *don't* do anything special in your application program. If I burned a CPU chip that had a flaw that started the chip on fire whenever you execute an illegal instruction, it would still be my fault, even if I say "please don't have illegal instructions" in the programmer's manual for it.

Yeah really

[Otis_INF]

A service with no gui can't be exploited by this 'get handle for window and exploit it'-hack, stated in the article.

MS doesn't release services with a gui. Never. All services in windows coming from MS are gui-less, i.e.: the process ITSELF isn't opening a gui. Therefor the user has to open an application, thus it runs under the user's SID, to communicate with the service, via a process-communication scheme.

Re:Wrong.

[Tony-A]

IIS runs as IUSER_ NOT as the System account, and it has done this for years. The default install of SQL Server 2000 runs as a normal Domain user account NOT LocalSystem.
But Code Red and friends still propagate. Seems like Microsoft's idea of security has some problems.

Re:Executing untrusted code

[Tony-A]

Linux has about another two years to continue poking fun at Windows security defects, then Dotnet will be in place and the party will be well and truly over.
Yes, but which party?
These is something of a progression of Melissa to Code Red and Nimda to Klez. The worms and viruses are getting smarter and Microsoft still doesn't have a clue as to security.

that just delay.

[leuk_he]

It seems this exploit allows local users

You can still type malicious code with a pencil. Better is to solve the "local" problem: Send the use to the north pole.

Why the hassle with the EDIT field?

[kris]

Why the hassle with the editfield? As far as I can see, code is being executed with the address space of the security relevant process by receiving WM_TIMER or any other message that accepts callback addresses.

So any method to inject code into the target address space is okay, even writing the exploit into configuration files, registry keys, or sending it in network packages so that it ends up in any input buffer. Just send the WM_TIMER to activate it.

Pot, meet kettle

[sql*kitten]

You know, I remember when you could do all sorts of fun stuff with X11. For example, you could layer a transparent window on top of a display, that passed keypresses and mouse events to the window beneath it - and capture everything the user did. You see, most people used xhost for security - which meant that you gave control of your display to anyone who had access to the machine your X client application was running on.

Due to this, we now have xauth and MIT Magic Cookie. Anyone who says a security hole "can't" be fixed is naive - even if the fix is a kludge. MIT Magic Cookie is easily snoopable, so that's another security problem. The X11 protocol itself is easily intercepted, so we have to tunnel over SSH.

I could go on, but I've made my point. Linux users who take it on faith that they are secure are sadly misguided - as are those who believe that Windows is inherently less secure. Ultimately, it comes down to the skill of the sysadmin to secure any OS.

Re:Pot, meet kettle

[gorf]

Maybe I'm missing something.

How long have MIT-MAGIC-COOKIES been around? People care about what security is about now, not however many years ago. That's why networks are sniffable; people considered the issues and decided it wasn't worth the effort at that time. Now that it is worth the effort, we have IPsec (and VPNs) and ssh.

As for xhost authentication, that was by design. The people who designed it knew perfectly well what it didn't do. And X11 being intercepted? All along it is generally accepted that the network is sniffable unless you take additional measures. And that is by design, and that is the purpose of ssh (which admittedly came along later when security became more of an issue).

I don't know how true this Windows bug is, but this issue certainly isn't there by design.

Ultimately, it comes down to the skill of the sysadmin to secure any OS.

I secure myself from X issues by using X tunnelling. How do you secure yourself from this problem then?

Re:Pot, meet kettle

Not just "pot, meet kettle".

The warning comes from a 23 year old "genius" who describes himself as knowing a couple hundred languages on x different platforms and capable of learning any new language in 3 days, but who doesn't know that this "issue" has been known for years, and isn't a security flaw in windows, but in the application software (in this case, viruscan).

The same flaw (letting a process that runs at system level interact directly with the desktop, against warnings in MS docs never to do that), also exists in HP printer drivers (to name just an example), and is a thousand times more easily exploitable there -- all you need is physical access to the machine.

I'm including a description below. This made me raging mad at HP a few years ago and is the reason why I'm forbidding the use of HP printers anywhere in the company.
After being sent from phone to phone when I reported it, when I finally reached someone who understood what I was talking about after having talked to support people in 3 different countries, it appeared that (a) HP was aware of the issue and (b) they found fixing it to be too much of a hassle, since there was an easy workaround: disable bidirectional support on the parallel port, so the driver can't detect printer errors.
That guy actually made it sound as if I was stupid for not having thought of that "fix" myself.

I ran into the problem on a system where my own app was running as shell, but below is an easier way to reproduce it.

It worked (works?) under NT4, but I wouldn't be surprised at all if it's still the same in XP:

- You need a PC with a HP printer attached, with the drivers installed from HP's CD (not the drivers that came from MS on the windows CD, those are safe). It was confirmed to work with deskjets in the 600 and 800 series.
- Open notepad. Type in some random characters.
- Click Start/Shutdown, and hold down ctrl+shift+alt while clicking "Cancel": this closes the shell, while notepad keeps running (a less known, yet documented trick to close explorer.exe as the shell while remaining logged on).
- Remove all paper from the printer, then print the document from notepad.
- A tabbed dialog will pop up with a message about the printer being out of paper, and diagnostic and help tabs. That dialog also gives access to the help file that came with the driver, from there you can go to the printing problem solver, and there you can open the printers control panel.
- Do that. The printers control panel will be opened in explorer, but because explorer.exe is also the shell and no other instance is running, it will start as the shell instead and your desktop and taskbar will reappear.

Congratulations. You are now logged in with system privileges, because the HP driver displays the error message under the system account, the help file inherits the privilege, and so does explorer in its turn.

Re:Pot, meet kettle

[gorf]

Sorry, I meant the Windows security problem this article is about by this. I was wondering how you protect yourself from it since according to you a competent sysadmin can do so.

Way around the standard?

[Jeppe+Salvesen]

What if the gcc/libc people made sure that the compiler issued big, loud warnings whenever sprintf() and other vulnerable functions were used/compiled? Would that explicitly break the standard?

The man page needs updating too, there is a mention of the overflow potential in the "bugs" section, but it's not explicit enough (IMHO).

Shoddy work, mistake in the whitepaper!

[dannannan]

This white paper makes several allegations, not the least among which is that there is no way for a user-mode app to mitigate the security risk it presents. This is untrue, however, and appears to be the result of a failure to investigate properly on the part of the author! User mode applications can be rewritten to guard themselves against malicious Win32 message-based attacks. That's because every user-mode app has full say in how every message is handled, contrary to the white paper.

From the paper: "As far as I know, the message [WM_TIMER] doesn't even go into the message queue, so the application doesn't even have a chance to ignore it."

The previous post follows the theme with: "It's like opening a socket for doing basic network communication and Windows API allowing certain pre-determined 'helper' messages to be handled by OS before your app has any say to handling."

Dave at Microsoft did a thorough investigation with the developers who were familiar with the relevant code and replied to the author before he released his white paper (8/5/2002): "It is the implementer of a program that decides what messages to handle and how to handle them."

The author could possibly have arrived at his erroneous conclusion by writing a test app and monitoring calls to a message handling routine when certain types of messages were sent to the app. Observing that a WM_TIMER message sent to the app was processed without the application-supplied message handler being invoked, one might conclude that it is therefore impossible for an application to guard against WM_TIMER-triggered attacks. This test is flawed.

The standard message dispatching pattern you'll find in common Win32 programming books (e.g. "Teach Yourself Windows 95 Programming in 21 Days" by Charles Calvert) and even in sample code from Microsoft goes like so:

1. Wait for a message to arrive in the queue (GetMessage)
2. Optional logic to crack certain types of messages for easier handling later (e.g. TranslateMessage)
3. Dispatch the message for handling by an application-specified handler routine (DispatchMessage).
4. Repeat until a special message arrives that breaks the loop.

No message is processed until the application calls DispatchMessage. DispatchMessage contains special-case logic which handles WM_TIMER and WM_SYSTIMER events *without* invoking the application-supplied message handler, which is why tests similar to the case I mentioned above don't show a call to the message handler for WM_TIMER messages. However, the message will only be processed if the app calls DispatchMessage.

Applications can guard themselves by inserting a (possibly non-trivial) step 2.5 into the pattern above: security filtering of messages prior to dispatch.

So, the basic Win32 thread messaging API calling patterns are flawed when used in situations where applications with different privilege levels coexist on the same desktop. Dave already pointed this out in his email response to the white paper author on 8/5/2002. Message filtering needs to be added to those specific applications in those cases if there is to be any measure of security.

Also, the most privileged service applications (those that run as LocalSystem) can't create windows on the interactive desktop by default, which means that they aren't vulnerable unless someone checks a box that says that they should be! That feature must specifically be enabled (see the "Allow service to interact with desktop" checkbox in the Services UI). Services that run in security contexts other than LocalSystem don't even support the "interact with desktop" functionality.

The conclusion of the whitepaper -- that there is no way to write a service to be secure -- was not proven. The author should have done a better job of investigating his claims before publishing this paper.

This really boils down to a case of poorly written services exposing more "services" to users than they intended to. Several good posts on this /. topic echo that too. At least we've raised awareness.

D

Re:Shoddy work, mistake in the whitepaper!

[Old+Wolf]

High-level IDEs (eg Visual C++, Visual Basic, C++Builder etc.) automatically provide message queue processing for each control. Even with the message you are suggesting, one would have to filter the calls to DispatchMethod. To secure an application against this attack would be a monumental piece of work -- to write your own message handler for every control, and filter out all possible harmful messages (or alternatively, filter in exactly the messages you want). And then for the dangerous messages (WM_TIMER etc). you have to figure out whether it was a real timer in your application, or a spoofed timer message.

I'd hate to see the source code of a program like this.

Re:Executing untrusted code

[Tony-A]

Microsoft has spent the last 5 years playing catch up to Linux in security and stability. They are still at least 2-5 years behind in both of these areas and I don't see this changing anytime soon.
And Linux is maybe 2-5 years behind the *BSDs.
OpenBSD: "One remote hole in the default install, in nearly 6 years!" (And that fish looks mad;) Methinks that is actually a stronger statement than when they were running "No remote holes ...".

You are assuming .NET will live up to Microsofts hype
No matter how good a job Microsoft does, it's a monoculture and there's always a crack somewhere. Linux does not have that problem because there's a bunch of subtly different ones out there and there's always a few wiseacres who insist on doing things their way. Security through obscurity can work, but it does presuppose obscurity. A monoculture is *not* obscure.

Re:Executing untrusted code

[Tony-A]

Therefore the issue of backdoors in an app need never arise - just deny it permission to open a socket.
Right. Close one hole and ignore any communications with apps that DO have permission to open a socket.
Security is a perimeter-type thingee. There is no "just" about it.

Re:Executing untrusted code

[jpmorgan]

The only way to guarantee integrity is a formal proof of the program.

It's funny you mention that.... that's exactly what the .NET runtime does - it effectively proves the program doesn't violate any security or integrity restrictions before it allows it to run. To be able to do this programmatically requires heavily restricting the use of pointers.

And yes, you can write a program that uses pointers in .NET - but such code is marked as 'unsafe' and requires special privileges to run.

Re:WARNING Virus in article download!!!!!!!

[jeremyp]

So your AV is doing its job properly. It doesn't know that you actually *want* that exploit.

Re:Why are people pretending this is not a problem

[tlambert]

Windows 3.1 dosn' have memory protection, so messages are the least of my worries. I can just rewrite code pages willy-nilly, instead of having to be clever and use messages.

We ware talking about fixing Windows as it exists today, and as it is being claimed to be "unfixable".

Unix checks credentials *all over the place*, any time you make a call into the OS.

In Windows, the only place you'd need to check is in the message sending functions, in KERNEL32.

One of those credentials, the sender's is going to be cached, and the receivers is going to be available with an add and a register dereference, since you have to have the queue available to enqueue it anyway.

Also, don't forget that the vast majority of these messages come from the UI, which is connected to a human being, whih is significantly limited in it's ability to generate messages as fast as Windows can sink them.

The major issue would be Winsock's hidden window for asyn WSOCK32 API implmentation. That's not an issue on any version of Windows that uses the BSD stack, rather than implementing it in user space (quick rule of thumb: if you can register a File I/O completion event, then your socket is a file descriptor, and your TCP/IP is implemented in the kernel, rather than in user space).

In other words, it's not a problem.

-- Terry

Re:WARNING Virus in article download!!!!!!!

[grub]

bzztt.. sorry Buckwheat, Kaspersky AV doesn't detect a virus. Likely Norton sees Evil 3l337 sh3ll c0d3 and gives you a false positive.

Re:Take control?

[MORTAR_COMBAT!]

thank you.

Re:Take control?

[MORTAR_COMBAT!]

i guarantee that when you're using IIS on Win2K, many of the messages get tied up in the kernel. hence the BSODs you get using bad filters on IIS. otherwise, the bad code would just halt IIS, now wouldn't it?

Re:Executing untrusted code

[NumberSyx]

And Linux is maybe 2-5 years behind the *BSDs...".

I am 100% in agreement with everything you said. Linux security does leave something to be desired when compared to *BSD and I encourage anyone who has serious concerns about security, should use *BSD. Microsofts biggest security problem is the monoculture they are trying to force on everyone, if they would back away from thier monopoly and allow a diverse computer environment to develope, things like VB Script virus's would be a minor annoyance instead of headline news.

Re:WM_TIMER

[Wumpus]

Not really - in some cases (subclassed windows, for example), a control's window procedure might want to trap a message, and then re send it.

Re:Take control?

[Moonshadow]

Precisely. I didn't mean to indicate that servers should have all their code and configs written by the admin in the machine code. I simply meant that the "candy" glossing and Microsoft "think for you"-ishness isn't needed on a server. Greater ease of use typically == less security. A server should be a machine that is HARDER to maintain because it is more configurable and secure.

Anyone who has used both Windows and Linux will probably agree with me - Linux is harder to use out of the box, but it's much more powerful, much more secure, and much more suited to an environment that will be under constant attack.

Re:Take control?

[1010011010]

the point he was making was the writing bade code shouldn't bring down the OS. don't be so damn defensive that you can't read the words in front of you.

You're right. My bad. Sorry, everyone! Sorry! Won't happen again...

Re:Don't Do That - my uni is telling me to do this

[cpeterso]

use strncpy() and strncat(). This functions let you specify that byte length of the destination buffer, so the function does not write past the end.

WARNING! strncpy() and strncat() are still dangerous. If the destination buffer is too small, the string in the destination buffer will NOT be null-terminated! So every time you call strncpy(), strncat(), or snprintf(), you should manually null-terminate the destination buffer just in case. For example:


char destBuffer[20];
strncpy(destBuffer, srcBuffer, 20);
destBuffer[19] = '\0'; // null-terminate the string just in case!!

Explanation of 14 platforms

[allanj]

The 14 platforms would be: ZX81, BBC B (huh?), Windows 3.1, Windows for Workgroups, Windows 95, Windows 98, Windows ME, Windows NT 3.51, Windows NT 4.0 Workstation, Windows NT 4.0 Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition and Windows XP Pro Edition. And that's not even counting service packs!