Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins

DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"

Something is Fishy

[ThinkFr33ly]

If the person on the Vista laptop was running IE 7 with the default configuration (protected mode / UAC on), this should not have happened.

Flash, like all other plugins, run within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.

For a flash plugin to allow for a hacker to access personal files of the user it would not only have to have a buffer overflow (or some other exploit) in flash itself, but also take advantage of a privledge elevation exploit in Windows simultaneously.

I didn't see them specify in the article what browser than were using. Since they said it was an issue with flash, and not Windows, they couldn't have been using IE. My guess is that it was Firefox, since they said they loaded "popular" 3rd party apps.

Futhermore, the file in question must have been accessible to the user running Firefox (or whatever non-IE browser) since that would also require a privledge elevation in Windows.

So I'm not really sure how you can blame this on Vista or even Microsoft. If they had been using IE, it wouldn't have happened, regardless of the flaws in Flash. This says absolutely nothing about Vista security. The exact same thing would happen on every other OS. If you have an app with an exploit, and that app is running as User A, the hacker using that exploit has the same rights as User A.

I suppose one could argue that various defensive techniques like ASLR should have stopped this, but without knowing the details, that's impossible to say. A buffer overflow can just as easily be used to call APIs exposed by the exploited application as it can to call OS APIs, and since ASLR only applies to Windows APIs (indeed, many of these techniques only apply at the OS level), this wouldn't be a fair characterization either.

Indeed, I find it strange that they didn't mention mitigating factors. I realize they're trying to be responsible as far as reporting, but telling people that users running IE on Vista aren't affected isn't exactly giving anything away... aside from the fact that Vista did its job as best it could.

Re:Something is Fishy

[benjymouse]

Flash, like all other plugins, run within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.

You are right that plugins by default runs under the special low-rights "ieuser" account. Unless the plugin uses tricks to circumvent this security for some reason.

And that is exactly what flash does. It uses a special "broker process" which runs as a daemon/service. The restricted plugin then talks to this brokerprocess and thus breaks out of the sandbox.

The flash API indeed has methods for creating/deleting/reading files and even executing applications (Would you believe that?). Although Adobe/Macromedia have tried to ensure that flash actionscripts can only use these in a "safe" way; I believe it is probable that the exploit was somehove connected to a vuln in the broker process; quite possibly in some of these API functions. Using a broker process to break out of the sandbox can circumvent any security precautions taken by the browser.

Given that Flash vulns are often cross-platform I think it is quite likely that this also is a problem on Linux. Now, if the special file which the contestants had to retrieve required *admin rights* the yet another level of security had been broken (UAC). But at this time we can't really determine.

Re:Something is Fishy

[Kalriath]

Except that... get this... FLASH HAS A BROKER PROCESS. Protected mode cannot stop Flash doing stupid stuff because Adobe in their infinite wisdom decided they really needed that unfettered system access and created a Flash Broker. And to top it off, the Flash installer adds the Flash Broker as a "Don't prompt me again for allowing this application outside protected mode to be called" program.

I don't even know why Microsoft bothers trying to secure stuff when morons like Adobe just go and fuck it up.

Re:Something is Fishy

[spisska]

Are you suggesting that software bugs are in some way a phenomenon unique to Microsoft ?

Not at all. What I'm suggesting is that when someone says that X is not possible because it isn't supposed to happen, it doesn't mean that it can't happen or won't happen. The Titanic was supposed to be unsinkable. AACS was supposed to be unbreakable. The four-minute mile was supposed to be unachievable.

I'm not foolish enough to claim that *nix cannot be rooted or cracked. Just that because of its design it is inherently more secure and more difficult to crack than a system that still allows apps to run in rootspace.

What "baggage" ?

The baggage of supporting legacy apps that require(d) administrator access. Because Windows had been designed for so long to be run by a single user-administrator, there are plenty of apps that simply won't run without admin-level privileges.

No, it addresses the same problem that exists on all multiuser OSes, which is why all multiuser OSes address it (with varying degrees of user friendliness). Windows "compartmentalises users" at least as well as other platforms (and possibly better, depending on exactly what those OSes are, due to extensive use of ACLs and the lack of a superuser).

Not exactly. When an OS is designed from the ground up as a multiuser system (such as *nix), it is very easy to restrict access to system resources. If I want to install a piece of software on Linux, for example, I cannot make the installation system-wide (by writing to /usr/bin, for example) without admin privileges. I cannot install libraries to /lib, /usr/lib, etc. I cannot write settings to /etc. Even when installed and executed, that program will only have a restricted set of rights based on the user/group that executes it. I can, however, compile and run executables as a user without needing admin access and without write access to system files and/or directories. I can put whatever libraries, modules, settings etc are required in my home directory without needing access to restricted areas.

Yes, I do run the risk of hosing my /home/user directory and everything inside of it, but I cannot touch any other user's files, and cannot touch system files.

Windows, on the other hand, has a hybrid model where a multi user model is tacked onto a single user-admin model, or rather support for a single user-admin model is bolted onto a basic multiuser model. Basic, because a true multi-user system would never have a single repository for all settings, like the Windows registry.

Your logic is worthless.

Please explain.

You are saying that because an (apparently ignorant) Exchange Administrator misconfigured her server, there might be bugs in Windows.

No. What I'm saying is that the my sysadmin's argument is very similar to the OP's argument. The OP said that because IE7 isn't supposed to allow a system level exploit via something like Flash, then therefore it isn't possible. My sysadmin said that because she configured Exchange to block autoforwarding to public webmail then it isn't possible. It is clearly possible to to autoforward my mail to gmail, and I did it and showed her to prove a point. She seems to think I manually forwarded the messages and somehow spoofed the reply-to field, and that autoforwarding is impossible because it shouldn't happen.

It's the same point I'm making now, and am running out of ways to say: Just because something shouldn't happen doesn't mean it won't or can't.

More on topic, if an app has elevated rights, then exploiting a vulnerability in that app will give the exploit/exploiter elevated rights. There are very few apps on *nix (none that I can think of) that run or need to run with elevated rights. There are a lot of apps on Windows that expect to have admin rights, regardless of whether or not such access is needed. This is why the problem is structural, and why I used the example of the incomplete wall.

Re:Hey!

[calebt3]

I don't see why the test includes third party software. Because nobody managed to crack it with it just sitting on the network all day, and only the Mac got cracked doing web browsing/email.

Re:Newsworthy?

[kripkenstein]

I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars. Hmm, I disagree.

First, this wasn't some script kiddie applying a known exploit. It was a new exploit that the winning team came up with. It isn't trivial to do.

Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.

Second, and perhaps more important, the existence of 3rd party software on different OSes isn't the same. For example, most Windows users use Adobe Acrobat to view PDFs, whereas many Linux users use FOSS PDF viewers (Evince, KPDF). It might be the case - and I am guessing that it is - that Acrobat has far more exploits against it, both because it has far more code (what with all the functionality 99% of users don't need), and that it isn't open source. In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.

Furthermore, even if two OSes run the same app - Flash, say - that doesn't mean they are equally vulnerable. Flash isn't identical between the platforms; if I am not mistaken on Linux Flash uses Alsa for sound (or some other Linux sound system). So if Alsa is more secure than Windows' sound system, that would be one difference.

I'm not saying this competition is a great test of OS security. It isn't; it's an anecdote. But it isn't worthless either. In fact the results are pretty much what I would have expected from the beginning: OS X is a great OS but security has never been a top priority (there wasn't as much of a need for it, so why bother). Windows has focused on security recently but is hobbled by having lots of closed-source 3rd party apps. Linux was always security-focused (starting as a server OS), and has the advantage of most of its software being FOSS and arriving from a repo under the control of the distro (in this case Ubuntu).