Windows Vulnerable To 'Token Kidnapping' Attacks
cuppa+tea writes "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7."
It doesn't do anything useful.
So don't use Microsoft products and you're safer!!! To be fair to Microsoft, their products have been steadily improved over the years. Their products are now acceptable in regards to competitors.
Yep. It buggers up the prompt.
printf("hello, world\n"); /*is better*/
*This message was compiled with -pedantic.
I don't know the last time I looked at everything in stdio.h for problems so it's tough to say...
See, your analogy breaks down because it relies on a fat, ugly girl having had sex enough to catch 17 diseases. That just doesn't seem real to me.
I actually remember quite a few times in the past when Linux had root elevation exploits. The Linux community just replied with "don't let people you don't trust have console access".
And some quotes from the above link
"regular Windows users can't exploit them"
"if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in *default* configuration"
It's bad, but not *as* horribly bad as the title suggests.
A properly locked down Windows machine should have been mostly immune to this anyway.
I still love how *nix naturally allows individual services to run under different users while Windows defaults to more of a blanket user to access everything. Windows is better than it used to be, but still not quite there.
Worker processes in IIS have impersonation rights, via the "NetworkService" account, so this could be an issue if a vulnerability in IIS or a widely used third party product (like PHP maybe?) on IIS is exploited.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
You, sir, deserve my respect. People sometimes forget that the bug can be outside the source they're writing, but on the code they're calling.
Buanzo Consulting - 15 Years of GNU/Linux experience, for you.
If you need citations for those things, then it's you who desperately needs the clue.
you're including an external file ('stdio.h'), which could be replaced by anything. A malicious person with access to that file could change the declaration for the printf statement to call an external function (or just add code into the header file), and then you're screwed.
Thinking about this makes me wonder if that's not a standard thing to do. No one checks stdio.h, right?
Ask me about repetitive DNA
You're a little confused; IIS is probably one of the most secure web servers at the moment, at least when compared to the lesser ones such as Apache.
I suppose the article does say "more than a year..." but this is really old news. http://www.argeniss.com/research/TokenKidnapping.pdf was published in the summer of 08.
Microsoft's "security" is drilled full of holes due to their desire to make the web more "active" and shut out other web services. Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas has "download code from the web and execute it" at its heart and is wide open to exploits. They can claim that they're working on security all they want but as long as these and other security breaches are built into Windows, attempts to plug the security leaks will be as useful as trying to bail out the ocean with a teacup.
Their "authenticode" signatures are just an example of "security through obscurity" and have already been compromised. All of the other security fixes are nice, but they don't deal with the gaping wide holes that MS has built into their products. It doesn't matter how many buffer overflows you fix (they claimed they were all fixed - not so) or how you partition memory - when you give execute privileges to code downloaded from the web you're bypassing all of those "security" restrictions. Am I being clear enough here? Microsoft has built into their operating systems services and programs which download and execute code from the internet. Everything else is useless when you leave this door wide open.
Sure, all operating systems are subject to having their bugs be exploited. But it appears that Windows is the only one which has these "come screw me" doors wide open - can they be closed? By the average user? Sheesh.
You aren't accepting incoming arguments, if you were running on bare metal I'd accept that there are no incoming arguments, but you're returning 0, so you're obviously not running on bare metal or there would be nothing to return to. One of those things is a bug, take your pick.
You also forgot to terminate the printf statement with a newline/carriage return or whatever fits the OS it's for, which on some OSes will result in the line not appearing even though it does get printed.
It may not crash, but yes, it's broken and buggy by my standards. You should probably not act like such a cocky fuck if you plan on doing any job interviews.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Yeah.
That said, it often makes very little difference when some idiot runs a PHP webapp full of holes on the webserver.
Once the attacker has exploited your webapp, they may not even need or care to escalate privileges - they probably can already get what they want. Even better if the webapp has the rights to access your crown jewels in a DB somewhere.
Many applications such as Oracle, Apache, Tomcat etc. typically run as SYSTEM on Windows, and as their own users on Unix.
So, many cross platform applications have bad security defaults when installed on Windows, but good defaults when installed on Unix. That sounds more like a frame job than bad security on Microsoft's part. The Microsoft equivalents (SQL Server and IIS) are configured properly by default. I'll bet that like IIS, at least two of the three don't run user threads as SYSTEM.