Windows Vulnerable To 'Token Kidnapping' Attacks
cuppa+tea writes "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7."
It doesn't do anything useful.
Yep. It buggers up the prompt.
printf("hello, world\n"); /*is better*/
*This message was compiled with -pedantic.
I don't know the last time I looked at everything in stdio.h for problems so it's tough to say...
I actually remember quite a few times in the past when Linux had root elevation exploits. The Linux community just replied with "don't let people you don't trust have console access".
And some quotes from the above link
"regular Windows users can’t exploit them"
"if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in *default* configuration"
It's bad, but not *as* horribly bad as the title suggests.
A properly locked down Windows machine should have been mostly immune to this anyway.
I still love how *nix naturally allows individual services to run under different users while Windows defaults to more of a blanket user to access everything. Windows is better than it used to be, but still not quite there.
Worker processes in IIS have impersonation rights, via the "NetworkService" account, so this could be an issue if a vulnerability in IIS or a widely used third party product (like PHP maybe?) on IIS is exploited.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
You, sir, deserve my respect. People sometimes forget that the bug can be outside the source they're writing, but on the code they're calling.
Buanzo Consulting - 15 Years of GNU/Linux experience, for you.
You're including an external file ('stdio.h'), which could be replaced by anything. A malicious person with access to that file could change the declaration for the printf statement to call an external function (or just add code into the header file), and then you're screwed.
Thinking about this makes me wonder if that's not a standard thing to do. No one checks stdio.h, right?
Ask me about repetitive DNA