Slashdot Mirror


Windows Vulnerable To 'Token Kidnapping' Attacks

cuppa+tea writes "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7."

37 of 126 comments

  1. Re:About Software by iammani · · Score: 4, Interesting

    Really? Can you find a bug in this...

    #include <stdio.h>
    int main()
    {
            printf("hello, world");
            return 0;
    }

  2. Yes by XanC · · Score: 5, Insightful

    It doesn't do anything useful.

    1. Re:Yes by Windwraith · · Score: 4, Funny

      No, but it's polite, it's greeting the world. You are so insensitive!

    2. Re:Yes by pspahn · · Score: 2, Insightful

      Demonstrating "hello world" is useful to someone new to programming.

      --
      Someone flopped a steamer in the gene pool.
    3. Re:Yes by Anonymous Coward · · Score: 2, Interesting

      This is completely correct. A bug isn't simply a coding error but a design error. Programming takes an abstract concept and makes it concrete in a formal language. This involves filling in all the details -- which is quite a lot more than non-programmers think. How should the program behave if it runs out of resources, the user inputs incorrect information, an external system provides incorrect information, or an operating system error occurs; what should the performance characteristics be; details of statecharts and sequences; security; and many more details that I have missed. All of these require trade-offs that also require engineering time. Omitting important factors is just as bad, sometimes worse, and a lot more prevalent, than coding errors.

      In general, users don't care if a feature doesn't work because of a programming mistake or because it isn't implemented. If a feature doesn't work, they are both the same.

    4. Re:Yes by davester666 · · Score: 5, Insightful

      Well, attacking this specific program has all kinds of possibilities. stdlib hasn't exactly been bug-free over the years, and depending on the environment, other libraries may get automatically loaded into the address space, and those can possibly be attacked. Then there is the infamous 'cc' hack, which automatically added a backdoor when you compiled specific programs.

      Just because you [the programmer] haven't typed in a large amount of code doesn't mean your program has fewer possibilities for bugs and/or attack vectors.

      --
      Sleep your way to a whiter smile...date a dentist!
  3. Windows Vulnerable To 'Token Kidnapping' Attacks by omar.sahal · · Score: 2, Insightful

    if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in default configuration you will be able to fully compromise the Windows server.

    So don't use Microsoft products and you're safer!!! To be fair to Microsoft, their products have been steadily improved over the years. Their products are now acceptable in regards to competitors.

    • win 95, usability of GUI
    • win xp, stability of software, less crashes
    • xp service pack 2, and vista, security (security was not optional in vista; you had to develop your code in a more secure way, and ignoring these guidelines was not overlooked for compatibility with older versions of software, which caused many problems with programs breaking due to incompatibility)
    • windows 7, all the above and smaller foot print when installed
  4. Re:About Software by Anonymous Coward · · Score: 5, Insightful

    Yep. It buggers up the prompt.

      printf("hello, world\n"); /*is better*/

    *This message was compiled with -pedantic.

  5. Re:About Software by Post-O-Matron · · Score: 2

    You forgot the exclamation mark.

  6. Re:About Software by ckdake · · Score: 5, Insightful

    I don't know the last time I looked at everything in stdio.h for problems so it's tough to say...

  7. Re:Apple replies by $RANDOMLUSER · · Score: 3, Funny

    Actually, that's a pretty good analogy, as it makes Windows the fat, ugly chick with 17 enumerable STDs.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  8. "... by any user with impersonation rights." by n0-0p · · Score: 4, Informative

    That should be the first thing anyone familiar with Windows architecture notices. It means that it's an escalation from an account that's already running at elevated privilege (at least, it is on Vista and beyond).

    So, it's definitely a security bug. But it seems like a disproportionate amount of noise for a local privilege escalation requiring higher than normal privilege to start with.

    1. Re:"... by any user with impersonation rights." by toadlife · · Score: 3, Insightful

      Worker processes in IIS have impersonation rights, via the "NetworkService" account, so this could be an issue if a vulnerability in IIS or a widely used third party product (like PHP maybe?) on IIS is exploited.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:"... by any user with impersonation rights." by Anonymous Coward · · Score: 2, Informative

      if you run IIS you may as well just post your admin password and social security number on your homepage

      Really? Try a little comparison exercise:
      IIS6: http://secunia.com/advisories/product/1438/
      IIS7: http://secunia.com/advisories/product/17543/
      Apache 2.2.x: http://secunia.com/advisories/product/9633/

      In the 7 years Secunia has listed online, IIS6 has 10 vulnerabilities, IIS7.x has 3, Apache 2.2.x has 19

    3. Re:"... by any user with impersonation rights." by TheLink · · Score: 2, Insightful

      Yeah.

      That said, it often makes very little difference when some idiot runs a PHP webapp full of holes on the webserver.

      Once the attacker has exploited your webapp, they may not even need or care to escalate privileges - they probably can already get what they want. Even better if the webapp has the rights to access your crown jewels in a DB somewhere.

      --
  9. Re:About Software by Lord+Juan · · Score: 2, Funny

    Really? Can you find a bug in this...

      #include <stdio.h>
      int main()
      {
            printf("hello, world");
            return 0;
      }

    But Microsoft did not write that routine, had they done it, it would read something like:

    #include <stdio.h>
    int main()
    {
            printf("hello, world");
            get_administrative_privileges();
            collapse_system();
            return 0;
    }

  10. Re:Apple replies by Blink+Tag · · Score: 3, Informative

    Modded flamebait? After MSFT's recent comments regarding iPhone4 being Apple's "Vista", I found the comment rather funny.

  11. Re:Apple replies by bsDaemon · · Score: 2, Insightful

    See, your analogy breaks down because it relies on a fat, ugly girl having had sex enough to catch 17 diseases. That just doesn't seem real to me.

  12. Re:About Software by DAldredge · · Score: 5, Funny

    You aren't checking the return status of printf.

  13. Re:Apple replies by Bengie · · Score: 3, Insightful

    I actually remember quite a few times in the past when Linux had root elevation exploits. The Linux community just replied with "don't let people you don't trust have console access".

    And some quotes from the above link

    "regular Windows users can’t exploit them"

    "if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in *default* configuration"

    It's bad, but not *as* horribly bad as the title suggests.

    A properly locked down Windows machine should have been mostly immune to this anyway.

    I still love how *nix naturally allows individual services to run under different users while Windows defaults to more of a blanket user to access everything. Windows is better than it used to be, but still not quite there.

  14. Re:Apple replies by $RANDOMLUSER · · Score: 2, Funny

    Windows has shown it will let ANYBODY fuck it. Low self-esteem and all.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  15. Re:About Software by buanzo · · Score: 3, Insightful

    You, sir, deserve my respect. People sometimes forget that the bug can be outside the source they're writing, but on the code they're calling.

    --
    Buanzo Consulting - 15 Years of GNU/Linux experience, for you.
  16. Re:About Software by greg_barton · · Score: 4, Interesting

    Considering I once performed a security audit and found that the lead developer for the client had rewritten printf so it had damaging side effects...yes...

  17. Re:About Software by gringer · · Score: 3, Insightful

    You're including an external file ('stdio.h'), which could be replaced by anything. A malicious person with access to that file could change the declaration for the printf statement to call an external function (or just add code into the header file), and then you're screwed.

    Thinking about this makes me wonder if that's not a standard thing to do. No one checks stdio.h, right?

    --
    Ask me about repetitive DNA
  18. Re:About Software by rudy_wayne · · Score: 2, Funny

    Really? Can you find a bug in this...

    #include <stdio.h>
    int main()
    {
            printf("hello, world");
            return 0;
    }

    Yes. You left out goatse.cx

  19. optimistic by Twillerror · · Score: 4, Informative

    Lately the security bugs I've seen are making me feel good.

    Sounds weird I know, but it just seems like they are getting more and more bizarre.

    Even the flash and PDF stuff makes me feel that we are starting to go into left field for vectors. The security industry is putting itself out of work...

    Where will we be in 5 years...probably in a relatively safe world.

    I mean heck, this thing says "If you can upload an ASPX file you can take over the system". That means we are worrying about how to protect against inside jobs, not general problems.

    When was the last major worm anyways?

  20. Old News by dzr0001 · · Score: 2, Insightful

    I suppose the article does say "more than a year..." but this is really old news. http://www.argeniss.com/research/TokenKidnapping.pdf was published in the summer of 08.

  21. Re:About Software by FrangoAssado · · Score: 2, Informative

    The file inclusion is done at compile time. Presumably, whoever is compiling the code has a good system (otherwise, the possibilities are much worse than what you describe: the compiler might be hacked, for example).

    Moreover, in this particular instance, the file is included with '#include <stdio.h>' (as opposed to '#include "stdio.h"'), which means the compiler will look for it first in the system include directories (e.g., /usr/include). This means that, if whoever compiles the code is being attacked this way, their system is already compromised.

  22. Re:Apple replies by Kaboom13 · · Score: 2, Informative

    Windows does allow services to run as different users. It has since at least Windows 2000, probably since NT. Services that interact with the network by default log in as network service, which has limited permissions compared to the local system account. In a locked down environment (i.e. an internet facing or DMZ server) you can use even more restricted accounts. A poorly configured Linux server is easy to exploit, in the same way a poorly configured Windows server is easy to exploit. The only difference is there's a larger pool of people with jobs as Windows administrators without the skills and knowledge to back it up. As Linux becomes ever more popular, expect to see the same thing happen to it.

  23. Re:Apple replies by drsmithy · · Score: 2, Informative

    I still love how *nix naturally allows individual services to run under different users [...]

    There's nothing "natural" about it. You don't need to go far back in history at all to find the majority of services on a UNIX machine running as root.

  24. Re:About Software by BitZtream · · Score: 2, Insightful

    You aren't accepting incoming arguments, if you were running on bare metal I'd accept that there are no incoming arguments, but you're returning 0, so you're obviously not running on bare metal or there would be nothing to return to. One of those things is a bug, take your pick.

    You also forgot to terminate the printf statement with a newline/carriage return or whatever fits the OS it's for, which on some OSes will result in the line not appearing even though it does get printed.

    It may not crash, but yes, it's broken and buggy by my standards. You should probably not act like such a cocky fuck if you plan on doing any job interviews.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  25. Re:Apple replies by TheRaven64 · · Score: 2, Interesting

    You also don't have to go back too far to find a time when the phrase 'UNIX security' had the same sorts of connotations as 'military intelligence'. People who used systems like VMS laughed at it, as a concept. Windows NT adopts the VMS security model, but unfortunately hides it behind a UI that wants to pretend that everything is like DOS. Security, in most cases, is a usability problem. It's easy to make a secure system. It's hard to make a usable system. It's much harder to make a secure, usable, system.

    --
    I am TheRaven on Soylent News
  26. Re:About Software by TheLink · · Score: 2, Interesting

    Seriously though, what are you going to do if printf fails? Log to a file? What if that fails? Log an error message to syslog? Then what if that fails too?

    At a certain point of time it's a waste of time and resource to add extra checks.

    In this case the target user would likely notice if printf fails to produce output and deal with it accordingly.

    If printf produces output and still fails for some strange reason, the user is unlikely to care.

    A professional way is to document it. "NOTE: in some cases printf may fail and the program not produce the desired output", buy the customer dinner and get them to sign off on everything.

    --
  27. Re:Apple replies by Rubinstien · · Score: 2, Interesting

    Thank you for your, as usual, rational observation.

    Unix-derived OS's are only recently gaining proper fine-grained security controls, and most are still hacks, IMHO. Newer Linux has "capabilities" that allow one to mark a binary as allowed to use certain privileges, such as CAP_NET_BIND_SERVICE, but this can't be used with *scripts* due to the fact that it is the *interpreter* that would need the privilege (*bad* idea to always give it to the interpreter). Solaris 10 has user privileges such as net_privaddr, which is closer to the VMS way, but in my experience it is easier to get a customer to install a script that starts the web server as root than it is to get them to create a user for that specific purpose and type 'usermod -K defaultpriv=basic,net_privaddr webservd'. Often the customer admin'ing the box is just the most technically competent user, with the job dumped into his lap, rather than a "real" admin who understands that job. He's OK with things he's been asked to do before, and suspicious of anything he's never seen or does not understand. It's even difficult to get other developers to understand half of this stuff (tried unsuccessfully with ACLs a while back, for example, and they interact poorly enough with "standard" Unix file security to frustrate people with 30+ years of Unix experience).

    The other issue is a complete lack of consistency between Unix variants on how any of this stuff is enabled, configured, managed, or audited. Unless you have a lot of programming and testing resources at your disposal, developers need to limit themselves to those things they can rely on having as "standard" across the platforms supported. The company I work for supports 3 Unix variants, and tests on more than that. Even something as simple as querying directory services is a cross-platform mess, and security-related issues are a whole new weed patch. Of course, VMS did not have this issue to deal with, but that OS is at least consistent from top to bottom. Anytime I have to do anything security-related on Unix I cringe and wish I was working with VMS again (when will Unix get installed images? http://hoffmanlabs.org/vmsfaq/vmsfaq_007.html [AIX almost has this -- equivalent to /SHAREABLE] ).

    Even VMS is not invulnerable. The last exploit I know of was verified in 2008.

  28. Re:Apple replies by Jaime2 · · Score: 2, Insightful

    Many applications such as Oracle, Apache, Tomcat etc. typically run as SYSTEM on Windows, and as their own users on Unix.

    So, many cross platform applications have bad security defaults when installed on Windows, but good defaults when installed on Unix. That sounds more like a frame job than bad security on Microsoft's part. The Microsoft equivalents (SQL Server and IIS) are configured properly by default. I'll bet that like IIS, at least two of the three don't run user threads as SYSTEM.

  29. Re:Apple replies by shutdown+-p+now · · Score: 2, Informative

    Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas have "download code from the web and execute it" at their heart and are wide open to exploits.

    ActiveX - ever heard of .xpi? Yeah, that pops up a prompt when you install it; so does ActiveX. And .xpi can contain native code (which many people don't even realize).

    Windows Media does not "download code from the web". It's just a browser plugin, like MPlayer or VLC plugins.

    Unless what you mean is that it can download codecs from the Net from a central repository (after popping up a confirmation dialog) - which e.g. Rhythmbox and Totem also do in Ubuntu, though those go through the centralized package system.

    Windows Update - it's identical to a package management system in any Linux distro, except that it's bare-bones and for MS products only. In terms of "downloading code from the web", its attack surface is exactly the same - code comes from a centralized server.

  30. Re:Apple replies by Jaime2 · · Score: 2, Informative

    SQL only runs as SYSTEM if you change the service account settings during install (in other words, not by default). Shell commands are not available unless the server is specifically configured for them using the "Surface Area Configuration Tool". Running as SYSTEM by default was fixed fourteen years ago and xp_cmdshell was disabled by default five years ago.

    IIS improved seven years ago, not recently. Regardless of the reason for improvement, it did improve. IIS 6 and 7 both have excellent security records and both have a sound architecture.

    Microsoft's far from perfect, but you've been holding a grudge for fourteen years. Did they eat your children?
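The threads above keep returning to the same defensive question: which accounts do services actually run under, and does the token you are sitting on hold the impersonation privileges the advisory depends on (comment 8 and its replies, comments 22, 28 and 30)? The PowerShell below is an added example, not code from the thread, from Microsoft or from the researcher; it audits those three things on the local Windows host. The account names (LocalSystem, NT AUTHORITY\NetworkService, NT AUTHORITY\LocalService), the privilege names SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, `whoami /priv`, the Win32_Service class and the WebAdministration module are standard Windows components; the three function names are this example's own.

```powershell
# Added example (not from the original thread): audit service identities and
# impersonation-related privileges on the local Windows host.
# Function names are hypothetical names chosen for this example.

function Get-ServiceIdentityReport {
    # Built-in identities the thread discusses; LocalSystem and the two
    # NT AUTHORITY service accounts all carry impersonation rights.
    $builtIn = @('LocalSystem', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, State, StartName, PathName,
            @{ Name = 'BuiltInIdentity'; Expression = { $_.StartName -in $builtIn } } |
        Sort-Object BuiltInIdentity -Descending
}

function Test-ImpersonationPrivileges {
    # 'whoami /priv /fo csv' emits the columns "Privilege Name", "Description", "State"
    # for the token of the current process; a disabled privilege is still held and
    # can be enabled by the process, so both states matter here.
    $watch = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Privilege Name' -in $watch } |
        Select-Object 'Privilege Name', State
}

function Get-AppPoolIdentities {
    # Comment 28 states IIS worker processes do not run as SYSTEM by default;
    # this checks each application pool's identity on IIS 7+ via the
    # WebAdministration module and is skipped where IIS is not installed.
    if (-not (Get-Module -ListAvailable -Name WebAdministration)) {
        Write-Warning 'WebAdministration module not available; skipping IIS app pool check.'
        return
    }
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        [pscustomobject]@{
            AppPool      = $_.Name
            IdentityType = $_.processModel.identityType
            UserName     = $_.processModel.userName
            RunsAsSystem = ($_.processModel.identityType -eq 'LocalSystem')
        }
    }
}

# Report: whose token this is, which impersonation privileges it holds,
# which services run under a built-in identity, and how IIS pools are configured.
"Token owner: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Test-ImpersonationPrivileges | Format-Table -AutoSize
Get-ServiceIdentityReport | Where-Object { $_.BuiltInIdentity } | Format-Table -AutoSize
Get-AppPoolIdentities | Format-Table -AutoSize
```

Run it from an elevated prompt to see the IIS provider (IIS:\ requires administrator rights); run it unelevated, or from within a service's own security context, to see what that token actually holds. A service whose StartName is a dedicated low-privilege account rather than one of the three built-in identities is the configuration comment 22 describes for locked-down hosts, and an IIS pool reporting anything other than LocalSystem matches the default comment 28 relies on.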