Slashdot Mirror


Windows Vulnerable To 'Token Kidnapping' Attacks

cuppa+tea writes "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7."

16 of 126 comments

  1. Re:About Software by iammani · · Score: 4, Interesting

    Really? Can you find a bug in this...

    #include <stdio.h>
    int main()
    {
            printf("hello, world");
            return 0;
    }

  2. Yes by XanC · · Score: 5, Insightful

    It doesn't do anything useful.

    1. Re:Yes by Windwraith · · Score: 4, Funny

      No, but it's polite, it's greeting the world. You are so insensitive!

    2. Re:Yes by davester666 · · Score: 5, Insightful

      Well, attacking this specific program has all kinds of possibilities. stdlib hasn't exactly been bug-free over the years, and depending on the environment, other libraries may get automatically loaded into the address space, and those can possibly be attacked. Then there is the infamous 'cc' hack, which automatically added a backdoor when you compiled specific programs.

      Just because you [the programmer] haven't typed in a large amount of code doesn't mean your program has fewer possibilities for bugs and/or attack vectors.

      --
      Sleep your way to a whiter smile...date a dentist!
  3. Re:About Software by Anonymous Coward · · Score: 5, Insightful

    Yep. It buggers up the prompt.

      printf("hello, world\n"); /*is better*/

    *This message was compiled with -pedantic.

  4. Re:About Software by ckdake · · Score: 5, Insightful

    I don't know the last time I looked at everything in stdio.h for problems so it's tough to say...

  5. Re:Apple replies by $RANDOMLUSER · · Score: 3, Funny

    Actually, that's a pretty good analogy, as it makes Windows the fat, ugly chick with 17 enumerable STDs.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  6. "... by any user with impersonation rights." by n0-0p · · Score: 4, Informative

    That should be the first thing anyone familiar with Windows architecture notices. It means that it's an escalation from an account that's already running at elevated privilege (at least, it is on Vista and beyond).

    So, it's definitely a security bug. But it seems like a disproportionate amount of noise for a local privilege escalation requiring higher than normal privilege to start with.

    1. Re:"... by any user with impersonation rights." by toadlife · · Score: 3, Insightful

      Worker processes in IIS have impersonation rights, via the "NetworkService" account, so this could be an issue if a vulnerability in IIS or a widely used third party product (like PHP maybe?) on IIS is exploited.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
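  The two comments above turn on which accounts actually hold "impersonation rights" on a given host. The following PowerShell is an added example, not code from the thread or from the researcher's talk: it exports the local user-rights policy with secedit, resolves the SIDs assigned SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, and then shows whether the current token already has either right. The temp file path is the only assumed value; it needs an elevated prompt.

```powershell
# Added example (not from the Slashdot thread): list which principals on this host hold the
# privileges that "impersonation rights" boils down to, SeImpersonatePrivilege and
# SeAssignPrimaryTokenPrivilege. Run from an elevated prompt on the host being reviewed.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch path, not a Windows default
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
$lines  = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($priv in $wanted) {
    # Policy lines look like:  SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
    $line = $lines | Where-Object { $_ -match "^\s*$priv\s*=" } | Select-Object -First 1
    if (-not $line) { Write-Output "$priv : not assigned to anyone"; continue }

    # Right-hand side is a comma-separated list of "*SID" tokens; resolve each to an account name.
    $holders = (($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # leave SIDs that do not resolve (orphaned accounts) as-is
    }
    Write-Output ("{0} : {1}" -f $priv, ($holders -join ', '))
}

# Show whether the *current* process token already carries either right. On an IIS worker
# process (NetworkService) this is the starting condition the comment above describes.
whoami /priv | Select-String 'SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege'
```

  Service accounts that appear in the first listing but do not need to impersonate clients are candidates for having the right removed via the local or domain user-rights policy.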
  7. Re:Apple replies by Blink+Tag · · Score: 3, Informative

    Modded flamebait? After MSFT's recent comments regarding iPhone4 being Apple's "Vista", I found the comment rather funny.

  8. Re:About Software by DAldredge · · Score: 5, Funny

    You aren't checking the return status of printf.

  9. Re:Apple replies by Bengie · · Score: 3, Insightful

    I actually remember quite a few times in the past when Linux had root elevation exploits. The Linux community just replied with "don't let people you don't trust have console access".

    And some quotes from the above link

    "regular Windows users can’t exploit them"

    "if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in *default* configuration"

    It's bad, but not *as* horribly bad as the title suggests.

    A properly locked down Windows machine should have been mostly immune to this anyway.

    I still love how *nix naturally allows individual services to run under different users while Windows defaults to more of a blanket user to access everything. Windows is better than it used to be, but still not quite there.

  10. Re:About Software by buanzo · · Score: 3, Insightful

    You, sir, deserve my respect. People sometimes forget that the bug can be outside the source they're writing, but on the code they're calling.

    --
    Buanzo Consulting - 15 Years of GNU/Linux experience, for you.
  11. Re:About Software by greg_barton · · Score: 4, Interesting

    Considering I once performed a security audit and found that the lead developer for the client had rewritten printf so it had damaging side effects...yes...

  12. Re:About Software by gringer · · Score: 3, Insightful

    You're including an external file ('stdio.h'), which could be replaced by anything. A malicious person with access to that file could change the declaration for the printf statement to call an external function (or just add code into the header file), and then you're screwed.

    Thinking about this makes me wonder if that's not a standard thing to do. No one checks stdio.h, right?

    --
    Ask me about repetitive DNA
  13. optimistic by Twillerror · · Score: 4, Informative

    Lately the security bugs I've seen are making me feel good.

    Sounds weird I know, but it just seems like they are getting more and more bizarre.

    Even the flash and PDF stuff makes me feel that we are starting to go into left field for vectors. The security industry is putting itself out of work...

    Where will we be in 5 years...probably in a relatively safe world.

    I mean heck, this thing says "If you can upload an ASPX file you can take over the system". That means we are worrying about how to protect against inside jobs, not general problems.

    When was the last major worm anyways?