Slashdot Mirror


Hot Potato Exploit Gives Attackers the Upper Hand On Multiple Windows Versions

An anonymous reader writes: By chaining together a series of known Windows security flaws, researchers from Foxglove Security have discovered a way to break into almost all of Microsoft's recent versions of Windows. The exploit, named Hot Potato, relies on three different types of attacks, some of which were discovered back at the start of the new millennium, in 2000. Going through these exploits one by one may take attackers from minutes to days, but if successful, the attacker can elevate an application's permissions from the lowest rank to system-level privileges. All of these security flaws have been left unpatched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system.

4 of 127 comments

  1. Re:because in windows broken security is a feature by phantomfive · · Score: 4, Interesting

    Since when did MS seriously worry about compatibility between versions?

    They made a huge effort in Windows95. You can read about it here (though they've changed somewhat too). Quote:

    Raymond Chen writes, "I get particularly furious when people accuse Microsoft of maliciously breaking applications during OS upgrades. If any application failed to run on Windows 95, I took it as a personal failure. I spent many sleepless nights fixing bugs in third-party programs just so they could keep running on Windows 95."

    --
    "First they came for the slanderers and i said nothing."
  2. Re:RTFA by ledow · · Score: 5, Interesting

    Well, it assumes an awful lot. But I think they are saying they can, for example, spoof a ton of responses to any machine that MIGHT be about to connect to you, and thus gain some privilege escalation from that conversation. Quite how they get higher than the privileges assigned to the user making those requests isn't clear, but it sounds like it could be possible.

    But they even think SMB signing might defeat it, but haven't finished looking into that (which is suggestive that it does indeed defeat it, to be honest).

    The fake WPAD responses? I don't know about you, but my WPAD data is given out by my DHCP server, not by anything else, and I believe that overrides most things. It's then double-set by a GPO and a DNS entry too. You'd have to be in my network faking DHCP or able to override GPO settings and that's quite a way past what you need to be able to attack me anyway (P.S. my network switches will go ape-shit and cut you off if you do that).

    They seem to be claiming that when something makes a request from the network for a WPAD query, they can fake every possible response until whatever was asking takes the FAKE response as genuine. That might well cause a machine to switch a proxy. But it would seem by that point to be already inside the network and able to do an awful lot worse damage anyway.

    "Extended Protection for Authentication" is the mitigation for "the last stage of the attack" (where they are already spoofing WPAD settings and intercepting all web access from the machine in question, and just attack NTLM authentication via that for services that still try to use NTLM and WPAD entries). That was introduced in XP and Vista, by the way. I think by that point, you're fucked anyway.

    I'm more interested in quite how something gets to do things like take up EVERY UDP socket on your system without otherwise cocking up and giving you tons of warnings elsewhere, and then manages to be in the line of fire for replying to a WPAD setting that's overridden by other browsers, by GPO, by DHCP settings, etc. and then use that to suddenly send all your requests to... yourself it looks like, and try to defeat NTLM auth.

    It seems like one of these "LOOK HOW DANGEROUS" attacks that, although technically they aren't lying when they say they've got it to work on all these things, requires a combination of circumstances so extraordinary that you're already fucked before they start sending a packet.

    The biggest problem I have? Minus some keywords that are pure filler in this article, there isn't a single mention of this that I can find anywhere else on a search engine. Literally, it's all regurgitated press releases with the same phrasing, ALL pointing to the same article. Yet it was supposedly released a while ago.

    And the only thing we can apparently do about it at the moment is enable an option that breaks shit and only combats the very last stage, where it's already game over and they get to choose from a myriad of services that might trigger an NTLM-authenticated HTTP connection using a given WPAD proxy (which I imagine can't be that hard to find in major pieces of software or other areas of Windows).

    Wait for a fix, or at least a decent analysis, but I wouldn't really go into a panic.
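The comment above names the settings a defender would actually look at: SMB signing, Extended Protection for Authentication, and whether the box will go looking for a WPAD proxy at all. The script below is an added, read-only audit of those settings on a local Windows host; it is not part of the Slashdot thread or of the Foxglove write-up. The registry paths and the `TcpipNetbiosOptions` values are the documented Windows locations; the check names and the pass/fail interpretation are this script's own, and it assumes the spoofed name-resolution responses the comment refers to are NetBIOS Name Service responses, which is why NetBIOS over TCP/IP is included in the audit.

```powershell
# Added example: audit the Hot Potato mitigations discussed in the thread.
# Read-only; run in an elevated PowerShell prompt so HKLM reads succeed.

function Get-RegDword {
    # Returns the DWORD at $Path\$Name, or $null when the value is absent
    # (absent means the Windows default applies).
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. SMB signing on both sides (1 = signing required; 0/absent = not required).
$ws = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
$sv = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
$findings += [pscustomobject]@{ Check = 'SMB signing required (client)'; Value = $ws; Ok = ($ws -eq 1) }
$findings += [pscustomobject]@{ Check = 'SMB signing required (server)'; Value = $sv; Ok = ($sv -eq 1) }

# 2. Extended Protection for Authentication. SuppressExtendedProtection = 0
#    (or absent) means EPA is available to services that support it; 1 or 3
#    turns it off system-wide.
$epa = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'SuppressExtendedProtection'
$findings += [pscustomobject]@{ Check = 'EPA not suppressed (Lsa\SuppressExtendedProtection)'; Value = $epa; Ok = ($null -eq $epa -or $epa -eq 0) }

# 3. WinHTTP Web Proxy Auto-Discovery service. While it runs, system
#    components (not just the browser) will honour a discovered WPAD proxy.
$svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Check = 'WPAD auto-discovery service not running'; Value = $svc.Status; Ok = ($null -ne $svc -and $svc.Status -ne 'Running') }

# 4. NetBIOS over TCP/IP per IP-enabled adapter (assumption: the spoofed
#    name-resolution replies are NBNS). TcpipNetbiosOptions: 0 = from DHCP,
#    1 = enabled, 2 = disabled.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' | ForEach-Object {
    $findings += [pscustomobject]@{
        Check = "NetBIOS over TCP/IP disabled ($($_.Description))"
        Value = $_.TcpipNetbiosOptions
        Ok    = ($_.TcpipNetbiosOptions -eq 2)
    }
}

# Print the table and exit non-zero if any check failed, so the script can
# feed a scheduled compliance job.
$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```

The first three checks map onto the stages the comment describes: the name-resolution spoofing is blunted by turning off NetBIOS, the proxy hijack by not running WPAD discovery, and the final NTLM relay by SMB signing and EPA. A failing row is a finding, not proof of compromise; whether changing any of these breaks something on a given network is exactly the compatibility trade-off the thread is arguing about.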

  3. Re:because in windows broken security is a feature by Scoth · · Score: 4, Interesting

    I'm going to stay away from ad hominem, because it's not useful, but you pretty clearly haven't done even a little bit of research into the problem. If you get that error running a DOS program, you're likely trying to run it on a 64-bit version of the OS. This is a well-known issue (if you even want to call it an issue, because it's advertised as such) and the compatibility modes are only for 32-bit Windows programs. If the rest of your 50 programs are also DOS, I'd expect as much.

    If you need to run a DOS application, and a VM isn't an option, use a 32-bit version of Windows 10. For funsies I found a copy of Lotus 1-2-3 (2.2, as it happens, because that was what I had handy. I don't expect 2.3 to run differently) and tried it on my 32-bit Windows 10 laptop and it ran fine. Even ran in a window.

    Drop me a line and I'll be happy to claim my bounty ;)

  4. Re: because in windows broken security is a featur by Scoth · · Score: 3, Interesting

    The main use I've found for it is for games that came out in that time between Direct3D and Windows 2000 that assume that Windows NT == No Direct3D and pop up a "This program doesn't support Windows NT" error. Setting them to Win95/98 compatibility mode makes them work just fine. I can think of Viper Racing for one, and it helps Grand Prix Legends' graphics work better. On the other hand, Homeworld works better in NT 4.0 mode because it disables the slightly buggy-on-new-Windows DirectX and forces it into OpenGL mode, which works great.

    In more recent times I've had it help with a couple utilities and tweaks like Mute on Lock that break with Windows 7's (and Vista's?) updated audio engine.

    I can't think of too many things I've tried it on that haven't worked, really. Most of the complaints I've seen about it are people trying to run DOS or 16-bit Windows apps on 64-bit Windows, which isn't going to work no matter how many compatibility modes you try.