Hot Potato Exploit Gives Attackers the Upper Hand On Multiple Windows Versions
An anonymous reader writes: By chaining together a series of known Windows security flaws, researchers from Foxglove Security have discovered a way to break into almost all of Microsoft's recent versions of Windows. The exploit, named Hot Potato, relies on three different types of attacks, some of which were discovered back at the start of the new millennium, in 2000. Going through these exploits one by one may take attackers from minutes to days, but if successful, the attacker can elevate an application's permissions from the lowest rank to system-level privileges. All of these security flaws have been left unpatched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system.
Mr. Potato Head has gone to the dark side, becoming Hot Potato and joining forces with Evil Bernie and Evil Ernie to rule the world. One Windows machine at a time.
Thousands of slashdotters have a simultaneous joygasm.
I really feel sorry for those locked in to that OS; every day it seems there is a new problem with their security, and maybe MS should break backwards compatibility and fix that shit. While they are at it they can scrap the other crap added too; no one in their right mind will willingly use an OS that spies on them, regardless of whether it helps MS see why things break. Anyway, it's not my problem; I've been MS-free for years.
http://chimpbox.us
The last millennium ended Dec 31, 2000 - in my time zone.
>by patching them, the company would effectively break compatibility between the different versions of their operating system.
Since when did MS seriously worry about compatibility between versions? They're trying to force everyone onto W10 and who cares what breaks ... !
...that Windows needs to be compatible with software that relies on security holes.
At least that's what I take from this statement.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You can't get "root" from grub; the best you can do is boot the computer. FFS, brain-dead people, they should all be shot.
Spinal Tap forever!
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Whatever you do, for the love of god, don't give us a broad outline of attack vectors, who might be vulnerable, or attack mitigation practices.
They put a lot of effort into backwards compatibility in each version. They've been known to create "shims" to duplicate previous undocumented/buggy behavior that a particular app depends on that get loaded for just that app, because they know that if you update windows and your app stops working, it's not the app using unsupported functionality that's gonna get blamed.
NVM, it's me that should be shot. I read the above as a statement and not a question, and the answer is no, you can't remote to grub(2), so no backspacing. Just to note that it was patched before it even made headlines; all you could do is boot a PC, and you had to be local. Of course, from local grub(2) you can gain root by just adding a "1" to the boot stanza and getting single user mode, same as safe mode on Windows, and you have to be sitting at the PC to be able to do it. As we all know, if you get physical access to any PC it's game over.
Since when did MS seriously worry about compatibility between versions?
They made a huge effort in Windows95. You can read about it here (though they've changed somewhat too). Quote:
Raymond Chen writes, "I get particularly furious when people accuse Microsoft of maliciously breaking applications during OS upgrades. If any application failed to run on Windows 95, I took it as a personal failure. I spent many sleepless nights fixing bugs in third-party programs just so they could keep running on Windows 95."
"First they came for the slanderers and i said nothing."
They put a lot of effort into backwards compatibility in each version.
That's an urban legend. When I worked there, I didn't hear of any effort at all made for backwards compatibility, except for a few tools we used internally. We just didn't give a damn about it, and that's why Windows is so horrific at it.
For example, the company I work for now uses 29 pieces of official software, and 26 of them have at least minor problems on Windows 7 or newer. They all work fine on Vista, so we're stuck with Vista. We've even offered a bounty* for anyone that can get Lotus 2.3 to run. On Windows 10, when you run 123.EXE, it displays the message "This app can't run on your PC." Even right clicking on the file in Exploder, Properties, Compatibility tab, Compatibility Mode then Windows 95 doesn't help. That option doesn't seem to do anything on the ~50 different programs I've tried it on. Microsoft doesn't give a damn about backwards compatibility.
* We have six hundred thousand legal documents in Lotus that we can't convert to other formats because there's just too much paging and formatting problems. OpenOffice is damn good, but it isn't perfect. Obviously with that many files and with having to run Vista or older on all of our computers means we're willing to pay quite a stiff bounty to anyone that can help us solve this Microsoft-created problem without resorting to running a vm.
DOS ain't done 'till Lotus won't run.
I've had several applications work by setting a compatibility mode. Ha! My anecdote beats your anecdote! Take that!
Microsoft doesn't give a damn about backwards compatibility.
No doubt that's why we can still use the same API calls sixteen years later...
Hot Potato Exploit
Name me one potato exploit that isn't hot.
systemd is Roko's Basilisk.
"All of these security flaws have been left unpatched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system".
Because that is far more important than security.
"Windows, The Compatible Family: All Members Are Equally Vulnerable - And In The Same Way!!!"
I am sure that there are many other solipsists out there.
They put a lot of effort into press releases, brochures and presentations about backwards compatibility in each version.
FTFY.
I've had several applications work by setting a compatibility mode. Ha! My anecdote beats your anecdote! Take that!
So you think it works because it worked a few times while it didn't work hundreds of times for someone else? Do you work QA for Microsoft?
Q: Since when did abattoirs care about inducing stress in doomed cattle walking the ramp?
A: Ever since Temple Grandin showed them it was the easiest way to get the cattle to enter the building with the least effort in the most desirable condition.
I've been following Microsoft since forever.
True story: I went to a local homebrew meeting in the late seventies (I live on the Canadian side of the Pacific Northwest) and people were muttering already (during an especially boring presentation) about this kid in Seattle who had already made himself a MILLION dollars.
Bill, being somewhat autistic himself, fully understood everything Grandin knows about cattle from day one.
Microsoft has devoted more gut-busting work behind the scenes into greasing the skids of eternal lock-in than any other computer company that has ever existed.
The problem they create for themselves in this regard is almost impossible to truly fathom. The "choke off the competitive air supply" side of their business model means rushing into every burgeoning market with the shallowest piece of shit that ticks boxes. How they even manage to back-fill these products to the state of "almost works" lies well beyond my technical comprehension.
Make no mistake about it, Microsoft is the gemstone-encrusted Swiss watchmaker of the polished turd.
The reason Microsoft talks about "innovation" until they are blue in the face is because they really don't want to talk in public about the technically daunting process by which their sausage is actually made.
Well, it assumes an awful lot. But I think they are saying they can, for example, spoof a ton of responses to any machine that MIGHT be about to connect to you, and thus gain some privilege escalation from that conversation. Quite how they get higher than the privileges assigned to the user making those requests isn't clear, but it sounds like it could be possible.
But they even think SMB signing might defeat it, but haven't finished looking into that (which is suggestive that it does indeed defeat it, to be honest).
The fake WPAD responses? I don't know about you, but my WPAD data is given out by my DHCP server, not by anything else, and I believe that overrides most things. It's then double-set by a GPO and a DNS entry too. You'd have to be in my network faking DHCP or able to override GPO settings, and that's quite a way past what you need to be able to attack me anyway (P.S. my network switches will go ape-shit and cut you off if you do that).
They seem to be claiming that when something makes a request from the network for a WPAD query, they can fake every possible response until whatever was asking takes the FAKE response as genuine. That might well cause a machine to switch a proxy. But it would seem by that point to be already inside the network and able to do an awful lot worse damage anyway.
"Extended Protection for Authentication" is the mitigation for "the last stage of the attack" (where they are already spoofing WPAD settings and intercepting all web access from the machine in question, and just attack NTLM authentication via that for services that still try to use NTLM and WPAD entries). That was introduced in XP and Vista, by the way. I think by that point, you're fucked anyway.
I'm more interested in quite how something gets to do things like take up EVERY UDP socket on your system without otherwise cocking up and giving you tons of warnings elsewhere, and then manages to be in the line of fire for replying to a WPAD setting that's overridden by other browsers, by GPO, by DHCP settings, etc. and then use that to suddenly send all your requests to... yourself it looks like, and try to defeat NTLM auth.
It seems like one of these "LOOK HOW DANGEROUS" attacks that, although technically they aren't lying when they say they've got it to work on all these things, requires a combination of circumstances so extraordinary that you're already fucked before they start sending a packet.
The biggest problem I have? Minus some keywords that are pure filler in this article, there isn't a single mention of this that I can find anywhere else on a search engine. Literally, it's all regurgitated press releases with the same phrasing, ALL pointing to the same article. Yet it was supposedly released a while ago.
And the only thing we can apparently do about it at the moment is enable an option that breaks shit and only combats the very last stage, where it's already game over and they get to choose from a myriad of services that might trigger an NTLM-authenticated HTTP connection using a given WPAD proxy (which I imagine can't be that hard to find in major pieces of software or other areas of Windows).
Wait for a fix, or at least a decent analysis, but I wouldn't really go into a panic.
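As an added example (not from this post, and not Foxglove Security's code), a small Python detector for the pattern the post describes: one source answering a single name query with "every possible response", i.e. many different transaction IDs in a short window, and answers that point the querying machine at itself. The record layout and the sample values are constructed assumptions, not the output of any particular sniffer.

```python
"""Flag name-resolution response floods of the kind the post describes.

A legitimate responder answers one query with one transaction ID; a spoofer
that does not know the ID the victim used must send many guesses.  The
records below are constructed for this example (assumed field layout).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NbnsResponse:
    ts: float        # capture time in seconds
    src_ip: str      # host that sent the response
    dst_ip: str      # host the response was addressed to
    txid: int        # 16-bit transaction ID the response claims to answer
    name: str        # NetBIOS name being answered, e.g. "WPAD"
    answer_ip: str   # address the response resolves the name to


def nbns_flood_sources(records, window=2.0, min_distinct_txids=32):
    """Return {(src_ip, NAME): distinct_txid_count} for every source that
    answered the same name with at least `min_distinct_txids` different
    transaction IDs inside any `window`-second span."""
    by_key = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_key[(r.src_ip, r.name.upper())].append(r)

    flagged = {}
    for key, rs in by_key.items():
        start = 0
        for end in range(len(rs)):
            # slide the window so rs[start:end+1] spans at most `window` seconds
            while rs[end].ts - rs[start].ts > window:
                start += 1
            txids = {r.txid for r in rs[start:end + 1]}
            if len(txids) >= min_distinct_txids:
                flagged[key] = max(flagged.get(key, 0), len(txids))
    return flagged


def self_pointing_answers(records):
    """Responses that resolve the name to the very host that asked.  The post
    describes the spoofed WPAD proxy ending up pointing at the victim itself,
    which a legitimate infrastructure responder has no reason to do."""
    return [r for r in records if r.answer_ip == r.dst_ip]


def constructed_sample():
    # Constructed data: one legitimate reply for WPAD, then a burst of 200
    # replies from another host that cycles through transaction IDs and
    # points the victim (10.0.0.20) back at itself.
    recs = [NbnsResponse(0.0, "10.0.0.5", "10.0.0.20", 0x1A2B, "WPAD", "10.0.0.5")]
    recs += [
        NbnsResponse(1.0 + i * 0.001, "10.0.0.99", "10.0.0.20", i, "wpad", "10.0.0.20")
        for i in range(200)
    ]
    return recs


if __name__ == "__main__":
    sample = constructed_sample()
    for (src, name), count in nbns_flood_sources(sample).items():
        print(f"flood: {src} answered {name} with {count} distinct transaction IDs")
    print(f"self-pointing answers: {len(self_pointing_answers(sample))}")
```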
If it didn't give you admin access in safe mode, how would you fix it? Regardless, if you're at the PC physically it doesn't matter.
Yes, it is worth remembering that the entire reason Microsoft included backwards compatibility was because users demanded it.
The reason OS/2 failed is because it didn't include backwards compatibility, despite being a better operating system.
Had to go back 20 years to find an example so the point stands.
And yet the only actual counter-example that has been given by anybody so far is Lotus 1-2-3 version 2.3, which predates Windows 95 by four years.
I still run a 32-bit Windows 7 system as a games PC so I can run old games. I have been amazed to find games from Windows 95 era work, and been blown away when I found some old Windows 3.1 programs and tried them for a laugh only to find that they too worked.
Of course, these wouldn't work on a 64-bit version of Windows, since they lost the ability to run 16-bit applications. But I don't think that you can say that they are not serious about backwards compatibility simply because they no longer run programs from 2 decades ago.
You can still easily find lots of programs that no longer work, but who is to say that this is just sloppy work from Microsoft instead of the programs themselves doing something that was outside the official documentation, or just stupid things like self-modifying code or programs that assume they have administrator-level access to resources.
For more modern examples of backwards compatibility features in Windows, how about Vista's *File and Registry Virtualization*, which, for example, redirects file writes under Program Files to the user's "AppData\Local\VirtualStore\Program Files" folder so old programs that blindly write config and log files alongside their programs will still work. Then there is the ever-growing WinSxS folder full of old versions of DLLs to maintain backwards compatibility. Windows 7 did away with some of the old cruft by making single DLLs that responded to multiple versions.
With all that going on in different versions, it makes me wonder about the truthfulness of the Anonymous Cowards who supposedly worked at Microsoft and who have been claiming that they had never heard backwards compatibility being mentioned there.
That's an urban legend. When I worked there,
You are using appeal to authority and you are not doing a very good job at it.
CD C:\windows\WinSxS
Dir *CRT*
That whole directory is *designed* for backwards compat. If you fire up Windows 7, fully patched, you can see no less than 3 full copies of Media Player.
To get 123.exe to work on Windows 10 will take a bit of work and a bit of copying. You need the old DLLs and a manifest. You will need something like Dependency Walker and something like Process Explorer. Use those on the old copy of Vista, then write down which DLLs are running there, then copy them to the same directory as 123.exe. The method that loads DLLs looks in the local dir first, then the path. In the background, WinSxS is tricking your app into running other things from the path. You're welcome; go claim your bounty.
Microsoft doesn't give a damn about backwards compatibility.
That could be more true now. But https://blogs.msdn.microsoft.c... where he talks about security ABOVE backwards compat.
Win10 does seem to be missing lots of the older DLLs. That is a *good* thing. But the older DLLs do work. It is going to take a bit more work though.
I'm going to stay away from ad hominem, because it's not useful, but you pretty clearly haven't done even a little bit of research into the problem. If you get that error running a DOS program, you're likely trying to run it on a 64-bit version of the OS. This is a well-known issue (if you even want to call it an issue, because it's advertised as such) and the compatibility modes are only for 32-bit Windows programs. If the rest of your 50 programs are also DOS, I'd expect as much.
If you need to run a DOS application, and a VM isn't an option, use a 32-bit version of Windows 10. For funsies I found a copy of Lotus 1-2-3 (2.2, as it happens, because that was what I had handy; I don't expect 2.3 to run differently) and tried it on my 32-bit Windows 10 laptop, and it ran fine. Even ran in a window.
Drop me a line and I'll be happy to claim my bounty ;)
So it sounds like you didn't work in the app compat group. MS is a big beast of an organization so it's forgivable to not know everything. They do have an entire group devoted to this. That's what the whole compatibility mode is for.
The main use I've found for it is for games that came out in that time between Direct3D and Windows 2000 that assume that Windows NT == No Direct3D and pop up a "This program doesn't support Windows NT" error. Setting them to Win95/98 compatibility mode makes them work just fine. I can think of Viper Racing for one, and it helps Grand Prix Legends' graphics work better. On the other hand, Homeworld works better in NT 4.0 mode because it disables the slightly buggy-on-new-Windows DirectX and forces it into OpenGL mode, which works great.
In more recent times I've had it help with a couple utilities and tweaks like Mute on Lock that break with Windows 7's (and Vista's?) updated audio engine.
I can't think of too many things I've tried it on that haven't worked, really. Most of the complaints I've seen about it are people trying to run DOS or 16-bit Windows apps on 64-bit Windows, which isn't going to work no matter how many compatibility modes you try.
With all that going on in different versions, it makes me wonder about the truthfulness of the Anonymous Cowards who supposedly worked at Microsoft and who have been claiming that they had never heard backwards compatibility being mentioned there.
There's an AC who's been posting here for a while who somehow seems to be an expert on every subject. If it's a story about medicine, he says "I'm a doctor and..." If it's a story about law, he says, "I'm a lawyer and..." If it's a story about child abuse, he says, "I was abused as a child and..." But if you read the post carefully, there are frequently mistakes that draw the claims into question...
"First they came for the slanderers and i said nothing."
@Anonymous Coward: "Linus Torvalds has repeatedly said he doesn't give a SHIT about security. Say what you want about Windows, but at least Microsoft cares about the security of their products. What kind of a loser still uses Linux given their lax attitude to their own customers?" ref
Dear Mr. Anonymous Troll, do you have any verifiable citation to support your typings?
Really? Lotus 1-2-3 2.2 runs fine in dosemu on Linux. Earlier versions had copy protection on disk and won't run without the hardware, but 2.2 onward should run without copy protection.
Pay bounty money to get someone to port a spreadsheet to the 21st century...!
That's an urban legend. When I worked there, I didn't hear of any effort at all made for backwards compatibility, except for a few tools we used internally. We just didn't give a damn about it, and that's why Windows is so horrific at it.
I guess the former co-worker that previously wrote shims at MS all the way up until she left there in 2012 was all in my imagination, then.
Please stand clear of the doors, por favor mantenganse alejado de las puertas
Windows safe mode gives you the same login options as a regular boot, just with minimal stuff loaded. On some versions (XP at least; I don't feel like rebooting my Win7 box to check it) you'll also have the normally-hidden Administrator account visible. This can be a problem for computers on domains: if you boot in pure safe mode and have a domain admin, getting logged in can be problematic. This is where Safe Mode with Network Support comes in handy.
Gotcha, I should have remembered that, it's been a long time :D
I can tell you I couldn't use 2008 "legacy" API calls in 2008R2, so I call bullshit.
The cesspool just got a check and balance.
Bill didn't care about backwards compatibility, or rather, he cared that things weren't backwards compatible at all. See Office95's release and complete lack of interoperation with previous versions across all platforms, including Windows. Yep, backwards compatibility indeed.
Funny. Windows 95 drivers that refused to install due to an OS version check in the installer worked perfectly fine after switching compatibility mode on... and Win7 having a WinXP virtual machine seamlessly built in ... but I guess your one instance means they don't care at all.
Score one more for MS
Linus did say that security is not the end-all be-all of Linux.
"Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about."
Which is not to say that it's insecure; given that it runs on more devices than any other OS, any exploits would be huge. I'm not really sure how Windows security measures up these days, but I get the impression that the typical Windows install has a greater amount of exposed moving parts.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
For all those idiot shit-faces moderating this Informative, try reading "The Old New Thing" blog by Raymond Chen. He actually works for MS, and he details many instances of Windows backwards compatibility work.
Thanks for filling the previous poster in, but that rather highlights a real problem, because this is where Windows really shines: messages that don't give you a hint about how to proceed, where to find more information, or which program even posted the message or wants permission, or notices posted underneath windows, unseen.
That's an urban legend.
There was a code leak from Windows about 5 years ago that was very heavily analysed. Among the discoveries was that the coding style was very neat and convention quite good, comments were average, but among the leak were several such "urban legends" intended to ensure a software update kept certain programs working, one of them even called out a specific Symantec product in the comments.
messages that don't give you a hint about how to proceed
The modern message does.
This app can't run on your PC
To find a version for your PC, check with the software publisher
Which is quite accurate. It won't even run in that configuration so the obvious answer is to check with the maker of the software and find a version that does work, not changing the OS. A more verbose error message describing the bits of the software and the bits of the OS is not going to be of any use to 99.999% of windows users out there.
Windows 7 actually had a very VERY long error message complete with information about the 32-bit or 64-bit version and asked users to check their System Information, whatever the heck that is ... It's too hard. "Your software is ancient, talk to the vendor" is the appropriate response. It's up to the vendor to answer those kinds of questions.
Lotus 2.3 is old. Really, really old. As in 1991 old. We are talking about the DOS version, right? Didn't Lotus go straight to version 4 on Windows? I don't remember exactly... I never worked in a Lotus shop. There are versions released for Windows into the 2000s, with support ending a couple of years ago. I'm going to go out on a limb and ask if you've tried updating to those versions? In theory you could chain together a series of format conversions to get to a modern spreadsheet, like Excel or OpenOffice.
Alternately, running dedicated instances under VMware to get app-specific backward compatibility might work.
Sticking with 25 year old versions of software for mission critical applications sounds like a really, really bad idea. I'd say that paying to fix up any formatting problems every time you need to touch one is a better option than keeping around Vista for your entire network. Or failing that, setting up a dedicated box (or boxes) for people to remote into whenever they need one of the offending docs. Allowing people to open, update and save changes in a 25 year old version of Lotus just feels like a huge mistake. "Resorting to running a VM" isn't that big of a deal. Certainly not nearly as big of a deal as keeping an entire company locked into an obsolete version of the OS for .... well, I was going to put "forever", but realistically it should be "until the inevitable crash that either forces a painful and expensive upgrade or bankrupts the company".
I don't envy you the task. It sounds very much like an old circus act keeping a bunch of plates spinning.
Lotus 1-2-3 2.x is a DOS application. There're no DLLs, manifests, etc. except for NTVDM, which as we already know doesn't exist in the 64-bit Windows world and as far as I know no one has hacked in. It'll need to be run either in a VM (whether a "light" one like DOSBox or a full one like VirtualBox or VPC) or on a 32-bit version of Windows, where it'll run just fine as-is.
This is a tough balance to find, and one you often see Slashdotters (such as the post below this currently) erring on the wrong side because we like verbose error messages that tell us exactly how to fix things. Whether we like it or not, computers are used by far more Joe Users than geeks, and being told to check system information because they may need x86 or x64 is only going to lead to the "Computers are hard, I'll never figure them out" thought. I've seen a lot of discussion on oldnewthing and similar about whether an operating system should have an "advanced mode" that includes more detailed errors and such, but in general the risk of someone who shouldn't be in there getting it turned on is deemed a risk.
I don't claim to be a UI designer, so I don't really have a solution. My attempts at little webapps and things for work have mostly been middlin' at best, interface wise :)
https://support.microsoft.com/...
...still runs on Win10 (32-bit). I tested an application from 1993 and it works fine; I must say this is impressive ;)
"Science will win because it works." - Stephen Hawking
If you haven't tried already, use a 32-bit version of Windows 7 or Windows 10. It's likely that "123.exe" is a 16-bit application. Alternatively, with Windows 7 you could use XP Mode; its integration feature allows you to create a desktop icon in the host OS. The downside to XP Mode is that it's a per-user setup and it isn't available in Windows 8 and later. Another option is DOSBox.