Slashdot Mirror


Hot Potato Exploit Gives Attackers the Upper Hand On Multiple Windows Versions

An anonymous reader writes: By chaining together a series of known Windows security flaws, researchers from Foxglove Security have discovered a way to break into almost all of Microsoft's recent versions of Windows. The exploit, named Hot Potato, relies on three different types of attacks, some of which were discovered back at the start of the new millennium, in 2000. Going through these exploits one by one may take attackers from minutes to days, but if successful, the attacker can elevate an application's permissions from the lowest rank to system-level privileges. All of these security flaws have been left unpatched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system.

18 of 127 comments

  1. Was bound to happen... by __aaclcg7560 · · Score: 2, Funny

    Mr. Potato Head has gone to dark side, becoming Hot Potato and joining forces with Evil Bernie and Evil Ernie to rule the world. One Windows machine at a time.

  2. Re:because in windows broken security is a feature by chipschap · · Score: 2

    >by patching them, the company would effectively break compatibility between the different versions of their operating system.

    Since when did MS seriously worry about compatibility between versions? They're trying to force everyone onto W10 and who cares what breaks ... !

  3. Nice by Anonymous Coward · · Score: 3, Insightful

    Whatever you do, for the love of god, don't give us a broad outline of attack vectors, who might be vulnerable, or attack mitigation practices.

  4. Re:because in windows broken security is a feature by suutar · · Score: 4, Informative

    They put a lot of effort into backwards compatibility in each version. They've been known to create "shims" to duplicate previous undocumented/buggy behavior that a particular app depends on that get loaded for just that app, because they know that if you update windows and your app stops working, it's not the app using unsupported functionality that's gonna get blamed.

  5. Re:because in windows broken security is a feature by phantomfive · · Score: 4, Interesting

    Since when did MS seriously worry about compatibility between versions?

    They made a huge effort in Windows95. You can read about it here (though they've changed somewhat too). Quote:

    Raymond Chen writes, "I get particularly furious when people accuse Microsoft of maliciously breaking applications during OS upgrades. If any application failed to run on Windows 95, I took it as a personal failure. I spent many sleepless nights fixing bugs in third-party programs just so they could keep running on Windows 95."

    --
    "First they came for the slanderers and i said nothing."
  6. Re:because in windows broken security is a feature by Anonymous Coward · · Score: 5, Informative

    They put a lot of effort into backwards compatibility in each version.

    That's an urban legend. When I worked there, I didn't hear of any effort at all made for backwards compatibility, except for a few tools we used internally. We just didn't give a damn about it, and that's why Windows is so horrific at it.

    For example, the company I work for now uses 29 pieces of official software, and 26 of them have at least minor problems on Windows 7 or newer. They all work fine on Vista, so we're stuck with Vista. We've even offered a bounty* for anyone that can get Lotus 2.3 to run. On Windows 10, when you run 123.EXE, it displays the message "This app can't run on your PC." Even right clicking on the file in Exploder, Properties, Compatibility tab, Compatibility Mode then Windows 95 doesn't help. That option doesn't seem to do anything on the ~50 different programs I've tried it on. Microsoft doesn't give a damn about backwards compatibility.

    * We have six hundred thousand legal documents in Lotus that we can't convert to other formats because there are just too many paging and formatting problems. OpenOffice is damn good, but it isn't perfect. Obviously, with that many files and having to run Vista or older on all of our computers, we're willing to pay quite a stiff bounty to anyone that can help us solve this Microsoft-created problem without resorting to running a vm.

  7. Re:because in windows broken security is a feature by Etherwalk · · Score: 2, Insightful

    Microsoft doesn't give a damn about backwards compatibility.

    No doubt that's why we can still use the same API calls sixteen years later...

  8. Sounds sexy by wonkey_monkey · · Score: 2

    Hot Potato Exploit

    Name me one potato exploit that isn't hot.

    --
    systemd is Roko's Basilisk.
  9. Re:I really feel sorry by Bert64 · · Score: 2

    Backwards compatibility is what's keeping them in business, if you're going to break backwards compatibility you are better off just going straight to linux.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  10. Re:RTFA by ledow · · Score: 5, Interesting

    Well, it assumes an awful lot. But I think they are saying they can, for example, spoof a ton of responses to any machine that MIGHT be about to connect to you, and thus gain some privilege escalation from that conversation. Quite how they get higher than the privileges assigned to the user making those requests isn't clear, but it sounds like it could be possible.

    But they even think SMB signing might defeat it, but haven't finished looking into that (which is suggestive that it does indeed defeat it, to be honest).

    The fake WPAD responses? I don't know about you, but my WPAD data is given out by my DHCP server, not by anything else, and I believe that overrides most things. It's then double-set by a GPO and a DNS entry too. You'd have to be in my network faking DHCP or able to override GPO settings and that's quite a way past what you need to be able to attack me anyway (P.S. my network switches will go ape-shit and cut you off if you do that).

    They seem to be claiming that when something makes a request from the network for a WPAD query, they can fake every possible response until whatever was asking takes the FAKE response as genuine. That might well cause a machine to switch a proxy. But it would seem by that point to be already inside the network and able to do an awful lot worse damage anyway.

    "Extended Protection for Authentication" is the mitigation for "the last stage of the attack" (where they are already spoofing WPAD settings and intercepting all web access from the machine in question, and just attack NTLM authentication via that for services that still try to use NTLM and WPAD entries). That was introduced in XP and Vista, by the way. I think by that point, you're fucked anyway.

    I'm more interested in quite how something gets to do things like take up EVERY UDP socket on your system without otherwise cocking up and giving you tons of warnings elsewhere, and then manages to be in the line of fire for replying to a WPAD setting that's overridden by other browsers, by GPO, by DHCP settings, etc. and then use that to suddenly send all your requests to... yourself it looks like, and try to defeat NTLM auth.

    It seems like one of these "LOOK HOW DANGEROUS" attacks that, although technically they aren't lying when they say they've got it to work on all these things, requires a combination of circumstances so extraordinary that you're already fucked before they start sending a packet.

    The biggest problem I have? Minus some keywords that are pure filler in this article, there isn't a single mention of this that I can find anywhere else on a search engine. Literally, it's all regurgitated press releases with the same phrasing, ALL pointing to the same article. Yet it was supposedly released a while ago.

    And the only thing we can apparently do about it at the moment is enable an option that breaks shit and only combats the very last stage, where it's already game over and they get to choose from a myriad of services that might trigger an NTLM-authenticated HTTP connection using a given WPAD proxy (which I imagine can't be that hard to find in major pieces of software or other areas of Windows).

    Wait for a fix, or at least a decent analysis, but I wouldn't really go into a panic.
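
The comment above names the three things a defender can actually check against this chain: whether SMB signing is required, whether Extended Protection for Authentication has been turned off, and whether WPAD is answered by something trustworthy (DHCP, GPO, DNS) before a client falls back to broadcast name resolution, which is the part an attacker on the box or the segment can answer (in Hot Potato that fallback is NetBIOS Name Service; that detail is from the Foxglove writeup, not this thread). The following read-only audit script is an added example, not code from the thread, Slashdot or Foxglove. It reads the documented Microsoft registry locations for those settings; the hostname "wpad", the assumption that the box runs Windows 8/2012 or later (for Resolve-DnsName) with PowerShell 5.1 or later (for the service StartType property), and the OK/WEAK thresholds are the author's assumptions. It does not query DHCP option 252.

```powershell
# Added example: audit the NTLM-relay / WPAD-spoofing mitigations discussed above
# on the local host. Read-only; no elevation needed for the HKLM reads.
# Assumptions: Windows 8/2012+ (Resolve-DnsName), PowerShell 5.1+ (StartType).

function Get-RegValue {
    # Returns $null when the key or value is absent, i.e. "not configured".
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Invoke-RelayMitigationAudit {
    $findings = @()

    # 1. SMB signing. A relayed NTLM handshake cannot be used against a server
    #    that *requires* signing, because the relay never learns the session key.
    #    Check both the server (LanmanServer) and the client (LanmanWorkstation).
    foreach ($side in 'LanmanServer', 'LanmanWorkstation') {
        $req = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$side\Parameters" 'RequireSecuritySignature'
        $findings += [pscustomobject]@{
            Check  = "SMB signing required ($side)"
            Value  = $req
            Status = if ($req -eq 1) { 'OK' } else { 'WEAK' }
        }
    }

    # 2. Extended Protection for Authentication (channel binding for NTLM/Kerberos,
    #    KB 968389). 0 or absent = enabled (default); any non-zero value suppresses it.
    $epa = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'SuppressExtendedProtection'
    $findings += [pscustomobject]@{
        Check  = 'Extended Protection not suppressed'
        Value  = $epa
        Status = if ($null -eq $epa -or $epa -eq 0) { 'OK' } else { 'WEAK' }
    }

    # 3. NetBIOS over TCP/IP per interface. NetbiosOptions 2 = disabled. With it
    #    enabled, a name that DNS cannot resolve (e.g. "wpad") is broadcast, and
    #    anyone on the segment, or a process on the host, can answer.
    $ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in (Get-ChildItem -Path $ifaceRoot -ErrorAction SilentlyContinue)) {
        $opt = Get-RegValue $iface.PSPath 'NetbiosOptions'
        $findings += [pscustomobject]@{
            Check  = "NetBIOS disabled ($($iface.PSChildName))"
            Value  = $opt
            Status = if ($opt -eq 2) { 'OK' } else { 'WEAK' }
        }
    }

    # 4. WPAD for non-browser clients is performed by the WinHTTP auto-proxy
    #    service. If it is disabled, a spoofed "wpad" answer has no taker there.
    $svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check  = 'WinHTTP Web Proxy Auto-Discovery service'
        Value  = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'absent' }
        Status = if ($svc -and $svc.StartType -eq 'Disabled') { 'OK' } else { 'REVIEW' }
    }

    # 5. Does "wpad" resolve through real DNS? A genuine A record (like a DHCP
    #    option 252, which this script does not query) means clients get a
    #    legitimate answer and never fall back to broadcast resolution.
    try {
        $a = Resolve-DnsName -Name 'wpad' -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
        $wpad = if ($a) { $a.IPAddress -join ',' } else { 'no A record' }
    } catch {
        $wpad = 'no DNS answer (client may fall back to NBNS/LLMNR)'
    }
    $findings += [pscustomobject]@{ Check = 'wpad DNS A record'; Value = $wpad; Status = 'INFO' }

    return $findings
}

Invoke-RelayMitigationAudit | Format-Table -AutoSize
```

Anything reported as WEAK maps directly onto a stage of the chain as described above: NetBIOS enabled plus no DNS answer for wpad is the spoofable name lookup, a non-zero SuppressExtendedProtection removes the channel binding that the comment calls the mitigation for the last stage, and unsigned SMB is what lets a relayed NTLM handshake be replayed at all. The script only reads; turning any of these on is a change-managed decision because, as the thread notes, the compatibility cost is real.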

  11. Re: because in windows broken security is a featur by Gadget_Guy · · Score: 2

    Had to go back 20 years to find an example so the point stands.

    And yet the only actual counter-example that has been given by anybody so far is Lotus 1-2-3 version 2.3, which predates Windows 95 by four years.

    I still run a 32-bit Windows 7 system as a games PC so I can run old games. I have been amazed to find games from Windows 95 era work, and been blown away when I found some old Windows 3.1 programs and tried them for a laugh only to find that they too worked.

    Of course, these wouldn't work on a 64-bit version of Windows, since they lost the ability to run 16-bit applications. But I don't think that you can say that they are not serious about backwards compatibility simply because they no longer run programs from 2 decades ago.

    You can still easily find lots of programs that no longer work, but who is to say that this is just sloppy work from Microsoft instead of the programs themselves doing something that was outside the official documentation, or just stupid things like self-modifying code or programs that assume they have administrator-level access to resources.

    For more modern examples of backwards compatibility features in Windows, how about Vista's *File and Registry Virtualization*, which, for example, redirects file writes under Program Files to the users "AppData\Local\VirtualStore\Program Files" folder so old programs that blindly write config and log files alongside their programs will still work. Then there is the ever-growing WinSxS folder full of old versions of DLLs to maintain backwards compatibility. Windows 7 did away with some of the old cruft by making single DLLs that responded to multiple versions.

    With all that going on in different versions, it makes me wonder about the truthfulness of the Anonymous Cowards who supposedly worked at Microsoft and who have been claiming that they had never heard backwards compatibility being mentioned there.

  12. Re:because in windows broken security is a feature by Scoth · · Score: 4, Interesting

    I'm going to stay away from ad hominem, because it's not useful, but you pretty clearly haven't done even a little bit of research into the problem. If you get that error running a DOS program, you're likely trying to run it on a 64-bit version of the OS. This is a well-known issue (if you even want to call it an issue, because it's advertised as such) and the compatibility modes are only for 32-bit Windows programs. If the rest of your 50 programs are also DOS, I'd expect as much.

    If you need to run a DOS application, and a VM isn't an option, use a 32-bit version of Windows 10. For funsies I found a copy of Lotus 1-2-3 (2.2, as it happens, because that was what I had handy. I don't expect 2.3 to run differently) and tried it on my 32-bit Windows 10 laptop and it ran fine. Even ran in a window.

    Drop me a line and I'll be happy to claim my bounty ;)

  13. Re: because in windows broken security is a featur by Scoth · · Score: 3, Interesting

    The main use I've found for it are for games that came out in that time between Direct3D and Windows 2000 that assume that Windows NT == No Direct3D and pop up a "This program doesn't support Windows NT" error. Setting them to Win95/98 compatibility mode makes them work just fine. I can think of Viper Racing for one, and it helps Grand Prix Legends' graphics work better. On the other hand, Homeworld works better in NT 4.0 mode because it disables the slightly buggy-on-new-Windows DirectX and forces it into OpenGL mode, which works great.

    In more recent times I've had it help with a couple utilities and tweaks like Mute on Lock that break with Windows 7's (and Vista's?) updated audio engine.

    I can't think of too many things I've tried it on that haven't worked, really. Most of the complaints I've seen about it are people trying to run DOS or 16-bit Windows apps on 64-bit Windows, which isn't going to work no matter how many compatibility modes you try.

  14. Re:Taking remote control of the keyboard by Scoth · · Score: 2

    Windows safe mode gives you the same login options as a regular boot, just with minimal stuff loaded. On some versions (XP at least; I don't feel like rebooting my Win7 box to check it) you'll also have the normally-hidden Administrator account visible. This can be a problem for computers on domains - if you boot in pure safe mode and have a domain admin, getting logged in can be problematic. This is where Safe Mode with Network Support comes in handy.

  15. Re:because in windows broken security is a feature by Gr8Apes · · Score: 2

    I can tell you I couldn't use 2008 "legacy" API calls in 2008R2, so I call bullshit.

    --
    The cesspool just got a check and balance.
  16. Re: because in windows broken security is a featu by Gr8Apes · · Score: 2

    Bill didn't care about backwards compatibility, or rather, he cared that things weren't backwards compatible at all. See Office95's release and complete lack of interoperation between previous versions across all platforms, including windows. Yep, backwards compatibility indeed.

    --
    The cesspool just got a check and balance.
  17. Re:because in windows broken security is a feature by nomentanus · · Score: 2

    Thanks for filling the previous poster in, but that rather highlights a real problem, because this is where Windows really shines: messages that don't give you a hint about how to proceed, where to find more information, which program even posted the message or wants permission, or posting notices underneath windows, unseen.

  18. Re:because in windows broken security is a feature by Gr8Apes · · Score: 2
    --
    The cesspool just got a check and balance.