Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hot Potato Exploit Gives Attackers the Upper Hand On Multiple Windows Versions

Posted by timothy on from the here-you-take-it dept.

An anonymous reader writes: By chaining together a series of known Windows security flaws, researchers from Foxglove Security have discovered a way to break into almost all of Microsoft's recent versions of Windows. The exploit, named Hot Potato, relies on three different types of attacks, some of which were discovered back at the start of the new millennium, in 2000. Going through these exploits one by one may take attackers from minutes to days, but if successful, the attacker can elevate an application's permissions from the lowest rank to system-level privileges. All of these security flaws have been left unpatched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system.

2 of 127 comments (clear)

  1. Re:because in windows broken security is a feature by Anonymous Coward · · Score: 5, Informative

    They put a lot of effort into backwards compatibility in each version.

    That's an urban legend. When I worked there, I didn't hear of any effort at all made for backwards compatibility, except for a few tools we used internally. We just didn't give a damn about it, and that's why Windows is so horrific at it.

    For example, the company I work for now uses 29 pieces of official software, and 26 of them have at least minor problems on Windows 7 or newer. They all work fine on Vista, so we're stuck with Vista. We've even offered a bounty* for anyone that can get Lotus 2.3 to run. On Windows 10, when you run 123.EXE, it displays the message "This app can't run on your PC." Even right clicking on the file in Exploder, Properties, Compatibility tab, Compatibility Mode then Windows 95 doesn't help. That option doesn't seem to do anything on the ~50 different programs I've tried it on. Microsoft doesn't give a damn about backwards compatibility.

    * We have six hundred thousand legal documents in Lotus that we can't convert to other formats because there's just too much paging and formatting problems. OpenOffice is damn good, but it isn't perfect. Obviously with that many files and with having to run Vista or older on all of our computers means we're willing to pay quite a stiff bounty to anyone that can help us solve this Microsoft-created problem without resorting to running a vm.

  2. Re:RTFA by ledow · · Score: 5, Interesting

    Well, it assumes an awful lot. But I think they are saying they can, for example, spoof a ton of responses to any machine that MIGHT be about to connect to you, and thus gain some privilege escalation from that conversation. Quite how they get higher than the privileges assigned to the user making those requests isn't clear, but it sounds like it could be possible.

    But they even think SMB signing might defeat it, but haven't finished looking into that (which is suggestive that it does indeed defeat it, to be honest).

    The fake WPAD responses? I don't know about you, by my WPAD data is given out by my DHCP server, not by anything else, and I believe that overrides most things. It's then double-set by a GPO and a DNS entry too. You'd have be in my network faking DHCP or able to override GPO settings and that's quite a way past what you need to be able to attack me anyway (P.S. my network switches will go ape-shit and cut you off if you do that).

    They seem to be claiming that when something makes a request from the network for a WPAD query, they can fake every possible response until whatever was asking takes the FAKE response as genuine. That might well cause a machine to switch a proxy. But it would seem by that point to be already inside the network and able to do an awful lot worse damage anyway.

    "Extended Protection for Authentication" is the mitigation for "the last stage of the attack" (where they are already spoofing WPAD settings and intercepting all web access from the machine in question, and just attack NTLM authentication via that for services that still try to use NTLM and WPAD entries). That was introduced in XP and Vista, by the way. I think by that point, you're fucked anyway.

    I'm more interested in quite how something gets to do things like take up EVERY UDP socket on your system without otherwise cocking up and giving you tons of warnings elsewhere, and then manages to be in the line of fire for replying to a WPAD setting that's overridden by other browsers, by GPO, by DHCP settings, etc. and then use that to suddenly send all your requests to... yourself it looks like, and try to defeat NTLM auth.

    It seems like one of these "LOOK HOW DANGEROUS" attacks that, although technically they aren't lying when they say they've got it to work on all these things, requires a combination of circumstances so extraordinary that you're already fucked before they start sending a packet.

    The biggest problem I have? Minus some keywords that are pure filler in this article, there isn't a single mention of this that I can find anywhere else on a search engine. Literally, it's all regurgitated press releases with the same phrasing, ALL pointing to the same article. Yet it was supposedly released a while ago.

    And the only thing we can apparently do about it at the moment is enable an option that breaks shit and only combats the very last stage, where it's already game over and they get to choose from a myriad of services that might trigger an NTLM-authenticated HTTP connection using a given WPAD proxy (which I imagine can't be that hard to find in major pieces of software or other areas of Windows).

    Wait for a fix, or at least a decent analysis, but I wouldn't really go into a panic.