Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google, Microsoft Work Together For a Year To Figure Out New Type of Windows Flaw (arstechnica.com)

Posted by BeauHD on from the two-is-better-than-one dept.

Google researcher James Forshaw discovered a new class of vulnerability in Windows before any bug had actually been exploited. The involved parts of the flaw "showed that there were all the basic elements to create a significant elevation of privilege attack, enabling any user program to open any file on the system, regardless of whether the user should have permission to do so," reports Ars Technica. Thankfully, Microsoft said that the flaw was never actually exposed in any public versions of Windows, but said that it will ensure future releases of Windows will not feature this class of elevation of privilege. Peter Bright explains in detail how the flaw works. Here's an excerpt from his report: The basic rule is simple enough: when a request to open a file is being made from user mode, the system should check that the user running the application that's trying to open the file has permission to access the file. The system does this by examining the file's access control list (ACL) and comparing it to the user's user ID and group memberships. However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file. As well as this security check, there's a second distinction made: calls from user mode require strict parameter validation to ensure that any memory addresses being passed in to the function represent user memory rather than kernel memory. Calls from kernel mode don't need that same strict validation, since they're allowed to use kernel memory addresses.

Accordingly, the kernel API used for opening files in NT's I/O Manager component looks to see if the caller is calling from user mode or kernel mode. Then the API passes this information on to the next layer of the system: the Object Manager, which examines the file name and figures out whether it corresponds to a local filesystem, a network filesystem, or somewhere else. The Object manager then calls back in to the I/O Manager, directing the file-open request to the specific driver that can handle it. Throughout this, the indication of the original source of the request -- kernel or user mode -- is preserved and passed around. If the call comes from user mode, each component should perform strict validation of parameters and a full access check; if it comes from kernel mode, these should be skipped. Unfortunately, this basic rule isn't enough to handle every situation. For various reasons, Windows allows exceptions to the basic user-mode/kernel-mode split. Both kinds of exceptions are allowed: kernel code can force drivers to perform a permissions check even if the attempt to open the file originated from kernel mode, and contrarily, kernel code can tell drivers to skip the parameter check even if the attempt to open the file appeared to originate from user mode. This behavior is controlled through additional parameters passed among the various kernel functions and into filesystem drivers: there's the basic user-or-kernel mode parameter, along with a flag to force the permissions check and another flag to skip the parameter validation...

53 comments

  1. TL:DBR by Anonymous Coward · · Score: 0

    So Kernel mode privileges need to be limited to the Kernal and not userland. Gee. Security mind blown!

  2. Is anybody surprised? by Rosco+P.+Coltrane · · Score: 4, Insightful

    Unfortunately, this basic rule isn't enough to handle every situation. For various reasons, Windows allows exceptions to the basic user-mode/kernel-mode split

    Telemetry needs it, I suspect is 90% of the various reasons.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Is anybody surprised? by Anonymous Coward · · Score: 0

      Pfft, lol. It's like this because Windows permissions security throughout are a cobbled-together afterthought told by a joke. It has jack to do with telemetry.

    2. Re: Is anybody surprised? by Anonymous Coward · · Score: 0

      I read half of it just now. The other half was all the big words. Like kernel. Too big of a word. Or did I need to even bother since nobody has done this?

    3. Re:Is anybody surprised? by Anonymous Coward · · Score: 0

      Nope. I think nearly all of the "various reasons" boils down to: Microsoft can't code worth shit, and all they do is take shortcuts to "get it to work" without giving a flying fuck about security. It's been that way since their earliest days, and I don't expect it to change anytime soon.

    4. Re: Is anybody surprised? by Cmdln+Daco · · Score: 1

      Microsoft has always had security inside out. They began as a company intending to break the grip of the white-coated Computer Operators of old. Computers for everyone, no central control. Power for whomever has the hardware on their desk. This was liberating and made the surly old guard of Computer Operators upset.

      Microsoft extended their influence with their open design philosophy that any software written for their system should continue to work on later versions of their system. This sort of open design necessarily has to be permissive and let any old executable run.

      It has become a problem in the era of always connected systems. But it's really distorted historical revisionism to act like openness is a purely Microsoft 'problem.' The early UNIX hacker's culture also embraced this openness. Stallman and the early GNU hackers refused to put passwords on their accounts at MIT. Unix security in the early days was a running joke to anybody who knew.

      Still, smugness is rewarding as long as the delusion can be maintained and history ignored. Carry on.

    5. Re:Is anybody surprised? by Anonymous Coward · · Score: 0

      Meanwhile, Linux is racing ahead on vulnerabilities..

      https://www.cvedetails.com/top...

      Many eyes.. lols.

    6. Re:Is anybody surprised? by Krishnoid · · Score: 1

      Google, Microsoft Work Together

      I'm surprised enough that I almost spit tea all over my monitor.

    7. Re:Is anybody surprised? by drinkypoo · · Score: 1

      It could have just been in search of performance, like when they merged the Kernel and graphics memory spaces in NT4 (which had been separate in NT3.51) in pursuit of graphics performance.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Is anybody surprised? by gweihir · · Score: 1

      MS makes utterly stupid decision, different from what anybody competent has done before for this task, insecurity ensues. Nobody with a clue is surprised.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Is anybody surprised? by CODiNE · · Score: 1

      Maybe. This is a common type of bug that was prevalent in UNIX and Linux distributions a decade or so ago. Many bugs were found along a similar permissions boundary such as setuid and sudo. There have also been many privilege escalations connected to drivers and their interactions with user space calls with their APIs.

      As long as we continue to allow security researchers to do their work without legal trouble we can slowly root these out or at least make the findings so expensive it will be hard for criminals to get real value for them. It also raises the cost for nation-states and helps avoid overreach.

      --
      Cwm, fjord-bank glyphs vext quiz
    10. Re:Is anybody surprised? by Anonymous Coward · · Score: 0

      The Windows 10 Spy/Virus has too many flaws already...M$ doesn't need Google to help create more flaws!

    11. Re:Is anybody surprised? by Anonymous Coward · · Score: 0

      GFY to the deepest levels of hell. propaganda bs- even it it were true, it's manufactured. keep arguing for humanities future enslavement, sycophantic prick.

    12. Re:Is anybody surprised? by ayesnymous · · Score: 1

      Cobbled together is exactly right. So many directories in Windows have permissions directly applied to them - sometimes they are exactly the same as the parent, so why not just inherit the permissions from the parent? And when the permissions are different, there doesn't seem to be any reason to be different from the parent.

    13. Re: Is anybody surprised? by Anonymous Coward · · Score: 0

      Nope. Stallman did not refuse to put paswords on their accounts.

      And another false one was that unix security was a running joke.

      Unix did have a lot of break ins - but mostly of people using the same password as on other systems that DID have a joke for security. One such was TOPS-10, the password was stored in accounting files in sixbit planetext.... I showed my instructor how to get his password from an accounting file - and that fact told him that the hacks of the NSTL were coming from the PDP-10 running TOPS-10 that was also used there.

      Unix had better security than most of the commercial operating systems - excluding only MULTICS.

    14. Re:Is anybody surprised? by Anonymous Coward · · Score: 0

      Why is this insightful? It's just some idiot talking out his ass, demonstrating his complete lack of understanding of what telemetry is.

    15. Re:Is anybody surprised? by Anonymous Coward · · Score: 0

      aww.. did I trigger you?

      meanwhile, countless Linux powered websites are getting rooted and defaced.. daily..

    16. Re:Is anybody surprised? by Anonymous Coward · · Score: 0

      "aww.. did I trigger you?"

      yea... and you seam to be still trying... but point for you- I was a bit drunk and being hyperbolic/ridiculous... what are these websites you speak of, being defaced daily? just bait?

    17. Re: Is anybody surprised? by Cmdln+Daco · · Score: 1

      Stallman and his friends refused to put passwords on their accounts.

  3. So basically... by 110010001000 · · Score: 0

    ....the code is a mess.

    1. Re: So basically... by Anonymous Coward · · Score: 0

      what happened to you? so much hate and racism.

    2. Re: So basically... by Cmdln+Daco · · Score: 1

      Does anybody even bother to read this crapflooding? It's just noise, to route around like dog feces on the sidewalk.

  4. "various reasons" by Kunedog · · Score: 2

    Unfortunately, this basic rule isn't enough to handle every situation. For various reasons, Windows allows exceptions to the basic user-mode/kernel-mode split. Both kinds of exceptions are allowed: kernel code can force drivers to perform a permissions check even if the attempt to open the file originated from kernel mode, and contrarily, kernel code can tell drivers to skip the parameter check even if the attempt to open the file appeared to originate from user mode.

    IIRC, Microsoft broke UAC long ago by allowing its own software to "auto-elevate" without asking. Are those the kind of reasons we're talking about?

    1. Re:"various reasons" by Anonymous Coward · · Score: 0

      "The kind of" = yes, sorta, vaguely. In reality that has nothing to do with it.

    2. Re:"various reasons" by Anonymous Coward · · Score: 0

      UAC isn't a security barrier. It's a way to allow WinXP (and earlier) apps to be usable in an environment where users don't run everything as an administrator.

      If your app requires administrative access, the user has to allow it. If your app doesn't have a legitimate need to be admin, hopefully your users will prod you to fix it so they don't have to keep seeing the elevation prompt. And you can't just write a program that clicks the "OK" button to avoid having to actually fix your program.

      dom

    3. Re:"various reasons" by DarkOx · · Score: 1

      They also broke it by not switching to the secure desktop to take inputs. Granted for malware to take advantage and be able to actually send events to the UAC window; it pretty much has to have elevated already but still... The Vista solution was more secure if more annoying. Microsoft gets into trouble because they make some many exceptions to their own rules.

      As you point out with the auto-elevate of their own stuff (also all their own stuff is allowed by default applocker configs) they move the security boundary out from the kernel to basically include any user space executable with a MS signature on it. That is a A LOT of attack surface. Sure it makes the system way more usable but its sloppy approach and we have seen its had significant negative security implications now in the real world.

      Had they stuck to their guns on the design and made a very limited white list of specific executable verified by secure hash or maybe re-signed with a special cert for only core components or something and rigorously audited any items that got that special accommodation for any potential user controllable command execution things would probably be fine.

      Instead we have a situation where attackers can use msbuild to run about any code they want; oh and it turns out you can use certutil much like the old debug.exe to make an executable if your clever...

      I don't know maybe it was all a conspiracy to keep the A/V vendors in business.

       

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  5. Hermione enjoyed centaur gangbangs by Anonymous Coward · · Score: 0

    - J K R

    1. Re: Hermione enjoyed centaur gangbangs by Anonymous Coward · · Score: 0

      To be fair who doesn't?

    2. Re: Hermione enjoyed centaur gangbangs by Anonymous Coward · · Score: 0

      The centaurs who had to bang Hermione?

  6. Speaking of kernels by Anonymous Coward · · Score: 0

    *gets popcorn*

  7. kernel defined by goombah99 · · Score: 3, Funny

    kernel /krnl/
    noun: kernel;
    plural noun: kernels

            A softer, usually edible part of a nut, seed, or fruit stone contained within its hard shell.

    In computer science this refers to the inner composition of edibles found in vending machines, such as the filling in a twinkie. For example, in an M&M peanut candy the peanut is the Kernel, and the candy coating it the usermode.
    Kernel's are not always nuts, in computer science, For example, In raisenets the raisin is the kernel and imiatation choclate coating is the userland.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  8. Permission bits explained by goombah99 · · Score: 2

    An example of permission bits in computer science vending machine food is the tootsie roll. The operating system specifies that the user may not access the tootsie roll center in less than ten licks but there's nothing that stops a rogue driver from biting it after three licks.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re: Permission bits explained by Cmdln+Daco · · Score: 1

      Tootsie rolls are all soft core. You meant to describe a Tootsie Pop, with a hard sugar-candy sucker shell over a Tootsie Roll center.

    2. Re: Permission bits explained by goombah99 · · Score: 2

      My bad. Right you are. Especially the rootbeer flavored candy shells. Mmmmmm

      --
      Some drink at the fountain of knowledge. Others just gargle.
  9. Re: Nice job by all involved by Anonymous Coward · · Score: 0

    Gates would have found it a long time ago, fixed it himself, and gone to every customer personally to apologize and comp the license of their choice. Just sayin

  10. "Leaky abstraction" by Anonymous Coward · · Score: 0

    This is called a leaky abstraction. Clearly the design is to separate the privileges of usermode from the privileges of the kernel, but for "various reasons" this abstraction isn't maintained. Things that shouldn't be in the kernel are there for performance reasons. Things that should be in the kernel are probably delegated to usermode for flexibility. Thus the workarounds begin and as usual functionality > security. Holes are punched into the separation of privileges.

    1. Re:"Leaky abstraction" by Anonymous Coward · · Score: 0

      leaky abstraction is what the vulnerability is called, the exploit has long been
      referred to as a confused deputy exploit. Where you hook into a program with
      service permissions you don't have to elevate your privilege level through it.

    2. Re: "Leaky abstraction" by spongman · · Score: 1

      âoeVarious reasonsâ are bugs in the drivers. Itâ(TM)s quite clear in the article.

  11. Telemetry needs it, I suspect is 90% by Anonymous Coward · · Score: 0

    I suspect that the impending EOL of standard win7 is a larger part of that 90%. There was very little 'meat' in the OP. More like a loud worldwide suggestion/enticement/challenge to malware creators. The end result is to force people to 'upgrade'. The newest windows are not vulnerable...wink.

  12. Linux Too by Anonymous Coward · · Score: 0

    Reminds me of this: accessing user-space data from the kernel is tricky. It's good to see they're working harder to resolve this issue, regardless of the OS.

  13. Why securityâ(TM)s a mess in 1 sentence... by Anonymous Coward · · Score: 0

    âoeThe kernelâ should be âoea kernelâ and should, with a few limited exceptions, only have access via hardware/software/mathematically-enforced controls to anything. Itâ(TM)s ridiculous that for mainstream OSâ(TM)s you still basically have to trust your software AND the OS and hardware. Weâ(TM)ve known for a few decades how to fix this.

  14. Cough... setuid root.... cough by goombah99 · · Score: 1

    Maybe linux has a few ACL shortcuts too?
    Apple made the same mistake with their dynamic log files which had the root execution privs even when run as user.

    .

    --
    Some drink at the fountain of knowledge. Others just gargle.
  15. pot, kettle, insanity. by Anonymous Coward · · Score: 0

    Fox and weasel coop management, discover new method of protecting chickens from hawks- news at 11.

  16. Why would these two... by Anonymous Coward · · Score: 0

    ...spend all that time figuring out how to make a flaw?

    1. Re:Why would these two... by Anonymous Coward · · Score: 0

      ...spend all that time figuring out how to make a flaw?

      To beat the bad guys to it.

    2. Re: Why would these two... by Anonymous Coward · · Score: 0

      But they ARE the bad guys!

  17. Security flaw by design... by Obfuscant · · Score: 1

    However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file.

    That's moronic. Even the kernel should respect file permissions. It should always be able to CHANGE the permissions (because the permissions are not part of the file but of the file system), but if a file is not 'x' the kernel should not treat it as executable, and if it is not 'r' it should not be readable.