[26863] in bugtraq


Re: White paper: Exploiting the Win32 API.

daemon@ATHENA.MIT.EDU (Chris Paget)
Thu Aug 29 12:32:28 2002

From: Chris Paget <ivegotta@tombom.co.uk>
To: "Drew" <dcopley@eeye.com>
Date: Thu, 29 Aug 2002 11:39:09 +0100
Message-ID: <i7trmusqt91rhnfm6b6n038nv64lktcktu@4ax.com>
In-Reply-To: <PBEIJHCBOBAALDOHPLEBCEPICDAA.dcopley@eeye.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

On Wed, 28 Aug 2002 10:25:08 -0700, you wrote:
>Anytime a developer has an application running as system which
>is a rare need, they must realize the security ramifications of
>what they are doing. (That, if a flaw is found in their software,
>they will elevate the privileges of the user).

Agreed.  It's way past time for the paradigm shift in the Win32 world
that took place a long time ago in the *nix world, that being that
applications should *always* run with the lowest privileges they
require.  In this respect, Microsoft should be leading the pack
instead of trailing it - the only MS services I've ever seen that
don't install themselves as LocalSystem are the various Windows Media
services.

Maybe it's time Microsoft implemented setuid() on Win32?  Even the
Cygwin group have had trouble with it - according to
http://www.cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID
"Because of the nature of NT security an application which needs the
ability has to be patched"
Since it also requires three privileges that not even Administrators
have by default, their solution seems a tad clumsy.

>While you can exploit other applications
>not running in a higher privilege space in this manner, this
>gains you nothing which you can not do with just running a
>binary as that user.

I'd disagree with this.  If you have a UI that is partly disabled
waiting for some form of user validation (scroll to the bottom of the
license agreement before you click OK, or type in a valid username and
password before you can click that administration button) you can do a
lot.  Also, personal firewalls are going to have a hard time of it - I
can circumvent all personal firewalls I've tested by injecting my code
into a "trusted" application (IE in my case).  The firewall never bats
an eyelid, since IE is allowed to access the network.  Some clever
shellcode can then do whatever you'd like.

Chris

-- 
Chris Paget
ivegotta@tombom.co.uk
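As an added defender-side check (example code, not part of the thread or of the white paper under discussion): the paragraph above complains that nearly every service installs itself as LocalSystem. This PowerShell script inventories which account each service runs under and flags SYSTEM services that also interact with the desktop, the combination a window-message attack on a privileged process depends on. It uses only standard Win32_Service properties; the list of accounts treated as "high privilege" is an assumption you can widen.

```powershell
# Added example (not from the thread): report Windows services by run-as account and
# flag LocalSystem services that expose a window on the interactive desktop.
function Get-HighPrivilegeServiceReport {
    [CmdletBinding()]
    param(
        # Assumption: these two spellings cover the SYSTEM account on the hosts checked
        [string[]]$PrivilegedAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
    )
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object {
            $account = if ($_.StartName) { $_.StartName } else { '(unknown)' }
            [pscustomobject]@{
                Name            = $_.Name
                DisplayName     = $_.DisplayName
                Account         = $account
                State           = $_.State
                StartMode       = $_.StartMode
                DesktopInteract = [bool]$_.DesktopInteract   # "Allow service to interact with desktop"
                HighPrivilege   = $PrivilegedAccounts -contains $account
                Path            = $_.PathName
            }
        }
}

$report = Get-HighPrivilegeServiceReport

# Summary: how many services run under each account (LocalSystem is usually the majority)
$report | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The subset worth reviewing first: SYSTEM services that also put a window on the desktop
$report | Where-Object { $_.HighPrivilege -and $_.DesktopInteract } |
    Select-Object Name, DisplayName, Account, State, Path | Format-Table -AutoSize
```

On Vista and later, services run in session 0, so the DesktopInteract flag matters far less than it did on NT4/2000/XP; the account column remains the least-privilege check, and any service that does not need SYSTEM should be moved to LocalService, NetworkService or a dedicated account.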
