
Thread: Unfixable Windows flaw

  1. #1
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658

    Unfixable Windows flaw

    Up front, I apologise if I am repeating a previous thread, but I found the article below to be quite disturbing and wanted to make sure all here were aware. No big surprise, M$ says this doesn't fit their criteria for a security vulnerability. Hmmm...this guy took over the local machine but that's not a vulnerability? Go figure....

    Original article here.


    "Unfixable" flaw breaks Microsoft's Windows
    By David Cohen

    An "unfixable" flaw that leaves your desktop PC open to serious abuse has been exploited in Microsoft's Windows operating system. The trick could be used by an attacker to discover your passwords, copy your files or even format your hard disk.

    Chris Paget, a freelance computer security consultant based in London, revealed the exploit in a paper published on the net on Tuesday. He claims it is the first time this flaw in Windows has been exploited. Paget says he began the research after a Microsoft vice president Jim Allchin told a court in May that errors had been identified in Windows but should not be revealed for security reasons.

    When a user logs on to a Windows machine, he or she is granted a certain level of privileges that governs which files you are allowed to access and what sort of operations you can perform on those files.

    Paget, who goes by the hacker handle 'Foon', logged on to a system as a guest user - normally granted minimal privileges - and by exploiting the flaw managed to increase his privilege level to 'local system', the highest level possible. This gave him complete access to everything on the machine and potentially to other machines on the local network.

    Security boundary

    He could then perform any operation on the local machine he liked, including formatting the hard disk, creating new users and hiding "keyboard sniffer" programs to capture passwords of people subsequently using the machine. Blocking the exploit would mean rewriting the Windows core program and all the applications using it.

    In a statement issued to New Scientist, Microsoft said: "Based on an exhaustive review of both the theoretical and practical impact of the proposed scenario, we believe that it does not meet Microsoft's definition of a security vulnerability."

    The company argues that "the desktop is the security boundary for windows messages", so if an attacker has access to the desktop then a security breach has already occurred.

    However, hackers have frequently accessed desktops in the past by exploiting other security holes, and Paget's exploit means they could cause more damage when they do. Employees of large companies might also be able to access prohibited parts of their networks.

    Message flow

    The flaw exposed by Paget is part of the fundamental design of the Windows operating system. It is contained within the mechanism that controls the flow of messages between different windows on the desktop. This is called the Win32 API and has remained unchanged since 1993.

    Critically, the Win32 API system does not authenticate the messages, so cannot distinguish messages from malicious or legitimate sources. This allowed Paget to select a window with the highest privileges and surreptitiously embed a malicious piece of code. When executed, the code would increase his user privileges to the maximum given to that window.

    But how could he run that code? Paget also found that by sending a special message, called WM_TIMER, he could cause the window to run the piece of code he had previously embedded in the window's memory.

    "This is the really stupid thing that Microsoft lets you do," he says. "The fact that you can cause a window to execute a random piece of code is the key to taking control of the machine."

    Microsoft says that the programmers of third party software should limit the windows in their programs to having only user privileges. However, Windows 2000 itself uses windows that have top-level privilege.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  2. #2
    Senior Member problemchild
    Join Date
    Jul 2002
    Posts
    551
    Yeah.... I posted something about this a month or so ago when it made headlines on Slashdot, but it's always good to remind everybody. Pretty scary stuff. And, of course, the typical Microsoft spin saying that it's the application vendors' fault. Never mind the fact that the messaging system has NO AUTHENTICATION method whatsoever to check where the instruction is coming from. Oh yeah.... that's not a bug at all......

    I've said a hundred times that Windows will never be secure until it's rewritten from the ground up by people who understand security, instead of piling patchwork upon patchwork. New API, anyone?
    Do what you want with the girl, but leave me alone!

  3. #3
    Senior Member roswell1329
    Join Date
    Jan 2002
    Posts
    670
    While I agree this is disturbing, keep in mind that how Microsoft responded was technically accurate. Using any kind of security model, if someone gains access to the console itself, security has already been compromised. This is the same policy that should be, and has been, applied to any flavor of UNIX. Theoretically, if I can get to the UNIX console I can reboot in single user mode and change the root password. I'll concede that if a server goes down it's likely to raise all kinds of red flags in any typical data center, but since you don't even have to take advantage of any kind of exploit to gain root access using this method it should still be considered an extremely sensitive vulnerability. I guess it would be very interesting to see if one could take advantage of that exploit remotely, although I'm having difficulty right now seeing how.
    /* You are not expected to understand this. */

  4. #4
    Senior Member problemchild
    Join Date
    Jul 2002
    Posts
    551
    if someone gains access to the console itself, security has already been compromised. This is the same policy that should be, and has been, applied to any flavor of UNIX. Theoretically, if I can get to the UNIX console I can reboot in single user mode and change the root password.
    Just because someone can get to the console it's normal for them to be able to gain Administrator access? I beg to differ. What's the point of having different users and ACLs at the console if that's true?

    As for Linux, I disagree. You set your BIOS boot sequence to exclude floppy and CD-ROM so that it only boots from the hard drive, and put a setup password on the BIOS so nobody can change it. Then you set your lilo delay to zero and password-protect single-user mode. That way, nobody can boot some other medium or OS and reset your passwords. The only way around it would be to take the cover off and reset the CMOS jumper, which, if you have even a modicum of physical security, should be pretty conspicuous.
    Do what you want with the girl, but leave me alone!

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    When a user logs on to a Windows machine, he or she is granted a certain level of privileges that governs which files you are allowed to access and what sort of operations you can perform on those files.
    They must be talking about Windows 2000/NT machines, right? I don't think there are any "privileges" on Win 95/98/ME....if they're only talking about 2000/NT, then does that mean the other versions don't have that security hole, or is it just worse since there are no privileges??

    -Mike
    Either get busy living or get busy dying.

    -The Shawshank Redemption

  6. #6
    Senior Member problemchild
    Join Date
    Jul 2002
    Posts
    551
    does that mean the other versions don't have that security hole, or is it just worse since there are no privileges??
    There is no Administrator access in Win9x because every user is always the Administrator. Kind of like cracking a safe with no lock.
    Do what you want with the girl, but leave me alone!

  7. #7
    Senior Member cwk9
    Join Date
    Feb 2002
    Posts
    1,207
    So how easy is it to exploit this bug? Are there going to be hordes of script kidz running around hacking any computer they can get local access to, or does this take a little skill to get working?
    It's not software piracy. I'm just making multiple off-site backups.

  8. #8
    Senior Member problemchild
    Join Date
    Jul 2002
    Posts
    551
    I can see this being a huge problem at college computer labs. You'll have college kids putting stashes of warez and MP3s on lab computers for all their friends to download. College campuses will become vast repositories of warez servers, and there really isn't a whole lot you can do about it once the skiddies figure this out.

    As I understand it, all you really need is an open window of an application running with local system privileges. In the original paper, Paget used a virus scanner window, which I would imagine can be found on most any public computer if the admin is worth his/her salt, and gave pretty much a step-by-step instruction guide for making it work. So yes, I can see it being a HUGE problem.

    The original paper is here.
    Do what you want with the girl, but leave me alone!
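    An added audit check, not code from the thread, the article or Paget's paper: it lists visible windows on the current desktop owned by processes running as LocalSystem (the precondition problemchild describes), then the service and registry settings that control whether a service may put a window on the interactive desktop. It assumes an elevated PowerShell on the console session; the user32 P/Invoke signatures are the standard Win32 ones.

    ```powershell
    # Added audit example; not code from the thread, the article or Paget's paper. It reports
    # the precondition discussed above (a visible window on this desktop owned by a process
    # running as LocalSystem) plus the service settings that let a service open such windows.
    # Run from an elevated PowerShell on the console session: Get-Process -IncludeUserName
    # needs administrator rights, so this is an administrator's check of their own machine.
    Add-Type -Namespace ShatterAudit -Name User32 -MemberDefinition @'
    public delegate bool EnumWindowsProc(System.IntPtr hWnd, System.IntPtr lParam);
    [System.Runtime.InteropServices.DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, System.IntPtr lParam);
    [System.Runtime.InteropServices.DllImport("user32.dll")]
    public static extern bool IsWindowVisible(System.IntPtr hWnd);
    [System.Runtime.InteropServices.DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(System.IntPtr hWnd, out uint lpdwProcessId);
    [System.Runtime.InteropServices.DllImport("user32.dll", CharSet = System.Runtime.InteropServices.CharSet.Unicode)]
    public static extern int GetWindowText(System.IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);
    '@

    # Collect every visible top-level window on the current desktop with its owning PID.
    $script:windows = New-Object System.Collections.Generic.List[object]
    $callback = [ShatterAudit.User32+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        if ([ShatterAudit.User32]::IsWindowVisible($hWnd)) {
            $procId = [uint32]0
            [void][ShatterAudit.User32]::GetWindowThreadProcessId($hWnd, [ref]$procId)
            $title = New-Object System.Text.StringBuilder 256
            [void][ShatterAudit.User32]::GetWindowText($hWnd, $title, $title.Capacity)
            $script:windows.Add([pscustomobject]@{ ProcessId = $procId; Title = $title.ToString() })
        }
        return $true   # keep enumerating
    }
    [void][ShatterAudit.User32]::EnumWindows($callback, [IntPtr]::Zero)

    # A window owned by a LocalSystem process is the "window with top-level privilege" the
    # article describes; list any found with the owning process name.
    $hits = foreach ($w in $script:windows) {
        $proc = Get-Process -Id $w.ProcessId -IncludeUserName -ErrorAction SilentlyContinue
        if ($proc -and $proc.UserName -eq 'NT AUTHORITY\SYSTEM') {
            [pscustomobject]@{ Process = $proc.ProcessName; ProcessId = $w.ProcessId; Title = $w.Title }
        }
    }
    'Visible windows owned by processes running as LocalSystem:'
    $hits | Format-Table -AutoSize
    # Services allowed to interact with the desktop while running as LocalSystem, and the
    # system-wide switch that blocks interactive services (NoInteractiveServices = 1).
    'Services with DesktopInteract set under LocalSystem:'
    Get-CimInstance Win32_Service |
        Where-Object { $_.DesktopInteract -and $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, PathName | Format-Table -AutoSize
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    'NoInteractiveServices = ' + (Get-ItemProperty -Path $key -Name NoInteractiveServices -ErrorAction SilentlyContinue).NoInteractiveServices
    ```

    On Windows Vista and later, services run in session 0 and UIPI blocks window messages from lower-integrity processes, so an empty first list is the expected state on a current machine; any entry there, or any service still marked DesktopInteract, is worth explaining.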

  9. #9
    Junior Member
    Join Date
    Aug 2002
    Posts
    28
    Well, I have not been here long and am glad that you posted this thread, even if it has been said before.
    Yeah.... I posted something about this a month or so ago when it made headlines on Slashdot, but it's always good to remind everybody.
    -problemchild
    Not everyone has seen this and, like problemchild said, it is a good reminder. Thanks

    Black-Mage21
    "You impressed me, and I'm not easily impressed... Wow a BLUE CAR!"

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Ok, first off, I don't know a system around that now allows a Guest to log in. Sorry, but on most networks access is given by an admin, and any system that allows anyone to plug in and log in as a guest will have the flaw. The simple fact to me is that this is an exploit on a server with a default install and no admin looking. Geez, get real: I can put any OS on a box at default and find all sorts of holes. Why? Because I was a Net Admin. The waters are full of people attempting to make a name and the media looking for the breaking news, even out here. Home computer, humm, what if I do not log into it??? Then what, and it has no Guest access??? hummmm
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg
