[Full-disclosure] Windows Access Control Demystified.




Hello everybody,

We have constructed a logical model of Windows XP access control, in a
declarative but executable (Datalog) format.  We have built a scanner
that reads access-control configuration information from the Windows
registry, file system, and service control manager database, and feeds
raw configuration data to the model.  Therefore we can reason about
such things as the existence of privilege-escalation attacks, and
indeed we have found several user-to-administrator vulnerabilities
caused by misconfigurations of the access-control lists of commercial
software from several major vendors.  We propose tools such as ours as
a vehicle for software developers and system administrators to model
and debug the complex interactions of access control on installations
under Windows.


The full version of the paper can be found at:

http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf


All the vendors and CERT are aware of this paper. The bugs are *not* remotely exploitable. The CERT id is VU#953860.



regards, Sudhakar Govindavajhala and Andrew Appel.

Bio:

Sudhakar Govindavajhala is a finishing PhD student at the Computer Science department, Princeton University. His interests are computer security, operating systems and networks. Sudhakar is looking for employment opportunities.


Andrew Appel is a Professor of Computer Science at Princeton University. He is currently on sabbatical at INRIA Rocquencourt. His interests are computer security, compilers, programming languages, type theory, and functional programming.







Sudhakar Govindavajhala
Department of Computer Science
Graduate Student, Princeton University
Ph : +1 609 258 1763
http://www.cs.princeton.edu/~sudhakar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
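
The approach described in the announcement (scanner output fed as facts to a declarative model that derives privilege-escalation paths), as an added example that is not code from the original post or from the authors' tool: a small Datalog-style fixpoint written in Python. The fact layout, the two inference rules, and every name in the sample data (alice, bob, Acme, AcmeUpdater) are illustrative assumptions, not the paper's model.

```python
# Constructed sample facts, in the shape a configuration scanner might emit.
USERS = {"alice", "bob"}
MEMBER = {("alice", "Users"), ("Users", "Everyone"), ("bob", "Administrators")}
# ACL entries: (resource kind, resource name, principal, right granted).
GRANTS = {
    ("file", r"C:\Program Files\Acme\svc.exe", "Everyone", "write"),
    ("service", "AcmeUpdater", "Administrators", "change_config"),
    ("file", r"C:\Windows\System32\spoolsv.exe", "Administrators", "write"),
}
# Services: (name, account the service runs as, path of its binary).
SERVICES = {
    ("AcmeUpdater", "LocalSystem", r"C:\Program Files\Acme\svc.exe"),
    ("Spooler", "LocalSystem", r"C:\Windows\System32\spoolsv.exe"),
}

def derive(users, member, grants, services):
    """Fixpoint of acts_as(user, identity) -> reason the fact was derived."""
    acts = {(u, u): "self" for u in users}
    while True:
        new = {}
        for (u, ident) in acts:
            # Rule 1 (assumed): a principal holds the rights of its groups.
            for (m, g) in member:
                if m == ident:
                    new[(u, g)] = f"{ident} is a member of {g}"
            # Rule 2 (assumed): control of a service's binary or configuration
            # gives the ability to run code as the service's account.
            for (name, account, binary) in services:
                if ("file", binary, ident, "write") in grants:
                    new[(u, account)] = f"{ident} can write {binary} ({name})"
                elif ("service", name, ident, "change_config") in grants:
                    new[(u, account)] = f"{ident} can reconfigure {name}"
        added = {k: v for k, v in new.items() if k not in acts}
        if not added:  # nothing new derivable: fixpoint reached
            return acts
        acts.update(added)

def escalations(acts, target="LocalSystem", admins="Administrators"):
    """Users who reach `target` without already holding `admins` rights."""
    return {u: why for (u, ident), why in acts.items()
            if ident == target and (u, admins) not in acts}

if __name__ == "__main__":
    found = escalations(derive(USERS, MEMBER, GRANTS, SERVICES))
    for user, why in sorted(found.items()):
        print(f"{user} -> LocalSystem because {why}")
```

Removing the `Everyone` write entry from `GRANTS` and re-running shows the derived path disappear, which is how such a model can be used to confirm an ACL fix.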


