Re: Win32 vulnerability? Or application vulnerability?

From: Chris Paget (ivegotta@TOMBOM.CO.UK)
Date: 08/08/02 

Date:         Thu, 8 Aug 2002 15:28:19 +0100
From: Chris Paget <ivegotta@TOMBOM.CO.UK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

>Someone else pointed out that the right way to design an application
>that needs both a UI and admin-level rights is to split it into two
>parts: The trusted part and the non-trusted part. The non-trusted
>part takes care of the GUI and uses an API like sockets or pipes to
>talk to the service that's got admin rights.

Let me point out some other attacks you can use these techniques for,
so that you understand fully what I'm saying here.

The scenario: A user has a Windows 2000 box running a personal
firewall. The firewall only "trusts" Internet Explorer to access the
Internet.

Somehow or other, some malicious code gets onto the system. It fires
up an IE window, and makes it invisible. It injects a DDoS client (or
whatever) into IE, using exactly the same technique described in my
paper. That malicious code within IE then accesses the network
freely, since the personal firewall can't tell the difference. It
could even send out its traffic as legitimate HTTP requests, so that
it is more or less untraceable.

Alternatively, the malicious code could inject itself into the admin
tool for the personal firewall. Since the firewall is "well designed"
and doesn't run as localsystem, the malicious code can't elevate its
privileges. It can, however, add itself to the list of "trusted"
applications and then do what it likes.

Would you regard that as a vulnerability? I certainly would.

How about applications that restrict their UI based on what privileges
a user has? The app loads, checks privs, and disables certain
buttons. You send those buttons a message to enable them, and voila -
you can access those functions.

Yes, I agree that localsystem windows running on the desktop are not
necessarily a good idea. My two arguments though, are that 1) The OS
should be able to cope with something like that, and 2) MICROSOFT DO
THE SAME THING. There are numerous windows on a standard desktop that
are localsystem, and hidden - the DDE server for example. Just
because you can't see a window doesn't mean you can't break into it.

I'm actually in the process of writing an exploit for one such window
- no detail though until MS have had a chance to respond. Suffice it
to say, I can now shatter my way to LocalSystem privileges using a
guest account on a default install of Win2K, all service packs, all
hotfixes. Rest assured, details will be forthcoming, but I shouldn't
and won't say anything more yet.

Chris 

-- 
Chris Paget
ivegotta@tombom.co.uk

Quantcast