Re: White paper: Exploiting the Win32 API.

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 08/08/02


Date:         Thu, 8 Aug 2002 12:51:05 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Boy what a flurry.

Most people posting are saying:

a) This is a non-issue, it's entirely due to poor programming practice. Bad Vendors write services marked as SERVICE_INTERACTIVE_PROCESS, install as LocalSystem and autostart, then add a GUI or any other sort of message receiver. They bind to WinSta0 and, as a result, open themselves to attack. Bad Bad Vendors.

b) But, since we've known about this issue for so long, nobody ever does this (note exception in point #1 above).

c) Oh, and since you need to get code onto the system in order to do this, *this* stuff is irrelevant, if I can get code on your system you're already owned.

Since dullien@gmx.de decided to post saying that this FUD was, in part, my fault for allowing it through, my observations follow:

1. There are far too many Bad Bad Vendors.

2. How are you going to check to see if a Vendor is Bad or not? Look to see if his service is installed as LocalSystem?? That's no answer. Look to see if he has a Window as part of his interface? That's no answer. Ask them?? Yeah, right! Paget has, at least, provided a tool and explanation sufficient to start checking. Certainly not a solution, but I have a stinking suspicion most of you weren't checking before this paper...despite it being so old and, for some, so well known.

3. Am I the only one who noticed Paget's reference to DDE Server??? Did I miss that reference in the past research others have pointed to?

4. To the bit about owning a machine because you got code on it...come on. You can't own a machine until you get code on it, whether that's via a flawed ISAPI filter, malicious email, web page, or virus. When exploitation of AEDebug was discovered it wasn't deemed a non-issue. If every virus ran in the context of LocalSystem, viruses would cause far more damage than they do today. It's also worth considering auditing in all of this.

5. More than a few people have said he hasn't proven his contentions with respect to the OS being vulnerable (e.g. DDE Server or something else that ships as a default component of an OS). I, for one, am glad that he has, so far, chosen not to provide a sample exploit prior to MS' analysis. Be skeptical all you want, but some of the messages I've read could be poster children for the reasons some discoveries come out as 0day exploits attacking you en-masse.

IMO the dismissive attitude towards Paget's work comes from his contention that it's an "entirely new class of attacks". Fine, argue that if you want, make him humble himself before all those who previously discussed these issues, but thank him for a tool and recent analysis that brings it to our attention again.

At the very least his paper held the tool, a security vulnerability in Viruscan, and an indication that DDE Server may be vulnerable.

Cheers,
Russ - NTBugtraq Editor
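
The check Russ asks for in point 2 (which services meet the preconditions in point a, and which of them actually own a window that could receive messages) can be scripted from an administrator's PowerShell session. The block below is an added example; it is not part of Russ's post and is not Paget's tool. It assumes WMI's Win32_Service class (DesktopInteract exposes SERVICE_INTERACTIVE_PROCESS, StartName the account), and it uses EnumWindows rather than Get-Process because hidden message-only windows (the DDE-server kind) have no "main window" and would otherwise be missed. One caveat a practitioner needs: EnumWindows only sees windows on the calling desktop. On Windows 2000/XP, the platform this thread is about, an interactive service's windows sit on WinSta0\Default next to the logged-on user's, so the join in step 3 works; on Vista and later, services run in session 0 on a separate window station, so step 3 finds nothing for them and only the step 1 configuration check still applies.

```powershell
# Added example (not from the NTBugtraq post or from Paget's tool).
# Run from an elevated, interactive PowerShell session.

# Step 1: services matching point (a): LocalSystem + SERVICE_INTERACTIVE_PROCESS.
#         Win32_Service.DesktopInteract is WMI's view of that service-type flag.
$suspect = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DesktopInteract -and $_.StartName -eq 'LocalSystem' } |
    Select-Object Name, DisplayName, State, StartMode, ProcessId, PathName

"Interactive services running as LocalSystem:"
$suspect | Format-Table Name, State, StartMode, ProcessId, PathName -AutoSize

# Step 2: enumerate every top-level window on this desktop, hidden ones included,
#         and record the owning process, window class and title.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class WinEnum {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount);
}
"@

$windows = [System.Collections.Generic.List[object]]::new()
$callback = [WinEnum+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    [uint32]$procId = 0          # not $pid, which PowerShell reserves for its own process
    [void][WinEnum]::GetWindowThreadProcessId($hWnd, [ref]$procId)
    $title = New-Object System.Text.StringBuilder 256
    $class = New-Object System.Text.StringBuilder 256
    [void][WinEnum]::GetWindowText($hWnd, $title, $title.Capacity)
    [void][WinEnum]::GetClassName($hWnd, $class, $class.Capacity)
    $windows.Add([pscustomobject]@{
        Handle    = $hWnd
        ProcessId = $procId
        Class     = $class.ToString()
        Title     = $title.ToString()
    })
    return $true                 # keep enumerating
}
[void][WinEnum]::EnumWindows($callback, [IntPtr]::Zero)

# Step 3: join the two views. A running suspect service that owns a window on
#         this desktop has a message receiver reachable from user code, which is
#         exactly the precondition the paper describes.
$byPid = $windows | Group-Object ProcessId -AsHashTable -AsString
foreach ($svc in ($suspect | Where-Object { $_.State -eq 'Running' -and $_.ProcessId })) {
    $owned = $byPid["$($svc.ProcessId)"]
    if ($owned) {
        "`n[!] $($svc.Name) (PID $($svc.ProcessId)) owns $($owned.Count) top-level window(s) on this desktop:"
        $owned | Format-Table Handle, Class, Title -AutoSize
    }
}
```

The window class column is the useful one when triaging: an empty title with a recognisable class name is the usual signature of a hidden message receiver, and it tells you which component to look at before deciding whether the service needs to be interactive at all.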