Re: Win32 vulnerability? Or application vulnerability?

From: Mike Murray (mmurray@DORIAN.2Y.NET)
Date: 08/08/02


Date:         Thu, 8 Aug 2002 10:45:47 -0700
From: Mike Murray <mmurray@DORIAN.2Y.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 08 August 2002 09:14 am, Deus, Attonbitus wrote:
> Notwithstanding the implications of exploiting privileged services, one
> really has to question the validity of any exploit that first requires
> malicious code to get onto the system.

I have to respectfully disagree on this point.

The fact is, we've seen a significant number of extremely useful and valid
tools that run only locally. The LPC Ports vulnerability that was released a
couple of years ago (and the corresponding exploit) was useful in any
situation where an exploit gave local unprivileged access.

Put simply, this is a local root exploit. We don't ignore these types of
exploit for a *nix box; we shouldn't ignore them for a Windows box.

The reason that "If you can get your code on the box, nothing else matters" is
such a tautology is because of situations like this. There are a significant
number of privilege escalation conditions that exist.

That doesn't mean that we can/should disregard these conditions because
they're numerous.

As I see it, the most interesting possibility, with some of the hidden windows
that services start, is the possibility of writing a piece of code which
will run *without* requiring the GUI interaction that the current incarnation
of Shatter requires.

Just a thought.

M
- --
____________________________________________________
| Michael Murray, CISSP <mmurray@dorian.2y.net>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE9Uq5Tzh1RVm1QrUwRApPBAKCt2OUe/0B/fpnqdRjJWcHdocFPmwCfUgmN
RhIPiewNCoyQVCG0JNDq/aU=
=SSgy
-----END PGP SIGNATURE-----
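The precondition the post is pointing at is a window, hidden or not, that belongs to a process running as a different (usually more privileged) user but that is reachable from the caller's desktop, since window messages are delivered regardless of the sender's privilege. The script below is an added example written for this page, not code from the original post or from the Shatter paper it refers to. It enumerates every top-level window on the current desktop with EnumWindows, resolves each owning process and its account, and lists the windows whose owner is not the calling user, marking hidden ones. The class, function and variable names (Win32Wnd, Get-ProcessOwner, $found) are this example's own. On Windows Vista and later, Session 0 isolation keeps service windows off the interactive desktop and UIPI blocks most messages sent to higher-integrity windows, so an empty or near-empty result is what a modern system should produce; anything listed is worth a closer look.

```powershell
# Added example (not from the original post): list top-level windows on the
# current desktop, hidden ones included, owned by a process running as a
# different user than the caller. Run from an ordinary (non-elevated) prompt.
Add-Type @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Win32Wnd {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder sb, int n);
}
"@

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$owners = @{}   # cache: process id -> "DOMAIN\user"

# Resolve the account a process runs as via WMI/CIM (GetOwner fails for
# processes we cannot open, which is itself a hint that they are privileged).
function Get-ProcessOwner([uint32]$ProcId) {
    if (-not $owners.ContainsKey($ProcId)) {
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcId"
        $o = if ($p) { Invoke-CimMethod -InputObject $p -MethodName GetOwner } else { $null }
        $owners[$ProcId] = if ($o -and $o.User) { "$($o.Domain)\$($o.User)" } else { "<unknown>" }
    }
    $owners[$ProcId]
}

$found = New-Object System.Collections.Generic.List[object]

# EnumWindows calls this once per top-level window on the calling thread's
# desktop; returning $true keeps the enumeration going.
$cb = [Win32Wnd+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    [uint32]$procId = 0
    [void][Win32Wnd]::GetWindowThreadProcessId($hWnd, [ref]$procId)
    $sb = New-Object System.Text.StringBuilder 256
    [void][Win32Wnd]::GetClassName($hWnd, $sb, $sb.Capacity)
    $owner = Get-ProcessOwner $procId
    if ($owner -ne $me) {
        $found.Add([pscustomobject]@{
            HWnd    = ('0x{0:X}' -f $hWnd.ToInt64())
            Class   = $sb.ToString()
            Hidden  = -not [Win32Wnd]::IsWindowVisible($hWnd)
            PID     = $procId
            Process = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
            Owner   = $owner
        })
    }
    return $true
}

[void][Win32Wnd]::EnumWindows($cb, [IntPtr]::Zero)
$found | Sort-Object Owner, PID | Format-Table -AutoSize
```

Windows that show up as Hidden = True with an owner such as NT AUTHORITY\SYSTEM are the case the post describes: a message target with no visible UI, so no user interaction is needed to reach it. Whether a message actually lands is a separate question on current Windows, where UIPI will drop most messages from a lower-integrity sender; this listing only tells you what exists on the desktop, not what is exploitable.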