Re: MS02-071, shatter?

From: Holmes, Ben (Ben.Holmes@GETRONICS.COM)
Date: 12/16/02

    Date:         Mon, 16 Dec 2002 18:15:34 +1100
    From: "Holmes, Ben" <Ben.Holmes@GETRONICS.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    (Resending unsigned because it seems that digitally signed messages
    using X.509 are rejected here... looks like PGP is the only answer on
    this list)

    I think you miss your guess a little IMHO...

    From the MS02-071 page at
    "http://www.microsoft.com/technet/treeview/?url=/technet/security/bullet
    in/MS02-071.asp" (URL may wrap)...

    "However, upon deeper investigation, we determined that the real answer
    is somewhat more complicated. It's possible for a highly privileged
    process to coexist safely with less privileged processes on the
    interactive desktop, provided that it's been properly designed to vet
    all requests before acting on them. However, the flaw in WM_TIMER would
    undermine these safeguards even if they were present. As a result,
    although we still recommend that developers use extreme care before
    writing a process that has high privileges and runs in the interactive
    desktop, we believe that in this case the real culprit is the flaw in
    WM_TIMER."

    You will notice the bit that states "provided that it's been properly
    designed to vet all requests before acting on them".

    As I read this I get the following points...

    1. Microsoft has not stated that they have heard of any of their own
    processes that run with high privs on the local desktop that have not
    been properly designed...

    2. WM_TIMER made it impossible, but with that gone, it is apparently
    possible to make a secure LocalSystem window, and MICROSOFT apparently
    does that...

    With that in mind...

    I really don't think that this is the death of shatter type attacks...
    It is still possible that the funny little window that pops up from that
    program you downloaded yesterday from "JunkCode Software Inc" that runs
    as a system service and with system privs is just as vulnerable, just
    not from WM_TIMER. There are other ways of making a program execute
    code without WM_TIMER if it allows arbitrary messages with no filtering
    and the right conditions exist. One way may be if a program uses a
    control that limits an input to 10 characters, it may then copy that
    variable into a 10 character buffer, that would be problematic if the
    control was set to a higher input limit via a windows message...

    If anyone knows of a Microsoft program that runs as LocalSystem and is
    accessible from a normal unprivileged user and has other flaws like
    this, I would like to know that!

    -- Benjamin Holmes
    GETRONICS, AUSTRALIA.

    > -----Original Message-----
    > From: Greg Riedesel [mailto:greg.riedesel@CI.STPAUL.MN.US]
    > Sent: Friday, December 13, 2002 12:35 AM
    > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    > Subject: MS02-071, shatter?
    >
    >
    > If I don't miss my guess, it looks like MS02-071 fixes the
    > vulnerability
    > that "shatter" uses to gain priv escalation. I do recall a
    > lot of back
    > and forth about whether or not this was easily fixable in Windows, as
    > the problem area (WM_TIMER) is used by pretty much every Windows
    > application. Programs like VirusScan from McAfee do put a
    > window on the
    > desktop that has system privs, and shatter was used to escalate the
    > logged in user to a higher level of priv.
    >
    > Once that level of access is achieved, it is a lot easier to
    > capture key
    > domain credentials. Though such attacks are still somewhat
    > technically
    > complex.
    >
    > I do remember that the consensus was that fixing this problem would
    > require a fundamental re-engineering on how Windows works, and that a
    > true fix would be a long time coming as a result. So now we have this
    > patch from Microsoft. Have they actually fixed the problem? So
    > quickly?
    >

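An added illustration of the two points argued above (model code written for this archive page, not from either poster, Microsoft, or any real product): the "vet every request against your own invariants" design the bulletin calls for, beside the "trust the control's input limit" check Ben describes. The message numbers are the real winuser.h values; the window struct, `vet_message` and `unvetted_accepts` are constructed names, and the code is portable C rather than a real window procedure.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Message numbers as defined in winuser.h */
#define WM_SETTEXT       0x000C
#define WM_TIMER         0x0113
#define EM_SETLIMITTEXT  0x00C5

#define MAX_INPUT 10   /* the buffer the privileged process actually owns */

/* Constructed model of a privileged window's state. The limit field is the
 * kind of value any process on the same desktop can change with a message,
 * so it must never be the thing a copy is sized against. */
struct priv_window {
    char     input[MAX_INPUT + 1];
    unsigned limit;
};

enum verdict { REJECT = 0, ACT = 1 };

/* The vetted design: every decision is taken from constants the process
 * owns, never from state a message could already have altered. */
enum verdict vet_message(struct priv_window *w, unsigned msg,
                         uintptr_t wparam, uintptr_t lparam)
{
    switch (msg) {
    case WM_TIMER:
        /* A timer message carrying a callback address is never honoured. */
        return lparam != 0 ? REJECT : ACT;
    case EM_SETLIMITTEXT:
        /* Nobody may raise the limit beyond the buffer we will copy into. */
        if (wparam == 0 || wparam > MAX_INPUT) return REJECT;
        w->limit = (unsigned)wparam;
        return ACT;
    case WM_SETTEXT: {
        const char *text = (const char *)lparam;
        if (!text) return REJECT;
        /* Bound the length check by our own buffer, not by w->limit. */
        const char *end = memchr(text, '\0', MAX_INPUT + 1);
        if (!end) return REJECT;                 /* longer than we can hold */
        memcpy(w->input, text, (size_t)(end - text) + 1);
        return ACT;
    }
    default:
        return REJECT;                           /* deny anything unexpected */
    }
}

/* The pattern the post warns about: the only check is the control's limit,
 * which another process may have raised, so a subsequent fixed-size copy
 * would overflow. This returns the decision instead of performing the copy. */
int unvetted_accepts(const struct priv_window *w, const char *text)
{
    return strlen(text) <= w->limit;
}
```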
