RE: Windows Vista Power Management & Local Security Policy
- From: "Abe Getchell" <me@xxxxxxxxxxxxxxx>
- Date: Sun, 20 Jul 2008 15:32:03 -0400
So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?
--
Abe Getchell
me@xxxxxxxxxxxxxxx
https://abegetchell.com/
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Saturday, July 19, 2008 6:20 PM
To: me@xxxxxxxxxxxxxxx; Jim Harrison; bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Windows Vista Power Management & Local Security Policy
If Jim is going to get Nancy to run a program, and that's "not all that
hard," then why not just have that program do what you want in the first
place rather than worrying about the power switch nonsense? This is the
one million and fourth time: "If your 'vulnerability' begins with 'if I
can get the user to run code' then whatever comes after the 'then'
doesn't matter. Period."
t
-----Original Message-----
From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
Sent: Saturday, July 19, 2008 12:33 AM
To: 'Jim Harrison'; bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Windows Vista Power Management & Local Security Policy
As stated in my original e-mail to the list, I definitely don't think that
this is a security vulnerability in a traditional sense. I completely agree
with you. Think about it this way... When you press the power button on the
machine and it performs a graceful shutdown, stuff happens inside of the
operating system. That stuff happens at an elevated privilege level. If
there were some way to hook into the stuff that happens, you (as an
unauthenticated user), could do bad things (besides simply shutting down the
system) using that hook simply by pressing the power button at the logon
screen. For example, if Jim wants to know what Nancy is working on, he could
write a program which e-mails him the contents of her "My Documents" folder
that is triggered by a hook into that process. All Jim needs to do is get
Nancy to run that program on her system (not hard) and walk by her office
when she's not there and hit the power button (also not hard). So what can
_I_ do with this bug? Not much, I'm not that great of a programmer... but I
think someone out there could do some nasty stuff.
--
Abe Getchell
me@xxxxxxxxxxxxxxx
https://abegetchell.com/
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Saturday, July 19, 2008 1:36 AM
To: 'me@xxxxxxxxxxxxxxx'; bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Windows Vista Power Management & Local Security Policy
Abe,
Other than a denial-of-service from the console (is the power switch
now a security vuln, too?), what can you do with this bug? It's
absolutely, unquestionably a "bug"; the user should see behavior as
dictated by logic and described in the documentation, but a
"security vulnerability"?
I think that's stretching things juuuuuust a bit.
Jim
-----Original Message-----
From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
Sent: Thursday, July 17, 2008 7:39 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Windows Vista Power Management & Local Security Policy
When the security option "Shutdown: Allow system to be shutdown without
having to log on" (in the local security policy) is set to "Disable", and
the power management setting "When I press the power button" is set to "Shut
Down", it is possible for an unauthenticated user to press the power button
at the Windows logon screen and gracefully shutdown the system. The
explanation of this security option, taken from the local security policy,
is as follows:

"Shutdown: Allow system to be shut down without having to log on

This security setting determines whether a computer can be shut down without
having to log on to Windows.

When this policy is enabled, the Shut Down command is available on the
Windows logon screen.

When this policy is disabled, the option to shut down the computer does not
appear on the Windows logon screen. In this case, *users must be able to log
on to the computer successfully and have the Shut down the system user right
before they can perform a system shutdown*.

Default on workstations: Enabled.
Default on servers: Disabled."

Note the text between the asterisks. While this bug isn't necessarily a
software flaw allowing for an intrusion into the system in a traditional
sense, it does set a bad precedent in that power management has a free pass
to bypass local security policy and perform actions expressly against the
defined policy. It appears that the only impact the use of this security
option actually has is enabling or disabling the display of the "power
button" on the Windows logon screen (locally only - this setting has no
effect on remote desktop connections - the "power button" is not displayed
in either case), not actually preventing anyone from (gracefully) shutting
down the system without logging in.

I reported this to the MSRC on 6/25/2008 and their stance was that this
wasn't a security vulnerability, but was likely a bug, and was passed
directly to the product team to investigate through their normal bug triage
process. After some back and forth, there was silence, and I let them know I
was going to release this information to the community.

This was tested on Windows Vista SP1 (32-bit).
--
Abe Getchell
me@xxxxxxxxxxxxxxx
https://abegetchell.com/
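
The following is an added example, not part of the original thread and not code from any of its participants: a PowerShell audit for the configuration the report describes (security option disabled while the power button action is "Shut Down"). It assumes the security option is stored in the `ShutdownWithoutLogon` registry value and that `powercfg` prints English-language output; the function names are hypothetical.

```powershell
# Added example: flag machines where the logon-screen shutdown policy is
# disabled but the physical power button still performs a shutdown.
# Assumption: "Shutdown: Allow system to be shut down without having to log on"
# is backed by the ShutdownWithoutLogon DWORD under the key below.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$actions   = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }

function Get-ShutdownWithoutLogon {
    # Returns 1 (enabled), 0 (disabled) or $null when the value is not set.
    $p = Get-ItemProperty -Path $policyKey -Name ShutdownWithoutLogon `
                          -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.ShutdownWithoutLogon
}

function Get-PowerButtonAction {
    # Parses "powercfg /query" text and returns @{ AC = <int>; DC = <int> }.
    # Assumption: English output ("Current AC Power Setting Index: 0x...").
    param([string[]]$QueryOutput)
    $result = @{}
    foreach ($line in $QueryOutput) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9a-fA-F]+)') {
            $result[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
        }
    }
    return $result
}

$policy  = Get-ShutdownWithoutLogon
$buttons = Get-PowerButtonAction -QueryOutput `
    (powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION)

foreach ($source in 'AC', 'DC') {
    if (-not $buttons.ContainsKey($source)) { continue }
    $value = $buttons[$source]
    $name  = if ($actions.ContainsKey($value)) { $actions[$value] } else { "Unknown ($value)" }
    if ($policy -eq 0 -and $value -eq 3) {
        Write-Output "MISMATCH ($source): policy disabled, power button = $name"
    } else {
        Write-Output "OK ($source): policy = $policy, power button = $name"
    }
}

# To stop the power button from shutting the machine down on AC power
# (use /setdcvalueindex for battery), then re-apply the active scheme:
#   powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
#   powercfg /setactive SCHEME_CURRENT
```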