Re: Privilege-escalation attacks on NT-based Windows are unfixable

From: Alun Jones (
Date: 08/23/02

From: (Alun Jones)
Date: Fri, 23 Aug 2002 00:43:19 GMT

In article <>, Sam Simpson
<> wrote:
>a) Microsoft claims this is a "known feature" of Windows and not a
>particular flaw with Windows but rather a failing of the application. Of
>course, <SARCASM> it's easier to fix each and every application rather
>than produce an OS that supplies robust and secure primitives.</SARCASM>.

It's certainly something that I remember being strongly warned away from - if
you didn't start up on a user's desktop, in the user's process, then you
shouldn't be trying to access the desktop. Of course, now that it comes down
to it, I'm not able to find the warning in the MSDN, but that's not
surprising. I did find some notes that warrant posting in a March 1998 MSJ,
entitled "Why Do Certain Win32 Technologies Misbehave in Windows NT

"Remember, make your service interactive only as a last resort. The best option
would be to create an interactive client application."

"So how do you get your service to display and obtain information from the
user? Write a client application for the user to launch. The client
application would display and obtain information from the user and then use
some sort of interprocess communication to send the information back to the

"One last thing I want to discuss is that an interactive service is exposed to
interactive users, who can kill the service via the Task Manager if the
service has a top-level window. If you have a service running in the
LocalSystem account, the interactive user doesn't have the necessary security
to kill your process. Say you go into Task Manager and tab to the list of
processes. If you hit the End Process button for a process running in the
LocalSystem account, you'll get an "Access is denied" message box as expected.
But if this service has a top-level window, you can tab to the list of
applications in Task Manager. If you hit the End Task button, you can kill the
service through this exposed window."

So, let's see, we've got a "secured" service that, through making itself
interactive, can be terminated by any user that logs in to the desktop,
without any fancy-schmancy Shatter attacks. Woah, Nellie! That's not what
_I_ think of as secure. Who are we trusting to protect our systems? I don't
know that I trust McAfee any more.


[Please don't email posters, if a Usenet response is appropriate.]

Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | or email
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
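
An added example, not part of the original post: one way to audit a machine for the services discussed above is to look for the SERVICE_INTERACTIVE_PROCESS bit (0x100) in each service's "Type" registry value. The sketch below parses a regedit-style export; the sample text and the service names in it are constructed, and a real export must be decoded to text before it is passed in.

```python
import re

OWN_PROCESS, SHARE_PROCESS = 0x10, 0x20   # SERVICE_WIN32_OWN_PROCESS / _SHARE_PROCESS
SERVICE_INTERACTIVE_PROCESS = 0x100       # "Allow service to interact with desktop"

# Constructed sample in regedit export format; the service names are made up.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleScanner]
"Type"=dword:00000110
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSpooler]
"Type"=dword:00000010
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleShared]
"Type"=dword:00000120

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleScanner\Parameters]
"Type"=dword:00000100
'''

# Match only the service's own key, not subkeys such as ...\Parameters.
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$', re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

def interactive_services(reg_text):
    """Return {service name: account} for Win32 services with the interactive bit set."""
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None   # None while inside a subkey
            continue
        m = VALUE_RE.match(line)
        if current and m:
            services.setdefault(current, {})[m.group(1).lower()] = m.group(2)
    flagged = {}
    for name, vals in services.items():
        kind, _, hexval = vals.get('type', '').partition(':')
        if kind.lower() != 'dword':
            continue
        svc_type = int(hexval, 16)
        if svc_type & (OWN_PROCESS | SHARE_PROCESS) and svc_type & SERVICE_INTERACTIVE_PROCESS:
            flagged[name] = vals.get('objectname', '(not set)').strip('"')
    return flagged
```

Each service it reports is a candidate for the redesign the MSJ article recommends: a separate client application in the user's session that talks to the service over interprocess communication.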
