Re: Privilege-escalation attacks on NT-based Windows are unfixable

From: Alun Jones (alun@texis.com)
Date: 08/23/02


From: alun@texis.com (Alun Jones)
Date: Fri, 23 Aug 2002 00:43:19 GMT

In article <pan.2002.08.22.20.18.03.167536.1730@samsimpson.com>, Sam Simpson
<sam@samsimpson.com> wrote:
>a) Microsoft claims this is a "known feature" of Windows and not a
>particular flaw with Windows but rather a failing of the application. Of
>course, <SARCASM> it's easier to fix each and every application rather
>than produce an OS that supplies robust and secure primitives.</SARCASM>.

It's certainly something that I remember being strongly warned away from - if
you didn't start up on a user's desktop, in the user's process, then you
shouldn't be trying to access the desktop. Of course, now that it comes down
to it, I'm not able to find the warning in the MSDN, but that's not
surprising. I did find some notes that warrant posting in a March 1998 MSJ,
entitled "Why Do Certain Win32 Technologies Misbehave in Windows NT
Services?":

"Remember, make your service interactive only as a last resort. The best option
would be to create an interactive client application."

"So how do you get your service to display and obtain information from the
user? Write a client application for the user to launch. The client
application would display and obtain information from the user and then use
some sort of interprocess communication to send the information back to the
service."

"One last thing I want to discuss is that an interactive service is exposed to
interactive users, who can kill the service via the Task Manager if the
service has a top-level window. If you have a service running in the
LocalSystem account, the interactive user doesn't have the necessary security
to kill your process. Say you go into Task Manager and tab to the list of
processes. If you hit the End Process button for a process running in the
LocalSystem account, you'll get an "Access is denied" message box as expected.
But if this service has a top-level window, you can tab to the list of
applications in Task Manager. If you hit the End Task button, you can kill the
service through this exposed window."

So, let's see, we've got a "secured" service that, through making itself
interactive, can be terminated by any user that logs in to the desktop,
without any fancy-schmancy Shatter attacks. Woah, Nellie! That's not what
_I_ think of as secure. Who are we trusting to protect our systems? I don't
know that I trust McAfee any more.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
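
[Editor's note: the following is an added example, not part of Alun's post or
of the MSJ article he quotes. It turns the post's point into a check a
practitioner can run: which installed services have asked to be interactive,
and which of those run as LocalSystem and are therefore exposed to whoever
owns the desktop. The service type flag SERVICE_INTERACTIVE_PROCESS (0x100)
and the per-service registry values Type, ObjectName and ImagePath are
documented Win32 items; treating a missing ObjectName as LocalSystem is an
assumption made here, since CreateService writes "LocalSystem" when no account
is given.]

```powershell
# Added example, not from the original post.
# Enumerate services whose Type includes SERVICE_INTERACTIVE_PROCESS and
# report which of them run as LocalSystem (the case the MSJ quote warns about).

$SERVICE_INTERACTIVE_PROCESS = 0x100   # documented Win32 service-type flag

function Get-InteractiveService {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

        # Entries without a Type value are not service definitions; skip them.
        if ($null -eq $props.Type) { return }

        # Only Win32 services can carry the interactive bit; drivers never do.
        if (($props.Type -band $SERVICE_INTERACTIVE_PROCESS) -eq 0) { return }

        # ObjectName is the logon account. Assumption: if it is absent, the
        # service was created without an account and so runs as LocalSystem.
        $account = if ($props.ObjectName) { $props.ObjectName } else { 'LocalSystem' }

        [pscustomobject]@{
            Service         = $_.PSChildName
            Type            = ('0x{0:X}' -f [int]$props.Type)
            Account         = $account
            ImagePath       = $props.ImagePath
            ExposedAsSystem = ($account -eq 'LocalSystem')
        }
    }
}

# Most dangerous first: interactive AND running as LocalSystem.
Get-InteractiveService |
    Sort-Object ExposedAsSystem, Service -Descending |
    Format-Table -AutoSize
```

Anything listed with ExposedAsSystem = True is a LocalSystem process that has
volunteered a window on the interactive desktop, which is exactly the
configuration the quoted MSJ text says lets a logged-on user end it from Task
Manager's Applications tab. The same flag is visible per service as
"(interactive)" in the TYPE line of `sc.exe qc <ServiceName>`. Caveat for
readers on current Windows: since Vista the interactive desktop and the
session-0 services desktop are separate, and the NoInteractiveServices value
under HKLM\SYSTEM\CurrentControlSet\Control\Windows controls whether such
services are allowed to run at all, so the flag being set is a configuration
smell rather than proof of a reachable window.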