Re: How to protect from LocalSystem privilege escalation
From: Matt Scarborough (vexversa@verizon.net)
Date: 08/09/02
- Next message: judojim: "Changing the Administrative Password(s)"
- Previous message: Kevin Wheeler: "User Desktop"
- In reply to: Christoph Kaminski: "Re: How to protect from LocalSystem privilege escaltion"
- Next in thread: Christoph Kaminski: "Re: How to protect from LocalSystem privilege escaltion"
- Reply: Christoph Kaminski: "Re: How to protect from LocalSystem privilege escaltion"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Matt Scarborough <vexversa@verizon.net> Date: Thu, 08 Aug 2002 22:51:41 +0000
Sorry, I misunderstood that you were concerned about the specific step-by-steps and
code used in the alleged VirusScan exploit. Still, I really do understand the
problems.
The first problem is the neglected prerequisite of uploading malicious code to the
victim. An executable file built to attack VirusScan that gained wide distribution
would be detected by VirusScan when it hit the file system --- before it was executed.
Malicious code uploaded to users' machines is the root problem there.
The next neglected prerequisite is tricking a victim with sufficient rights and
permissions into running malicious code. Have you been successful with the scenario
you describe against the Windows Services you describe as an ordinary User running on
Windows 2000? This includes obtaining the correct address within the victim address
space and writing your exploit code to it.
The third prerequisite is a buggy service running as LocalSystem. In VirusScan 4.5's
defense I do recall an option during setup to run its services as a user instead of
LocalSystem. 4.5.1 is surely near end-of-life(?)
To paraphrase the above, a successful attack against the Windows Services requires
getting malicious code to a privileged user and getting her to run it.
If I'm missing something that allows a restricted user to send shellcode to these
Windows Services, I am all eyes and ears. This could be the first in the last five
minutes I've been wrong about something. ;-)
Matt Scarborough 2002-08-08
On Thu, 8 Aug 2002 12:07:06 +0200, Christoph Kaminski wrote
<e#Y94MsPCHA.2696@tkmsftngp13>
> You do not see the scale of the problem. This is NOT a problem of a specific
> faulty service. Even services coded without any fault can be exploited.
> It works the following way:
>
> prerequisite:
> -Service running with LocalSystem rights and permission to create windows
> at the user desktop, e.g.: Secure Storage, printer spooler (and many more)
>
> Steps:
> -identify the window of the service at the desktop
> -send a window message to one of the input boxes of the service to allow
> an arbitrary amount of data to be inserted
> -manually or programmatically paste your exploit code into the input box,
> thereby copying the exploit code into the address space of the application
>
> Now comes the important and dangerous part:
> -send the window a WM_TIMER message with the approximate address of your code
> as parameter
> Result: A thread out of the context of the service, thereby running in the
> security context of LocalSystem, will execute your exploit code, for example
> enabling administrative shell access or anything you like
>
> I think it is a serious issue and a design flaw.
>
> chriz.
> :
>
> "Matt Scarborough" <vexversa@verizon.net> wrote in message
> news:o873lu4lb5cirpphj8agec4hmtcu31hhv3@msnews.microsoft.com...
> > Disabling the services or setting the reg key is not necessary for the
> > Windows Services you ask about below because they do not have the alleged
> > VirusScan problem.
> >
> > Matt Scarborough 2002-08-07
> >
> >
> > On Wed, 7 Aug 2002 19:56:11 +0200, Christoph Kaminski wrote
> > <OZuKUujPCHA.496@tkmsftngp09>
> > > First of all, thank you for your fast reply. Disabling the services or
> > > setting the reg key would indeed prevent the exploitation of the
> > > vulnerability. While contacting third party vendors is a solution, there
> > > are also windows services that seem to rely on interaction with the user
> > > desktop. Disabling the photo service is no problem, but I found the
> > > following other windows services:
> > >
> > > -printer spooler
> > > -protected storage
> > > -IP6-to-IP4
> > > -run-as service
> > > -taskplaner
> > >
> > > also:
> > > -my smart card device (Chipdrive with Schlumberger security provider
> > > shipped with windows)
> > >
> > > While it would be possible to deactivate some of the services, disabling
> > > the protected storage and the printer spooler would break a large portion
> > > of the windows functionality. :(
> > > Is there any solution preventing that ?
> >
>
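As an added, defender-side example that is not part of this thread: a script that audits which Win32 services meet the prerequisite Christoph describes (running as LocalSystem and allowed to interact with the user desktop), using the documented SERVICE_INTERACTIVE_PROCESS bit of the per-service `Type` value under `HKLM\SYSTEM\CurrentControlSet\Services`. The sample entries and their flag values are constructed; the live registry read via `winreg` only works on Windows.

```python
# Added example (not from the thread): audit which Win32 services match the
# prerequisite quoted above (run as LocalSystem AND may interact with the user
# desktop), via the documented SERVICE_INTERACTIVE_PROCESS bit of the "Type" value.
from dataclasses import dataclass

SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20
SERVICE_INTERACTIVE_PROCESS = 0x100   # "Allow service to interact with desktop"

@dataclass
class ServiceEntry:
    name: str
    type_flags: int   # HKLM\SYSTEM\CurrentControlSet\Services\<name>\Type
    account: str      # ...\ObjectName, e.g. "LocalSystem"

def exposed_services(entries):
    """Names of Win32 services running as LocalSystem with desktop interaction."""
    win32 = SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS
    return sorted(e.name for e in entries
                  if e.type_flags & win32
                  and e.type_flags & SERVICE_INTERACTIVE_PROCESS
                  and e.account.strip().lower() == "localsystem")

def read_services_from_registry():
    """Windows only: build the entry list from the live registry via winreg."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        for i in range(winreg.QueryInfoKey(services)[0]):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as key:
                    type_flags, _ = winreg.QueryValueEx(key, "Type")
                    account, _ = winreg.QueryValueEx(key, "ObjectName")
            except OSError:
                continue   # drivers and stubs lacking these values
            entries.append(ServiceEntry(name, int(type_flags), str(account)))
    return entries

# Constructed sample loosely modelled on services named in the thread (flags made up).
SAMPLE = [
    ServiceEntry("Spooler", 0x110, "LocalSystem"),           # own process, interactive
    ServiceEntry("ProtectedStorage", 0x120, "LocalSystem"),  # shared process, interactive
    ServiceEntry("Schedule", 0x020, "LocalSystem"),          # no desktop interaction
    ServiceEntry("ExampleSvc", 0x120, r"NT AUTHORITY\LocalService"),  # not LocalSystem
]

def audit_sample():
    return exposed_services(SAMPLE)   # -> ["ProtectedStorage", "Spooler"]
```

On a Windows host, `exposed_services(read_services_from_registry())` lists the real services to review; each hit is a candidate for running under a less privileged account or clearing the "interact with desktop" flag, as Matt notes VirusScan's setup offered.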