OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Chris Paget (ivegotta_at_TOMBOM.CO.UK)
Date: Thu Aug 08 2002 - 09:28:19 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    >Someone else pointed out that the right way to design an application
    >that needs both a UI and admin-level rights is to split it into two
    >parts: The trusted part and the non-trusted part. The non-trusted
    >part takes care of the GUI and uses an API like sockets or pipes to
    >talk to the service that's got admin rights.

    Let me point out some other attacks you can use these techniques for,
    so that you understand fully what I'm saying here.

    The scenario: A user has a Windows 2000 box running a personal
    firewall. The firewall only "trusts" Internet Explorer to access the
    Internet.

    Somehow or other, some malicious code gets onto the system. It fires
    up an IE window, and makes it invisible. It injects a DDoS client (or
    whatever) into IE, using exactly the same technique described in my
    paper. That malicious code within IE then accesses the network
    freely, since the personal firewall can't tell the difference. It
    could even send out its traffic as legitimate HTTP requests, so that
    it is more or less untraceable.

    Alternatively, the malicious code could inject itself into the admin
    tool for the personal firewall. Since the firewall is "well designed"
    and doesn't run as localsystem, the malicious code can't elevate its
    privileges. It can, however, add itself to the list of "trusted"
    applications and then do what it likes.

    Would you regard that as a vulnerability? I certainly would.

    How about applications that restrict their UI based on what privileges
    a user has? The app loads, checks privs, and disables certain
    buttons. You send those buttons a message to enable them, and voila -
    you can access those functions.

    Yes, I agree that localsystem windows running on the desktop are not
    necessarily a good idea. My two arguments though, are that 1) The OS
    should be able to cope with something like that, and 2) MICROSOFT DO
    THE SAME THING. There are numerous windows on a standard desktop that
    are localsystem, and hidden - the DDE server for example. Just
    because you can't see a window doesn't mean you can't break into it.

    I'm actually in the process of writing an exploit for one such window
    - no detail though until MS have had a chance to respond. Suffice it
    to say, I can now shatter my way to LocalSystem privileges using a
    guest account on a default install of Win2K, all service packs, all
    hotfixes. Rest assured, details will be forthcoming, but I shouldn't
    and won't say anything more yet.

    Chris 

    -- 
Chris Paget
ivegottatombom.co.uk