flat assembler
Message board for the users of flat assembler.

Thread (forum: Heap): Privilege escalation in all NT-based Windows
LocoDelAssembly (Your code has a bug; Joined: 06 May 2005; Posts: 4633; Location: Argentina)
Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack

In the link you are also provided with a workaround.
Post 20 Jan 2010, 16:05
revolution (When all else fails, read the source; Joined: 24 Aug 2004; Posts: 17279; Location: In your JS exploiting you and your system)
Thanks for forwarding.

Although with all the other currently known security holes that are being actively exploited now I think this one does not yet warrant a panic attack at the moment. But all the same I find no harm for me in disabling the VDM, I never use it anyway. And it follows the age old security advice: "If you don't need it don't enable it".
Post 20 Jan 2010, 16:37
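The post above mentions disabling the VDM as the stop-gap. On Windows that is the machine policy "Prevent access to 16-bit applications", which is stored in the registry value used below (it can equally be set through gpedit.msc). The script is an added example, not code from the thread or from the linked advisory: it reports the current state, applies the policy, reports again, and warns when run on 64-bit Windows, which has no NTVDM at all so the setting changes nothing there. The policy is a workaround, not a fix; the vendor patch still has to be applied.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell.
# "Prevent access to 16-bit applications" (Group Policy: Computer Configuration >
# Administrative Templates > Windows Components > Application Compatibility)
# is read by Windows from this registry value.
#Requires -RunAsAdministrator
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$valueName = 'VDMDisallowed'

function Get-VdmPolicyState {
    # Returns a one-line description of the policy as currently stored.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'not configured (16-bit subsystem allowed)' }
    if ($item.$valueName -eq 1) { return 'disabled by policy' }
    return 'allowed (value present but not 1)'
}

# 64-bit Windows ships no NTVDM, so the policy is moot there. PROCESSOR_ARCHITEW6432
# is only set for a 32-bit process running under WOW64; IntPtr size covers native 64-bit.
if ($env:PROCESSOR_ARCHITEW6432 -or [IntPtr]::Size -eq 8) {
    Write-Warning '64-bit Windows has no 16-bit subsystem; this policy changes nothing here.'
}

'Before: 16-bit subsystem ' + (Get-VdmPolicyState)

if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name $valueName -Value 1 -Type DWord

'After:  16-bit subsystem ' + (Get-VdmPolicyState)

# To revert once the patch is installed and 16-bit applications are needed again:
#   Remove-ItemProperty -Path $policyKey -Name $valueName
```

The policy takes effect for newly started 16-bit programs; anything already running inside an NTVDM instance is unaffected until it exits, so log off (or reboot) after applying it on a shared machine.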
f0dder (Joined: 19 Feb 2004; Posts: 3170; Location: Denmark)
revolution: it's pretty bad because it's around for all 32bit NT versions, and (apparently) allows full LUA->kernelmode privilege escalation. Of course privilege escalations are nowhere nearly as bad as remote exploits, but combined with the recent IE exploit...
Post 21 Jan 2010, 09:43
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
f0dder, how is it so bad? It's as "harmless" as exposing a terminal metastatic person to carcinogenic radiations.

Most people are still using XP, which is installed (even by "professionals") with the default administrator account, without any further configuration or creation of additional unprivileged user accounts. Just check every personal-use machine around you if you don't believe me. As for Vista and 7, most users are actually working at disabling/bypassing these safeguards they consider as annoying.
Malware doesn't even need to escalate privileges since the current user already has full privileges. It can use any of the years-old, not-yet-fixed (by Microsoft or the user) vulnerabilities to gain control of the entire system.

So no, I don't think it's such a big problem that security features that are *not* used to begin with are compromised.

Windows also comes with all services switched on, and most users don't know they exist at all, even less what they're used for, if they're needed and how to disable them. So like everything else, the security advice revolution mentioned can't work in most cases.

As for production systems, sysadmins would be complete idiots to run unknown, potentially malicious code and they'd deserve the consequences. Actually they'd deserve being shot.
Post 21 Jan 2010, 10:55
f0dder (Joined: 19 Feb 2004; Posts: 3170; Location: Denmark)
ManOfSteel wrote:
As for production systems, sysadmins would be complete idiots to run unknown, potentially malicious code and they'd deserve the consequences. Actually they'd deserve being shot.
The dangerous thing about privilege escalation isn't somebody "running unknown code" (as in launching a .exe manually), it's when the escalation is used in conjunction with a remote exploit that would only have given LUA privileges otherwise.

Yeah yeah, a lot of users are running admin-user XP or are moronic enough to disable UAC on Vista/Win7, but that doesn't mean a thing like this isn't pretty damn bad for the rest of us that actually care a bit about security.
Post 21 Jan 2010, 15:51
LocoDelAssembly (Your code has a bug; Joined: 06 May 2005; Posts: 4633; Location: Argentina)
Quote:
As for production systems, sysadmins would be complete idiots to run unknown, potentially malicious code and they'd deserve the consequences. Actually they'd deserve being shot.

Certainly, but what about workstation users that are supposed to be kept limited to their limited accounts and now have this backdoor to bypass the limitations?

Cybercafes with the computers set up with non-privileged accounts would also be vulnerable to a customer installing spyware, maybe hacking the program that counts the time used, etc.

Obviously this flaw affects a very small percentage of the computers running Windows because of the fact that they run with admin privileges all the time, but I don't think this flaw is unimportant to anybody.
Post 21 Jan 2010, 16:12
Borsuc (Joined: 29 Dec 2005; Posts: 2466; Location: Bucharest, Romania)
ManOfSteel wrote:
As for Vista and 7, most users are actually working at disabling/bypassing these safeguards they consider as annoying.
Because those "safeguards" are annoying and non-transparent. Why do you think so many people want to opt for "an anti-virus" instead? They don't want archaic, annoying security, they want automated, modern and non-obtrusive and transparent security -- like firewalls that prompt you only when an app changed/tries to access the net without prior permission, etc, sandboxes, etc. (obviously anti-viruses are more about business than security, but that was not my point... people still think they are good).

And I did disable all services that allow remote access to my machine.

Oh and the good thing with the sandbox is that it cures the "virus" in the machine (sandbox removal) instead of just letting it rot there but not being able to do a thing (no privileges).

_________________
Previously known as The_Grey_Beast
Post 21 Jan 2010, 16:48
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
f0dder wrote:
it's when the escalation is used in conjunction with a remote exploit that would only have given LUA privileges otherwise.

Obviously. And if firewalls are well configured and services are kept up to date, sysadmins will have enough time to close the hole. Chances are slim for a zero-day attack on every single component of the system at the same time (unless we're talking about a well-informed, state-level, Hollywoodian conspiracy). The outcome depends greatly on the sysadmins' competence. Doesn't it always?
Post 21 Jan 2010, 22:45
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
LocoDelAssembly wrote:
what about workstation users

Yeah, because they're all blackhats.
And let's suppose they are. They're probably looking for another user's files and could boot off a live CD. Sysadmins often overlook the BIOS and the possibility of booting off of alternative media.
The main reason sysadmins limit workstation users is to ease their maintenance work by preventing the installation of third-party applications or the modification of system-wide configuration.
And if you're talking about the 0.0001% just-fired, vengeful hackers, they're more likely to delete their own work files before leaving as an act of sabotage or mount a DDoS attack remotely or something.

LocoDelAssembly wrote:
Cybercafes

Most are a mess. They're not getting any messier now that one more Windows bug has been added to the pile.

LocoDelAssembly wrote:
customer installing spyware

Where have you been living in the past decade? Spyware can steal/spy on the current user's files and usage behavior/history, and be loaded on every startup from the current user's startup directory or HKCU. No need for privilege escalation at all.
Post 21 Jan 2010, 23:02
LocoDelAssembly (Your code has a bug; Joined: 06 May 2005; Posts: 4633; Location: Argentina)
Quote:
Spyware can steal/spy on the current user's files and usage behavior/history, and be loaded on every startup from the current user's startup directory or HKCU.

This, provided that no extra permission settings are added to prevent that, which of course is possible to do.

Quote:

Most are a mess. They're not getting any messier now that one more Windows bug has been added to the pile.

So, since most != all, this is still important to some people.

Quote:

Yeah, because they're all blackhats.
And let's suppose they are. They're probably looking for another user's files and could boot off a live CD. Sysadmins often overlook the BIOS and the possibility of booting off of alternative media.
The main reason sysadmins limit workstation users is to ease their maintenance work by preventing the installation of third-party applications or the modification of system-wide configuration.
And if you're talking about the 0.0001% just-fired, vengeful hackers, they're more likely to delete their own work files before leaving as an act of sabotage or mount a DDoS attack remotely or something.
Only one is enough, and could install a backdoor to still have access to the workstation after being fired (for something else). Also, I don't understand the need for ultra expertise here; are game cheaters all proficient Assembly programmers and supra-expert reverse engineers? I think all that is needed is to download something already cooked by someone else...
Post 21 Jan 2010, 23:21
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
Borsuc wrote:
Because those "safeguards" are annoying and non-transparent.

Security is always annoying. I'd love having no door to open/close when entering/leaving my dwelling!
Unfortunately (for you and the annoyed) proper computer security is not a 50/50 game. It's maybe 90% restrictions and 10% freedom. And when you're the one implementing security (not your tools, for you) and you understand how it works, you enjoy those 10% even more.
And yes "security" by obscurity is not security, but I don't see how LUA in itself is "security" by obscurity. It all depends on its design and implementation.

Borsuc wrote:
Why do you think so many people want to opt for "an anti-virus" instead

Because they're idiots? I'll summarize the point of my last post for you: security vulnerabilities are irrelevant for 99.99% of users because they're ignorant and careless idiots who don't understand or care about the implications.
So yeah, they can *feel* safe until the day they're bitten in the ass, they have their epiphany, realize how idiot they were and ditch their false gods.

Borsuc wrote:
they want automated, modern and non-obtrusive and transparent security -- like firewalls

... that they can't even configure properly beyond the few settings that are clickable. Even then, they still don't understand much about security concepts. It's like putting mentally retarded in a bunker and giving them the key.

Borsuc wrote:
obviously anti-viruses are more about business than security

They're about scam business and very bad security concepts. And what's more, they're completely losing the battle.

Borsuc wrote:
people still think they are good

Because they're ...
Post 21 Jan 2010, 23:28
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
LocoDelAssembly wrote:
This, provided that not extra permission settings are added to prevent that which of course is possible to do.

*Everything* bearing the sign of your ownership and permission is accessible and alterable by you... or anything "pretending" to be you, like a program (interpreted or binary) that was executed within your current session.
What extra permission can be added? Do you switch users every time you want to execute an application or access a set of files? Because if you don't, there's nothing preventing an *unprivileged* application from scanning all your files or browser history or any MRU, all day long, and sending reports in short, not-easily-detected bursts.
Only a well-configured firewall could block that and/or alert you, provided it has no vulnerability on its own.

LocoDelAssembly wrote:
could install a backdoor to still have access to the workstation after fired

So again we're not talking about privilege escalation. We're talking about no host and corporate firewall, or compromised or badly configured ones. Or outdated, compromised services. All that is easily fixed by a good sysadmin. But it probably wouldn't (or rarely) happen in the first place if the sysadmin was a good one.

LocoDelAssembly wrote:
I don't understand the need for ultra expertise here

Oh, you probably mean those script kiddies who install *games* such as SubSeven, BackOrifice and co.? I'd like to see more evidence of "normal" computer users writing breakthrough, stealthy backdoors/trojans/worms/rootkits. All those "precooked solutions" can be detected and removed within hours by good sysadmins. Keeping computer-related corporate interests safe is part of their job description after all.
Post 22 Jan 2010, 00:13
LocoDelAssembly (Your code has a bug; Joined: 06 May 2005; Posts: 4633; Location: Argentina)
Quote:
We're talking about no host and corporate firewall,

Why should something awaiting orders by connecting to an HTTP server periodically be detected by a corporate firewall? And the local firewall would already be subverted by the local privilege escalation.

Quote:
*Everything* bearing the sign of your ownership and permission is accessible and alterable by you... or anything "pretending" to be you,

Well, f0dder can probably expand more on this, but yes, you can be prevented from changing the permissions of your own things; Windows allows doing that, disallowing the owner to change permissions.

Quote:
Only a well-configured firewall could block that and/or alert you, provided it has no vulnerability on its own.

And that firewall needs nothing subverting it, as a privilege escalation could well do.

And once the "evil customer" leaves, the session could be automatically closed, which would kill all programs, and because of the permissions thing I've said above the spyware could not start again (unless of course privilege escalation helped to forcefully install it).

Quote:
Oh, you probably mean those script kiddies who install *games* such as SubSeven, BackOrifice and co.? I'd like to see more evidence of "normal" computer users writing breakthrough, stealthy backdoors/trojans/worms/rootkits. All those "precooked solutions" can be detected and removed within hours by good sysadmins. Keeping computer-related corporate interests safe is part of their job description after all.

Why do we have to assume that the corporate network has only "normal" users? I agree that most pre-cooked things will be detected, but certainly there will be a window of time in which it will not be known by the sysadmin's detection tool. There are some sophisticated Joanna Rutkowska-like things that will need to be detected off-line, and even that would not be proof that the computer itself is safe to use just because the workstation user was able to run a driver once, but of course this scenario is too extreme.

I made myself clear earlier that this is important to *some* people, not all, didn't I?
Post 22 Jan 2010, 00:49
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
So there's a way to prevent *me* from writing an entry to *my own HKCU* that allows the execution of code every time *I* log in? Didn't know that.

Why keep the spyware ON, when the users are gone [ <- unintentionally writing tech poetry hehe ]? Isn't the main objective of spyware, to spy on the users when they're actually doing something, i.e. are currently logged in? It's not like it can't do all its job during the session.


Yes, malware can compromise a local firewall if it can escalate privileges, but it won't necessarily do so unless it's specifically programmed to detect and compromise a particular brand.

Plus, you're counting on the corporate firewall allowing HTTP traffic, and allowing it to and from that specific machine, which may or may not be true. Remove these conditions and the malware fails. Have it use any exotic port/protocol or have a sneaky behavior and it will fail. The malware may probe the gateway for open ports on egress, but a well-configured firewall should detect and/or block all that. The firewall may only allow scanning from one IP address, that of the sysadmin's laptop. The malware fails. On its first slip, it gets detected and busted. If the sysadmin suspects anything is wrong, he can analyze the network traffic or simply read firewall logs, which can contain *any* type of allowed or blocked connection, from and to any source or destination. It's a good practice to do that routinely, ... like every day.
In other words, the malware can only work if it's an inside job, done by an experienced person who knows about the company's network functioning, structure and rules. And it will only work for some time before a sysadmin finds it and removes it, and the culprit is sent to jail.


If you check my very first post, you can see I never used the word "all" and I said "most people/users".
Post 22 Jan 2010, 01:37
LocoDelAssembly (Your code has a bug; Joined: 06 May 2005; Posts: 4633; Location: Argentina)
Quote:
So there's a way to prevent *me* from writing an entry to *my own HKCU* that allows the execution of code every time *I* log in? Didn't know that.

Well, I have to investigate this further because, contrary to file permissions, I don't see the item "change permissions" in the "Effective permissions" tab. f0dder, could you shed some light on this?

Quote:
Why keep the spyware ON, when the users are gone [ <- unintentionally writing tech poetry hehe ]? Isn't the main objective of spyware, to spy on the users when they're actually doing something, i.e. are currently logged in? It's not like it can't do all its job during the session.

Because, when the user leaves and a new one comes in (remember we are talking about the cybercafe scenario here), the new one could be spied on by the previous customer. However, if the billing software also logs out the station once the customer leaves, then the next one is not affected unless the spyware managed to install itself in such a way that it will be fired at session start-up.

Quote:

Yes, malware can compromise a local firewall if it can escalate privileges, but it won't necessarily do so unless it's specifically programmed to detect and compromise a particular brand.
I don't see why some couldn't. Besides, it could install some driver so the firewall itself could not even see the new "application".

Quote:
Plus, you're counting on the corporate firewall allowing HTTP traffic,

Which is much more usually open than anything else (typically proxied though, but still not an issue).

Quote:
If you check my very first post, you can see I never used the word "all" and I said "most people/users".

But you seem to insist that this flaw is completely unimportant because of that fact, when actually some people get their security diminished because of it.
Post 22 Jan 2010, 02:38
LocoDelAssembly (Your code has a bug; Joined: 06 May 2005; Posts: 4633; Location: Argentina)
Ok, I've tried it myself. I followed the steps here: http://www.ghacks.net/2008/03/12/windows-tip-edit-user-registry-of-other-users/ (Read the comments, the steps were extracted from there).

Then I've denied all permissions to \Software\Microsoft\Windows\CurrentVersion\Run but "query value", "enum subkeys" and "notify" (I'm guessing the English names for those permissions, my XP is Spanish). After doing that I wasn't able to change permissions with regedit from the modified account. I'm denied because regedit says it cannot list the permissions BUT I can still modify them. However, after adding permissions for full access then a MessageBox appears telling me that access to change "run" permissions is denied.

Not sure if the key is really protected though, perhaps it could be still possible to perform changes with some programming instead of using just regedit.

Another trick could be changing ownership to a third account and make the legitimate user as part of the ACL, that way it could access the key for being part of the group, but the user won't be allowed to change the key because it doesn't own it anymore.

[edit]You can actually commit suicide in some keys like Run by denying yourself "Write DAC (or ACL in the English version?)" and "Write owner" (but since I've disabled only that, I was still able to create keys and read/write and delete the key). With that I wasn't able to change permissions anymore, despite having normal access to the permissions dialog instead of not being able to see anything like before. However, for keys like \Software\Microsoft\Windows\Shell\BagMRU doing that wasn't enough; I can't prevent myself from modifying permissions even if I deny all permissions (and I don't even get the regedit error I mentioned above).[/edit]
Post 22 Jan 2010, 03:17
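The experiment above is done by hand in regedit from inside the limited account. The script below is an added example, not code from the post, showing how an administrator would apply the same idea to a kiosk-style account from the outside, and it takes the second trick from the post (move ownership to another account) rather than the self-deny one: an object's owner is implicitly granted READ_CONTROL and WRITE_DAC whatever the DACL says, so while the user still owns the key a deny entry does not reliably keep them out of its permissions. It goes further than the post's test in one respect: the user is left with read access only, so nothing running as that user can add a Run entry at all. Assumptions, all hypothetical: the limited account is a local user named 'kiosk', the script runs elevated, and the user's hive is loaded under HKEY_USERS\<SID> (the user is logged on, or it was loaded with reg load first).

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell.
# Assumptions (hypothetical): the limited account is a local user 'kiosk', and
# its hive is loaded under HKEY_USERS\<SID> (user logged on, or loaded with
#   reg load HKU\<SID> C:\Users\kiosk\NTUSER.DAT
# beforehand).
#Requires -RunAsAdministrator
param([string]$UserName = 'kiosk')

$user   = New-Object System.Security.Principal.NTAccount($UserName)
$sid    = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
$admins = New-Object System.Security.Principal.NTAccount('BUILTIN\Administrators')
$system = New-Object System.Security.Principal.NTAccount('NT AUTHORITY\SYSTEM')
$subKey = "$sid\Software\Microsoft\Windows\CurrentVersion\Run"
$rights = [System.Security.AccessControl.RegistryRights]

# Open the key with only the access needed to read and rewrite its security descriptor.
$key = [Microsoft.Win32.Registry]::Users.OpenSubKey($subKey,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    ($rights::ReadPermissions -bor $rights::ChangePermissions -bor $rights::TakeOwnership))
if ($null -eq $key) { throw "HKU\$subKey not found: is the hive for '$UserName' loaded?" }
$acl = $key.GetAccessControl()

# 1. Take ownership away from the user. The owner of an object is implicitly
#    granted READ_CONTROL and WRITE_DAC regardless of the DACL, so a deny ACE
#    alone does not reliably stop the owner from re-editing the permissions.
$acl.SetOwner($admins)

# 2. Cut inheritance from the parent key (without copying the inherited ACEs)
#    and drop every explicit entry the user currently has.
$acl.SetAccessRuleProtection($true, $false)
$acl.PurgeAccessRules($user)

# 3. Explicit grants: the user may read and enumerate the key, nothing more;
#    Administrators and SYSTEM keep full control so the key stays manageable.
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($grant in @(
        @{ Id = $user;   Rights = $rights::ReadKey },
        @{ Id = $admins; Rights = $rights::FullControl },
        @{ Id = $system; Rights = $rights::FullControl })) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $grant.Id, $grant.Rights, $inherit, $prop, $allow
    $acl.AddAccessRule($rule)
}
$key.SetAccessControl($acl)
$key.Close()

# Check: re-read the descriptor. Expected: owner BUILTIN\Administrators, and the
# user's only entry an Allow for ReadKey with IsInherited = False.
$check = [Microsoft.Win32.Registry]::Users.OpenSubKey($subKey).GetAccessControl()
'Owner: ' + $check.GetOwner([System.Security.Principal.NTAccount])
$check.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

Two caveats a practitioner would want. First, the Run key is one of several per-user autostart locations (RunOnce, the Startup folder, and others); the Startup folder gets the same treatment with an NTFS ACL, owner moved to Administrators and the user granted read only. Second, this only constrains code that runs as the limited user; it is exactly the control that the kernel privilege escalation this thread is about lets malware step over, which is the point f0dder and LocoDelAssembly are making.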
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
LocoDelAssembly wrote:
Because, when the user leaves and a new one comes in (remember we are talking about the cybercafe scenario here), the new one could be spied on by the previous customer. However, if the billing software also logs out the station once the customer leaves, then the next one is not affected unless the spyware managed to install itself in such a way that it will be fired at session start-up.

Okay, so only one user is being spied on. Does it make it any better? The user was spied on, the behavior was tracked, the data was stolen. And the user will still be a victim of the spyware every time he uses his account.
And nothing says subsequent users won't fall into the same trap as the previous one fell into. When a malware epidemic starts, many systems get infected worldwide within days or weeks. Should I give examples of the most famous (and often tragicomic) ones between 2000 and 2009?
Also, services such as social networking websites have been compromised and used as spreading media and as "logistical bases" more than once in the past and virtually everyone today has an account on one or another and uses it on a daily basis in public access points such as cybercafes, schools, universities, airports, etc. What's even worse is that many of these access points have single "guest" accounts for ease of maintenance and shortage of storage space, thus widening the extent of the damage.


LocoDelAssembly wrote:
I don't see why some couldn't. Besides, it could install some driver so the firewall itself could not even see the new "application".

I never said it couldn't and such a thing has already been done years ago for the most popular AVs for example.

I'm just saying it has to target a particular brand of firewall if it's an insider job, or every single brand available on the market otherwise. It may also have to take account of possible custom versions for specific corporations.

About the driver thing, you're supposing the firewall is a strictly application-layer one (OSI layer 7). Network-layer (OSI layer 3) packet filters only care about packets coming in and going out. The "driver" can hide the malware all it wants, the packets are still getting intercepted, blocked and reported. Unless the malware can, once again, target that specific brand (which may very well be customized).

And it still has no way to compromise the corporate firewall unless it successfully exploits a vulnerability in it.

Do you realize the odds here?


LocoDelAssembly wrote:
Which is very much usual to be open than any other else (typically proxied though, but yet not an issue)

We're talking about workstations here. The corporation may not even have open HTTP ports. Web browsing may be blocked on all levels of firewalling. Any corporation that handles sensitive data will *definitely* physically separate the Internet, extranet and intranet access, or at the very least strictly filter all communication on a department level with a router-firewall.


LocoDelAssembly wrote:
But you seem to insist that this flaw is completely unimportant because of that fact when actually some people gets its security diminished because of this.

Don't take what I say out of context. I explicitly said it is unimportant... for most users. I was obviously excluding the *few* who do care about it because they implement privilege separation. In this thread alone, I'm not sure all participants actually implement and care about it, and we're on a technical forum. Make a poll and ask people on the street or on the most popular forums. I'm confident the results will be near this:
Code:
o My OS implements LUA by default [          ] 0%
o I implement LUA myself          [          ] 0%
o I don't implement LUA           [          ] 0%
o WTF are you talking about       [||||||||||] 100%
    



LocoDelAssembly wrote:
Ok, I've tried it myself.

Very well. It can be done. Have you seen it applied anywhere? I haven't and I'm curious how many sysadmins are even aware this is possible.
Post 22 Jan 2010, 12:40
LocoDelAssembly (Your code has a bug; Joined: 06 May 2005; Posts: 4633; Location: Argentina)
Quote:


Okay, so only one user is being spied on. Does it make it any better? The user was spied on, the behavior was tracked, the data was stolen. And the user will still be a victim of the spyware every time he uses his account.
And nothing says subsequent users won't fall into the same trap as the previous one fell into.

The context was that the first one is the "evil customer" that attempts to spy on anybody else by self-installing spyware. However, with appropriate registry and file protections, once the station is logged off the spyware would be gone. If the first user is also a victim because (s)he downloaded spyware accidentally, then yes, it is a problem, and it would be a much bigger one if it can escalate privileges to install permanently.

Also, thanks to the privilege escalation you would have green light to install rootkits which are harder to detect than just looking into the registry to see if there is something new. (This part applies to both cybercafes and corporations)

Quote:
About the driver thing, you're supposing the firewall is a strictly application-layer one (OSI layer 7). Network-layer (OSI layer 3) packet filters only care about packets coming in and going out. The "driver" can hide the malware all it wants, the packets are still getting intercepted, blocked and reported. Unless the malware can, once again, target that specific brand (which may very well be customized).

So, the Layer-3 part of the firewall will block TCP port 80 traffic despite allowing it for Firefox? And if it does stateful packet inspection at that level, you can of course continue with the plan of using the non-suspicious HTTP protocol in the traffic.

Quote:
Don't take what I say out of context. I explicitly said it is unimportant... for most users. I was obviously excluding the *few* who do care about it because they implement privilege separation.
Sorry for the misunderstanding.
Post 22 Jan 2010, 15:53
LocoDelAssembly (Your code has a bug; Joined: 06 May 2005; Posts: 4633; Location: Argentina)
Something that just came to my mind: how many firewalls detect injected threads in user-approved applications? I see that limited accounts can debug their own open applications. Any way to limit that?
Post 22 Jan 2010, 16:12
f0dder (Joined: 19 Feb 2004; Posts: 3170; Location: Denmark)
LocoDelAssembly wrote:
Something that just came to my mind: How many firewalls detect injected threads in user approved applications? I see that limited accounts can debug its own opened applications. Any way to limit that?
Some HIPS monitor for (and/or blocks) "suspicious behavior" - including thread injection, stuff like writing to executables (especially if executing them afterwards; ThreatFire didn't like fSekrit), etc.

Been a while since I've ran any malware protection, so I dunno what's being detected today, or how it's done... a whole bunch of protections would, afaik, require kernel patching and thus aren't doable on x64.

_________________
carpe noctem
Post 22 Jan 2010, 16:24
Copyright © 1999-2020, Tomasz Grysztar.