flat assembler
Message board for the users of flat assembler.

Heap > Privileges escalation in all NT-based Windows (page 2)
Borsuc
Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
ManOfSteel wrote:
Security is always annoying. I'd love having no door to open/close when entering/leaving my dwelling!
Unfortunately (for you and the annoyed) proper computer security is not a 50/50 game. It's maybe 90% restrictions and 10% freedom. And when you're the one implementing security (not your tools, for you) and you understand how it works, you enjoy those 10% even more.
And yes "security" by obscurity is not security, but I don't see how LUA in itself is "security" by obscurity. It all depends on its design and implementation.
But you can always make the annoying more pleasant by making it transparent and as automated as possible. Straightforward security measures like sandboxes and firewalls are examples. You know, some things do improve.

ManOfSteel wrote:
Because they're idiots? I'll summarize the point of my last post for you: security vulnerabilities are irrelevant for 99.99% of users because they're ignorant and careless idiots who don't understand or care about the implications.
Careful what you say, I was merely implying demand. People DEMAND easy security, and obviously companies deliver with anti-viruses -- might not be very efficient security-wise, but they are still at least automated.

I hate anti-viruses as much as the UAC, mind you. I prefer the 'middle' solution: light and intuitive. Sandbox+Firewall.

ManOfSteel wrote:
... that they can't even configure properly beyond the few settings that are clickable. Even then, they still don't understand much about security concepts. It's like putting mentally retarded in a bunker and giving them the key.
Why do you have a problem if others (the firewall devs) are trying to make it easy to use? More precisely, why do you want to stick with the archaic hard-to-use concepts forever?

No, fully automatic and clueless people will not lead to a safe system, but it's not necessary anymore to "do it the hard way". Most firewalls come pre-configured with very good settings (and please don't start with 'exceptional' situations, I'm talking about average desktop use...) that prompt you when major breaches are suspected. Port forwarding is a snap, a few clicks. Allowing certain apps access, a few clicks too.

One thing I hate is automated response when major breaches are suspected -- I very much prefer to be informed and click "Allow" or "Disallow". But beyond that, automatic FTW.

ManOfSteel wrote:
Because they're ...
Again, I was talking about demand. This isn't an opinion, it's a fact.

_________________
Previously known as The_Grey_Beast
Post 22 Jan 2010, 17:42
Borsuc
Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
f0dder wrote:
Been a while since I've run any malware protection, so I dunno what's being detected today, or how it's done... a whole bunch of protections would, afaik, require kernel patching and thus aren't doable on x64.
It's why it sucks for me, I can't use my sandbox :(

_________________
Previously known as The_Grey_Beast
Post 22 Jan 2010, 17:48
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
Borsuc wrote:
f0dder wrote:
Been a while since I've run any malware protection, so I dunno what's being detected today, or how it's done... a whole bunch of protections would, afaik, require kernel patching and thus aren't doable on x64.
It's why it sucks for me, I can't use my sandbox :(
SandboxIE has (finally) been released for x64... not with all of the 32bit version's features, though.

Sandboxing is a good idea, but you can't rule out the risk that out-of-the-box exploits are discovered (the more popular the sandbox, the more likely to be targeted - dunno if any of the generic exploits have attempted it, though). Heck, even full-blown virtual machines have had break-out holes (dunno if they have been exploited, but I've seen at least one vmware bugfix changelog mentioning the possibility of break-out).

_________________
carpe noctem
Post 22 Jan 2010, 17:56
ManOfSteel
Joined: 02 Feb 2005
Posts: 1154
LocoDelAssembly wrote:
So, the Layer-3 part of the firewall will block TCP port 80 traffic despite it allows it for Firefox?

It will block all packets using proto TCP port 80. Depending on the Internet/extranet/intranet separation, it may allow HTTP traffic to/from the intranet website and block everything else. Or it may simply block everything. Firefox will return something like "no route", "routing error", "cannot connect to remote server", or something like that. I don't know the exact message since I don't use Firefox.
Post 22 Jan 2010, 18:16
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
ManOfSteel wrote:
LocoDelAssembly wrote:
So, the Layer-3 part of the firewall will block TCP port 80 traffic despite it allows it for Firefox?

It will block all packets using proto TCP port 80. Depending on the Internet/extranet/intranet separation, it may allow HTTP traffic to/from the intranet website and block everything else. Or it may simply block everything. Firefox will return something like "no route", "routing error", "cannot connect to remote server", or something like that. I don't know the exact message since I don't use Firefox.
Most normal workplaces allow outgoing HTTP traffic, though, and if they limit available sites it's usually through black- rather than white-listing... it's hard for a firewall to determine which traffic is legitimate and which isn't (there's heuristics and signatures, but that might not catch 0day stuff). And if the connection is made through SSL, there isn't really much a non-HIPS firewall can do :)

Anyway, the exploit that this thread was originally about is pretty interesting - I can see how it has gone unnoticed, it's not exactly your everyday run-of-the-mill buffer overflow.

_________________
carpe noctem
Post 22 Jan 2010, 19:30
ManOfSteel
Joined: 02 Feb 2005
Posts: 1154
Borsuc, security implementation, just like any system configuration, may be completely transparent depending on the system you're using and whether you are the one doing the implementation or you're relying on tools.
And yes, for *me* it's pleasant if you ask me. But please, don't even try to convince me implementing real, robust security can be pleasant for your average Joe. It is I.M.P.O.S.S.I.B.L.E. Semblance of security OTOH can be "easy", "pleasant", "intuitive", yes, maybe...

I've already told you what I think of firewalls with a few clickable settings. A few "your computer is safe", "block this" and "allow that" are so very useful for all these users who don't even know what a port or protocol is.
What they don't know is that the firewall didn't just drop the packets but has closed the connection, violated stealth and indirectly told the attackers they found a potential, protected, and therefore interesting target. Users will be as happy and ignorant as before while their machine is being paranoid-scanned, OS-footprinted, firewall-probed, before the attackers find a vulnerability somewhere and exploit it.
As for the different user-friendly action prompts, users will just randomly click yes/no, block/allow, etc. I've seen it so many times I'm tired and sick of it. Can I expect more from people who will click a URL/image saying "The Windows Anti-Virus Solution, click here to download!" and get infected with the latest malware-scam?

If it's "as automated as possible", then you don't understand exactly (or at all) what's happening since the system/tool is doing it for you. It becomes non-transparent de facto. It's not like you're the one coding the routines that implement security. You're contradicting yourself.

Furthermore, there is no such thing as easy security. Networking and computer security is one of the most intricate subjects in modern technology. It cannot possibly be made easy. It takes years to grasp the concepts and a lifetime to master them. I don't know if you even comprehend the stupidity of your claims. If you talked to security experts and competent sysadmins, they would laugh their asses off so much they'd need defibrillation instantly.
Post 22 Jan 2010, 19:41
Borsuc
Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
You see, there's nothing wrong with denying an app access to the net. Even if it was legitimate (i.e. not malware). I do it 90% of the time. The only time I don't do it is when I know it needs a network feature and I use it at that time (such as when I type a URL and click enter... ;)). Furthermore, if it gets modified, the hash checksum(s) will fail in the firewalls and it will tell you that it changed when it tries to access the net, even if allowed previously. If I know I updated it I click yes, otherwise absolutely no, then go and delete the sandbox.

ManOfSteel wrote:
before the attackers find a vulnerability somewhere and exploit it.
such as?

Remember: no remote control, no server examples, and no "open ports" unless I'm running a specific app which uses them (and that's usually either just the browser or a video game, both in a sandbox...) -- the firewall works on a per-app basis, not a per-port basis (even though I can also configure ports for the apps individually).

And obviously I have to repeat: no ability for remote access. You can't exploit what is not available (since I uninstalled those services).

_________________
Previously known as The_Grey_Beast
Post 22 Jan 2010, 20:11
LocoDelAssembly
Your code has a bug
Joined: 06 May 2005
Posts: 4633
Location: Argentina
OK, this bug won't be exploitable via arbitrary code execution in IE because it is now fixed: http://blogs.zdnet.com/security/?p=5324

The stupid bastards did know about this since August and in the meantime it affected some people before it was publicly known. How much I hate when they do that >:(
Post 22 Jan 2010, 21:16
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
Borsuc: it takes something to break a setup like that... first you need a way in at all (web browser being the most likely target), then you need to break out of the sandbox (might or might not be possible), and finally you need to subvert the firewall (probably not too hard if you broke the other two parts - you might have image checksums, but that's on-disk).

Not immune to targeted attacks, but probably not very likely that a generic automated attack contains breaks for all that :)
Post 23 Jan 2010, 09:05
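The hash-checked per-application rules Borsuc describes, and f0dder's caveat that such checksums only cover the on-disk image, can be shown in a few lines. The following is an added illustration written for this page, not code from the forum or from any firewall product: it keeps an allow-list keyed by the executable's SHA-256, allows a known and unchanged program, and falls back to a prompt when the program is unknown or its on-disk image has changed. The file names, the "browser.exe" stand-in and the decision labels are all constructed for the example.

```python
"""Per-application network allow-list keyed by the executable's SHA-256.
Added example for this thread; not code from the forum or from any
firewall product. Paths, names and policy labels are constructed."""
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash the on-disk image in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(path, allow_list):
    """Decide one outbound connection attempt by the program at `path`.

    Returns one of:
      "allow"           - program is known and its on-disk hash still matches
      "prompt-changed"  - program is known but the image changed (update or tampering)
      "prompt-unknown"  - program has never been allowed before
    Only the on-disk image is checked: a process subverted in memory after
    loading still presents the same file hash, which is f0dder's point above.
    """
    if path not in allow_list:
        return "prompt-unknown"
    if sha256_of_file(path) != allow_list[path]:
        return "prompt-changed"
    return "allow"


def remember(path, allow_list):
    """Record the current on-disk hash after the user clicked 'Allow'."""
    allow_list[path] = sha256_of_file(path)


def demo():
    """Walk a constructed binary through unknown -> allowed -> changed."""
    d = tempfile.mkdtemp()
    browser = os.path.join(d, "browser.exe")  # constructed stand-in, not a real program
    with open(browser, "wb") as f:
        f.write(b"MZ original image")
    allow_list = {}
    results = [decide(browser, allow_list)]      # never seen: prompt-unknown
    remember(browser, allow_list)                # user clicked Allow once
    results.append(decide(browser, allow_list))  # same image: allow silently
    with open(browser, "wb") as f:               # simulate an update or tampering
        f.write(b"MZ modified image")
    results.append(decide(browser, allow_list))  # hash mismatch: prompt-changed
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that a mismatch is never auto-resolved: the firewall surfaces it and the user decides whether it was their own update, which is exactly the behaviour Borsuc relies on. A replaced binary is caught; code injected into an already-running, already-allowed process is not, so the check complements rather than replaces the sandbox.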
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17279
Location: In your JS exploiting you and your system
LocoDelAssembly wrote:
OK, this bug won't be exploitable via arbitrary code execution in IE because it is now fixed: http://blogs.zdnet.com/security/?p=5324
Or, at least, it won't be exploitable by that particular previously known bug. But it may still be exploitable by another, as yet unpublicised, bug.
Post 24 Jan 2010, 02:07
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17279
Location: In your JS exploiting you and your system
It seems this flaw is going to be fixed in this month's round of updates.

http://www.physorg.com/news184833289.html
Post 08 Feb 2010, 12:14
Borsuc
Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Really, who uses untrusted DOS software anyway? :P

_________________
Previously known as The_Grey_Beast
Post 08 Feb 2010, 21:15
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17279
Location: In your JS exploiting you and your system
Borsuc wrote:
Really, who uses untrusted DOS software anyway? :P
The hackers use it. That is why we have the VDM, so that the hackers can break into our computers and steal our banking passwords.
Post 08 Feb 2010, 22:37
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
revolution wrote:
Borsuc wrote:
Really, who uses untrusted DOS software anyway? :P
The hackers use it. That is why we have the VDM, so that the hackers can break into our computers and steal our banking passwords.
:D :P ;)

_________________
carpe noctem
Post 09 Feb 2010, 06:18
Copyright © 1999-2020, Tomasz Grysztar.