Shattering Windows 965
ChrisPaget writes: "I've just released a paper documenting and exploiting fundamental flaws in the Win32 API. Essentially, they allow you to take control of any window on your desktop, regardless of whether that window is running as you, localsystem, or anywhere in between. The technique has been discussed before, but AFAIK this is the first working exploit. Oh, did I mention it's unfixable?" You may want to read this CNET interview with Microsoft security head Scott Charney to learn even more about "trustworthy computing."
Fixability (Score:4, Interesting)
Devil's Advocate... (Score:2, Interesting)
Simple fix: require each user to wear a straitjacket with their legs and arms bound to the chair; have them type via the mouth-to-pencil-to-keyboard method.
There are advantages... (Score:3, Interesting)
You can make a program that can take any window on your screen, study it, and use it. Imagine the testing possibilities. I think WinRunner and Rational Robot both use message hooks in order to run their regression testing utilities.
Is there anything like that in linux? AskSlashdot [slashdot.org] encountered someone trying to find this...
the basic problem (Score:3, Interesting)
Q: I understand security was not your original calling, so to speak.
A: I'm a lawyer by training, so I'm a little bit like a fish out of water, although I'm more technical than most lawyers. I started my career as a prosecutor in Bronx County, New York. Then I joined the feds and went to Honolulu for three years. So, I haven't exactly had the normal career path. But it's been a very interesting ride.
So what exactly qualifies this guy to be a security guru, let alone THE HEAD of security at the software company that sells the most widely used OS on the planet?
If you ask me, I find that frightening.
I've said it here before a zillion times over the years and I'll say it again. Nearly every problem in the software industry today can be traced back to handing over an engineer's job to a non-engineer.
True - if you take a company of nothing but engineers, you'll have a product nobody understands how to use, and nobody can sell. But if you have a company of nothing but MBAs and lawyers, you have a company that sells nothing but a lot of vapor and hype. This is the personification of Microsoft.
Re:Security from the ground up. (Score:3, Interesting)
"In order to avoid this problem, we are restricting running code to ONLY applications that are signed by Microsoft, or signed by a Microsoft-granted key."
How many open-source projects will run out and get one of these keys?
Re:Take control? (Score:2, Interesting)
Get back under your bridge.
Re:Security from the ground up. (Score:4, Interesting)
I'm sure that good open source developers are responsible enough to apply for a key. The real question is, will a non-profit open source project be allowed to get a key, or will Redmond only talk to companies that can wave some cold hard cash in their direction? $50,000 for an application key sounds like a profitable business plan to me.
Re:Is this really a security risk? (Score:3, Interesting)
My point is that there doesn't have to be any user interaction at all, and that the program can determine which windows have a higher priority and escalate their privileges via this exploit. Also, it's not all that difficult anyway to just iterate through all the top-level windows in the system (via the EnumWindows function) and check them that way instead of using WindowFromPoint.
Re:Don't Do That (Score:2, Interesting)
Any links or posts describing the issue would be appreciated.
Have local access? Try Locksmith. (Score:4, Interesting)
The method in the article seems like a lot of trouble.
This software provides you with a new administrator password: Locksmith. [winternals.com]
Re:Don't Do That (Score:2, Interesting)
Re:Fixability (Score:3, Interesting)
Correct me if I'm wrong, but I'm pretty sure that PostMessage puts a message on the queue whereas SendMessage skips the queue and gets handled straight by the application without examination. Of course, an application could handle every message, but in practice 99% of applications will leave the default Windows handling of most messages. (Handling all manually is not feasible.)
"cap the WPARAM at some small value"
I think you misunderstand that. WPARAM is a fixed-size double word (4 bytes). The problem is that it is often used as a pointer to a memory location. Obviously, you can't cap the target of a pointer, since no information is passed in the length.
"Most applications won't use the callback feature of WM_TIMER anyway"
AFAIK, if you don't handle the callback feature (99% of apps), you get the default handling, which is to execute the code as the article describes.
Re:Security from the ground up. (Score:5, Interesting)
They are not security measures. They are control measures that can provide security only as a by-product and only to the extent that security can be provided by mandating a single source policy.
Palladium is designed to guard against this exact kind of attack.
No. Palladium is designed to take away general purpose computing from the public.
I liked Microsoft's response to him - his "attack" already requires that 2 of the top 10 security requirements be violated. Guess what? If somebody has physical access to your FreeBSD machine, they can root you also.
Physical access is not the point; the point is that in Windows, any program can elevate its privileges if any higher-privileged program has any windows on the desktop, visible or not.
A program that is run as a non-privileged user on my FreeBSD machine is certainly not supposed to be able to raise its privileges, under any circumstances. If it can, it's considered a bug, and rightly so.
In Windows, the distinction between physical access and untrusted programs does not exist and the boundary between programs is not sufficient to enforce different privilege levels if they both use the desktop.
It now also becomes perfectly understandable why they want to treat the person with local access, even if that's the owner, with the same level of trust as any program running on it: none whatsoever. Simply because Windows can't make the distinction, by design. Sadly, it also means that the owner of the computer is no longer in control either.
It just proves the point that all versions of Windows are essentially still single-user operating systems.
Re:Oh really? (Score:2, Interesting)
Re:Security from the ground up. (Score:2, Interesting)
You can't have it both ways. You can't complain about Microsoft's lack of security, and then whine when they decide to implement security measures. Palladium is designed to guard against this exact kind of attack. His 'shatter' application would be prevented from accessing the memory of the VirusScan.
Clearly, the Slashdot crowd does not object to Palladium because it's secure, we object to Palladium because it's a standard MS ploy to make themselves the standard.
Because we object to thing A does not mean we have to accept everything that isn't A.
Re:It's not even this hard (Score:3, Interesting)
Oh I agree. I don't think fixing this would provide much 'security' anyway. The main reason that Windows gets beat up by trojans is not so much flaws in the system, but clever ways of executing features in malicious ways. The problem is never ending. The more features you add to any product (not just computers), the more ways you have of exploiting them in a negative way.
Look at Slashdot. Lots of steps (such as filtering the HTML...) are taken to keep trolling to a minimum. But, they still get through. As a matter of fact, somebody recently posted the Goatse pic in ascii. Heh.
The best approach you can take towards 'security' is to make the worst case scenario cause minimal damage. That's essentially what Slashdot has done with the karma system. People are always going to come up with amusing ways to use
In an ideal world posting a rule saying 'Don't post notti pictures' would be the end of it. In the real world, people think the problem should be solved by making the system incapable of displaying notti pictures. The best thing to do is to make the display of 'notti' pictures as unthreatening as possible.
How do you rescind acceptance of the EULA? (Score:4, Interesting)
I'm asking a legal question: does removal of the software constitute rescinding your agreement? Or if Microsoft has somewhere noted your initial agreement, is it in perpetuity? Does Microsoft permanently own that box?
Re:Security from the ground up. (Score:3, Interesting)
You mean like checking the 'Supported Hardware' list before installing a Linux distro?
I think it's pretty much accepted that the Unix community ignored security until the Morris worm in 1988 - it was not designed with security at its core. Most people would also consider most *nix variants today fairly secure.
Re:Don't Do That (Score:4, Interesting)
Isn't this precisely the set of programs that need to be broken, so they don't allow root?
Re:Yes, but who's fault is it? Not MS'! (Score:4, Interesting)
Re:Don't Do That (Score:5, Interesting)
Either way, there are numerous windows (normally hidden) on a standard desktop that run as localsystem - it's possible to exploit some of them using the same techniques.
sprintf() _is_ safe. (Score:4, Interesting)
You're wrong here. You absolutely can limit field sizes with sprintf().
char buf[8];
sprintf(buf, "%-.3sTEXT", "1234567890");
will write "123TEXT\0" into buf and nothing more. In this case it is always safe to have the buffer be 3+4+1 == 8 bytes in size. It's the responsibility of the programmer to use this. It's not just a feature, it's a MUST if you process input of unknown length.
You can't blame the library if programmers act stupid and produce unsafe code. And this is different from the Windows misconception in the article, since you'd need to patch the format string here first to be able to exploit this in any way. On the other hand, if you already have the right to change the code of an SUID binary, you don't need an exploit anymore. :-)
And, btw, nobody needs gets() anyway. There's fgets() which even has the advantage that you can redirect the input stream your subroutine (you're using subroutines, aren't you?) is going to read from.
Re:Take control? (Score:3, Interesting)
your first mistake was using a kernel-privileged web server (IIS).
I was developing the filter, and in its early stages, it had memory leaks, dangling pointers, double free()s, etc.
your second mistake was writing bad code.
but i'll agree that writing bad code shouldn't crash the OS. but when you're developing on windows, that's the modus operandi (sp?). but who am i to kvetch? i learned my C code on UNIX, where i got segmentation faults, bus errors, all kinds of evil crap, and the program terminated, and the OS chugged along.
but try playing a bit with framebuffer programming on linux, and see how fast you bring down the OS
Ignorance is Strength? (Score:1, Interesting)
Re:Don't Do That (Score:3, Interesting)
Sure about that? What if it runs on a system where an int is 128 bits? If your answer is "that will never happen", consider that that same logic led to billions of dollars spent fixing Y2K bugs.
"yet you want to have me replace it with an ugly mess of separate calls"
snprintf(strVal, 120, "val is: %d (decimal), %x (hex), %o (octal)", val1, val1, val1);
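Added example, written for this page and not taken from either commenter: it puts the precision-bounded sprintf() from the "sprintf() _is_ safe" comment next to the snprintf() call just above, shows how the snprintf() return value tells you whether the output was truncated (which is what makes the "128-bit int" objection moot), and includes the fgets() replacement for gets() the earlier comment recommends. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Precision-bounded sprintf(): "%-.3s" copies at most three characters of
 * the argument, so the 8-byte buffer (3 + 4 + NUL) is always large enough,
 * no matter how long the input string is. Returns the characters written. */
int bounded_sprintf_demo(char out[8], const char *input)
{
    return sprintf(out, "%-.3sTEXT", input);
}

/* snprintf() takes the destination size and never writes past it. Its
 * return value is the length the full output WOULD have had, so a result
 * >= size means the text was truncated (but the buffer was not overrun).
 * Returns 0 if everything fit, 1 if truncated, -1 on encoding error. */
int format_checked(char *dst, size_t size, long long val)
{
    int needed = snprintf(dst, size,
                          "val is: %lld (decimal), %llx (hex), %llo (octal)",
                          val, (unsigned long long)val, (unsigned long long)val);
    if (needed < 0)
        return -1;
    return (size_t)needed >= size ? 1 : 0;
}

/* fgets() in place of gets(): reads at most size-1 bytes from the given
 * stream, strips a trailing newline, and returns the line length or -1 at
 * EOF. Anything beyond size-1 bytes stays in the stream for the next call. */
int read_line(char *buf, size_t size, FILE *stream)
{
    if (fgets(buf, (int)size, stream) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    buf[len] = '\0';
    return (int)len;
}
```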
It would help if the author understood windows... (Score:2, Interesting)
Like GTK (Score:3, Interesting)
Given the huge outcry about GTK+, I'm impressed that MS has had the same flaw, but for so much longer, with no one talking about it.
Re:How do you rescind acceptance of the EULA? (Score:4, Interesting)
Is Microsoft damaged if you use their products to steal music? No, unless Microsoft gets sued by RIAA for providing software that facilitates your violation of copyright and then loses, after which they'll come after you in an action for indemnity. Until then, Microsoft isn't going to get anything from you in a courtroom because you haven't caused them any damage at all - and that means until RIAA and the MPAA sue Microsoft, you don't have anything to worry about.
What about wine? (Score:1, Interesting)
Wine (as in "Wine Is Not an Emulator")?
If so, does it mean Wine is a vulnerability in Linux?
This is the Win32 version of SUID vulnerability (Score:3, Interesting)
Knowing what this guy brought up in his paper, it seems a lot more obvious why you are NOT SUPPOSED TO INTERACT WITH THE DESKTOP AS "SYSTEM" if you are running as a service. This has been common knowledge among Win32 programmers for a LONG time.
The UNIX model has some exploits to which Windows is immune, due to structural/design differences. And the reverse is just as true. If you don't understand the security practices required on your platform of choice, you shouldn't be programming apps on systems that need to be secure.
Re:Pot, meet kettle (Score:3, Interesting)
The warning comes from a 23 year old "genius" who describes himself as knowing a couple hundred languages on x different platforms and capable of learning any new language in 3 days, but who doesn't know that this "issue" has been known for years, and isn't a security flaw in windows, but in the application software (in this case, viruscan).
The same flaw (letting a process that runs at system level interact directly with the desktop, against warnings in MS docs never to do that), also exists in HP printer drivers (to name just an example), and is a thousand times more easily exploitable there -- all you need is physical access to the machine.
I'm including a description below. This made me raging mad at HP a few years ago and is the reason why I'm forbidding the use of HP printers anywhere in the company.
After being sent from phone to phone when I reported it, when I finally reached someone who understood what I was talking about after having talked to support people in 3 different countries, it appeared that (a) HP was aware of the issue and (b) they found fixing it to be too much of a hassle, since there was an easy workaround: disable bidirectional support on the parallel port, so the driver can't detect printer errors.
That guy actually made it sound as if I was stupid for not having thought of that "fix" myself.
I ran into the problem on a system where my own app was running as shell, but below is an easier way to reproduce it.
It worked (works?) under NT4, but I wouldn't be surprised at all if it's still the same in XP:
- You need a PC with an HP printer attached, with the drivers installed from HP's CD (not the drivers that came from MS on the Windows CD, those are safe). It was confirmed to work with deskjets in the 600 and 800 series.
- Open notepad. Type in some random characters.
- Click Start/Shutdown, and hold down ctrl+shift+alt while clicking "Cancel": this closes the shell, while notepad keeps running (a less known, yet documented trick to close explorer.exe as the shell while remaining logged on).
- Remove all paper from the printer, then print the document from notepad.
- A tabbed dialog will pop up with a message about the printer being out of paper, and diagnostic and help tabs. That dialog also gives access to the help file that came with the driver; from there you can go to the printing problem solver, and there you can open the Printers control panel.
- Do that. The Printers control panel will be opened in explorer, but because explorer.exe is also the shell and no other instance is running, it will start as the shell instead and your desktop and taskbar will reappear.
Congratulations. You are now logged in with system privileges, because the HP driver displays the error message under the system account, the help file inherits the privilege, and so does explorer in its turn.