Datamation writes "Exploit code for Windows Vista (though at this point only proof-of-concept code) has been published to a Russian hacker site, Eweek reports. Certain strings sent through the 'MessageBox' API apparently cause memory corruption. Though this is obviously cause for concern, at the moment it would seem access to the system would already be required to make use of the exploit. Determina has an analysis of the bug. Just last week, Trend Micro reported that Vista zero-days are being sold at underground hacker sites for $50,000."
> I don't have to...you know...take pictures of squirrels or pigeons to get a hold of this exploit do I?
Nope, just contact the Uplink Corporation [uplink.co.uk], and be sure to break the chain of logs that connect your gateway's activity to the target machines before the passive trace gets you. (It helps to have root on at least one of the chain of proxies you're bouncing your connection through.)
more story here
http://www.securityfocus.com/brief/391 [securityfocus.com]
hehehe...
He also reminds me of that city manager from oklahoma.. what's that guy name ?
probably a lot more if you can use it to get a lot of zombies and bots for DDOS attacks and SPAM. I'm thinking the SPAM alone should cover the cost if you can get an installed base quickly.
Trend Micro reported that Vista zero-days are being sold at underground hacker sites for $50,000.
I'm just wondering who would buy these at such a price. What is the real value of an exploit?
The real value is that Trend Micro gets to post a dubious piece of information showing how deadly and valuable these exploits are. Wow, just look at how insecure Vista is that these harmful exploits are worth so much money! You'd better buy our antivirus software NOW to keep yourself protected.
Antivirus companies are certainly not broadcasting this kind of information purely for the public benefit. It's a FUD campaign. Much like certain governments like to say "terrorist, terrorist, terrorist!" these c
And when did these "hackers" become such sellouts? Way to ruin an art form...
The only thing they ruin is the term "hacker". But that's okay, this word has been deformed, mis- and overused for so long to mean "pirate" and "cracker" by stupid media people that it just doesn't matter anymore.
In reality, these guys aren't even worthy of the term "crackers" (which itself isn't worth much in the first place): they're just mafia, conmen, blackmail artists, forgers, thieves, robbers... whatever you choose to call it. They just happen to use a computer instead of a tommy gun, but the result is the same.
They just happen to use a computer instead of a tommy gun, but the result is the same.
You'll be sleep()ing with the fishes?
Somehow, I don't think the idea of the "St. Valentine's Day TCP stack exploit" has quite the same impact. (Perhaps the "St. Valentine's Day Blue Screen of Death"?)
All things considered, I'd rather have my computer violated by the Mafia than my body.
Obviously Microsoft is missing these holes in Vista in house. Maybe the biggest customer for these zero-day exploits should be.. Microsoft? $50,000 isn't that much compared to the other option IMHO. Just a thought.
It's a very valid thought, it's just the form that's bad: what you suggest is Microsoft pays black hats under the table to fix find flaws in their products for them. Quite a PR disaster, surely you'll agree. On the other hand, if they were smart, they would hire talented hackers *upstream*, i.e. during the development process, and offer them the same insane amounts of money on a per-exploit-found basis (at "black market rate" if you will), only these hackers would be working for MS perfectly legally: they would get the same money, trouble-free, and Microsoft could boast they subject their products to the most stringent tests before release.
Heck, MS could even offer these russians H1Bs/green cards, housing in the US, car and whatnot, that would be small change compared to how Microsoft stands to make out like a bandit on the semi-forced sale of their new OS...
Agreed. It would be generally very poor form for a company to do such a thing. And obviously the people who sell these exploits want to get more than one sale out of each one. Selling them to Microsoft means, hopefully, the end of the exploit and no more sales. So if MS really did buy these exploits, they'd have to do it without letting the hackers find out it was them buying the exploits. Because the hackers would probably never want to sell them to MS.
I'm sure this fits into some science fiction plot s
I'm sure this fits into some science fiction plot somewhere. And the truth as it is said is often stranger than fiction.
Yes it is. Would you believe that the reason for all the security holes is for Microsoft. They're the ones who create the holes so that later they can take crontrol of the bot nets and send out spam. On occasion they find a guy who's trying to go it alone and starts intruding on their turf. They send the police at that guy to take everyone's attention at what their other hand is doing. They're pretty sinister in that regard.
Holy crap, I could almost believe that. Anybody have any extra tin foil they can spare?
I have a better interpretation (and possibly an idea for MS to hunt these guys down): It's extortion. Someone identified a security flaw that Microsoft missed, and wants money for it. I'd wager their army of lawyers could spin it in such a way as to get these black hats locked up for a good long time for racketeering charges or something similar.
How MS can use this: broker deals with these guys under the table. Get any relevant law enforcement involved to ensure it's legality, and nail the guys when the tran
It's a very valid thought, it's just the form that's bad: what you suggest is Microsoft pays black hats under the table to fix find flaws in their products for them. Quite a PR disaster, surely you'll agree.
It is not necessarily bad for Microsoft to pay these guys a bounty behind the scenes to find flaws in their products for them. Think of it this way, the CIA pays criminals and other unsavory people to be informants and agents acting in the interests of the government at the behest of their CIA case o
Well they already do exactly that. Microsoft has a huge QA department and its a pretty safe bet that the SDETs working in it make a good bit more than 50k a year. They recruit internationally and get people those visas you were talking about since software engineers who dont suck are in short supply these days. Unless a hacker believes that he can find several big time exploits every year before anyone else does (quite a stretch imho) then it seems like it would be in his financial best interest to work f
On the other hand, if they were smart, they would hire talented hackers *upstream*, i.e. during the development process, and offer them the same insane amounts of money on a per-exploit-found basis (at "black market rate" if you will), only these hackers would be working for MS perfectly legally: they would get the same money, trouble-free, and Microsoft could boast they subject their products to the most stringent tests before release.
This has come up before in other articles, but I'll rehash the old arg
That's possibly what the guys selling the exploits are hoping for: that Microsoft buys it from them and as you say $50,000 isn't much for Microsoft. Actually, maybe Microsoft should actually start a program to reward people that submit vulnerabilities in relation to security risk caused by it. This might actually help make Vista secure quickly if they pay well. And if they have any confidence in the fact that Vista is a relatively secure OS, they shouldn't have to worry that it is going to cost them too muc
The vulnerable code is present in Windows 2000, XP, 2003 and Vista.
Another case of Microsoft getting burned by legacy code? You have to wonder how many problems would be solved if they actually started fresh, rather than propping up the compatibility bridge continuously. Probably a lot, but I doubt they want to damage their market share to the extent that such a move would likely make.
How does one go about exploiting a double free vulnerability? The article just mentions that Windows has a double free vulnerability but does not post an exploit (and neither does the russian site which originally reported this issue).
It really depends on the heap (the specific data structures keeping track of the blocks) in use, but it can result in other blocks also beeing freed incorrectly. If you are able to replace the first block at the address with another, during the relevant timespan, you can get THAT one freed, which then can cause some other part of the kernel, relying on that new data, to crash. As the buffers involved here are all allocated in-kernel, I would think you need to do some tricky timing-dependent work to get a real exploit going. If you don't have debugging privileges, you won't know the address used yourself, and you'll need to trick some other API to choose to allocate that very same memory, unless, of course, the data structures are severly damaged by just the double-free event, without any new allocation between the two.
Which is ironic, because they actually have a page [microsoft.com] on handling strings safely. So are they lazy, stupid, or both? Lemme guess-- they couldn't use their own API because someone wrote the MessageBox API in assembly...?
Yep someone is lazy, or it is a side effect in the API.
BTW Only the HAL of any NT based system is written in assembly, everything above that must be portable C. (This is one reason it was sad that WinNT 4.0 was faster than Win9x, as the Win9x team could use all the assembly they wanted.)
Old API, not properly reviewed. BTW, did anyone notice that the exploit requires 'prior' admin authorization? It can only elevate after getting the permission to do so at a prior point, so it is kin
Function GetHardErrorText Comment: * This function figures out the message box title, text and flags. * We want to do this up front so we can log this error when the hard error is * raised. Previously we used to log it after the user had dismissed the message * box -- but that was not when the error occurred (DCR Bug 107590)
This function finds and extracts strings like "{EXCEPTION}" from MessageBox's text and if found, writes them in the system log.
I think it's funny that the black hats are releasing exploits for Vista so soon. The product isn't widely available yet, so by the time Vista ships to consumers mosty of these 0-days will be patched.
A smart black hat would lay low until SP1 is released, and wait for the real corporate deployment to begin.
A smart black hat would lay low until SP1 is released, and wait for the real corporate deployment to begin.
A smart black hat has like a job and a life.
The only thing I can say that these script kiddies and whatnot are good for is that they are easily detectable and they alert security people of vulnerabilities so that it makes it difficult for people that are really interested in doing real damage or obtaining data that they shouldn't have.
Its really ironic how valuable these kids are. Without them, real compromises would be more common and much more painful.
Of course, this doesn't don't count, as has been evidenced by the outcry against similar proof-of-concept security holes in OS X.
I'm pretty sure the Slashdot community wouldn't be so two-faced as to claim something is an exploit on Vista which isn't 'counted' as an exploit on OS X, right?
I'm wondering what sort of checking IE does on alert() and prompt() calls, and on and tags. If you can force an error would it be possible to run arbitrary code this way?
This affects a total of what? 15 people? I don't see why anyone would pay cold hard cash for Vista exploits when 99% of the internet still runs XP or previous..
Yet again, the need for the CLR to support this moronic language creates a very obvious security flaw.
Huh? Where's the logic in that? Blaming VB.NET for a security vulnerability in a Win32 API is like blaming Perl for a security vulnerability in the Linux kernel API. This has absolutely nothing to do with the CLR, Visual Basic (.NET or 6), or any other specific language... the vulnerability exists on the lowest level of the Win32 API (CSRSS, amongst other things, is Win32's interface to the Windows kernel). Any language that can call into Win32 can trigger this vulnerability... including Perl.
For one thing, MessageBox() is implemented entirely in user32.dll, a client library which runs directly in the client process calling the function. CSRSS and win32k only implement lower level primitives like windows and display contexts (Here [bialystok.pl]'s a list of both the service tables; scroll down to win32k.sys to see all of it's functions). MessageBox() uses those to create a new window with the specified buttons and text on the fly with those primitives; the vulnerability is inside that code. There's no reason t
I just read TFA. Let me get this straight. The exploit is in MessageBox()? Awesome.
All I can say is... OUCH.
MessageBox() is a fairly commonly used API (it's used to display a message box, with optional icon (none, alert, caution, etc.), and buttons (yes/no, yes/no/cancel, ok/cancel, ok, etc). It's the most trivial way to do a quick debug, or pop up an error message. It's probably one of the most commonly used functions, as well.
Wonder what Microsoft did to break MessageBox(). Considering how often it's used...
Wonder what Microsoft did to break MessageBox(). Considering how often it's used...
Whatever they did, they did it a long time ago, since TFA says Win2k is vulnerable.
Unless this exploit is perpetuated by a patch, MS's brand spanking new OS is getting pwnd by a bug coded >7 years ago. I assume it's at least 7 years old, because I doubt anyone is testing against NT4 these days, so I don't know if it's a leftover from the mid-90's.
I don't have to... (Score:5, Funny)
Re: (Score:2)
Nope, just contact the Uplink Corporation [uplink.co.uk], and be sure to break the chain of logs that connect your gateway's activity to the target machines before the passive trace gets you. (It helps to have root on at least one of the chain of proxies you're bouncing your connection through.)
$50K is a pretty good payout for a mission.
Re: (Score:3, Funny)
Re: (Score:3, Informative)
Re: (Score:2, Funny)
Re: (Score:3, Funny)
curious (Score:4, Insightful)
I'm just wondering who would buy these at such a price. What is the real value of an exploit?
Re:curious (Score:5, Informative)
Parent
Re: (Score:3, Insightful)
Someone with $50,000 to spend as an investment, who expects to make more money out of it.
What is the real value of an exploit?
$50,000.
Re: (Score:2)
Only if someone bought it
Re: (Score:3, Insightful)
People who want to make Vista zombie bots.
And who would want to do that?
Spammers
Re: (Score:2)
Trend Micro reported that Vista zero-days are being sold at underground hacker sites for $50,000.
I'm just wondering who would buy these at such a price. What is the real value of an exploit?
The real value is that Trend Micro gets to post a dubious piece of information showing how deadly and valuable these exploits are. Wow, just look at how insecure Vista is that these harmful exploits are worth so much money! You'd better buy our antivirus software NOW to keep yourself protected.
Antivirus companies are certainly not broadcasting this kind of information purely for the public benefit. It's a FUD campaign. Much like certain governments like to say "terrorist, terrorist, terrorist!" these c
Re:curious (Score:5, Insightful)
The only thing they ruin is the term "hacker". But that's okay, this word has been deformed, mis- and overused for so long to mean "pirate" and "cracker" by stupid media people that it just doesn't matter anymore.
In reality, these guys aren't even worthy of the term "crackers" (which itself isn't worth much in the first place): they're just mafia, conmen, blackmail artists, forgers, thieves, robbers... whatever you choose to call it. They just happen to use a computer instead of a tommy gun, but the result is the same.
Parent
Re:curious (Score:4, Funny)
You'll be sleep()ing with the fishes?
Somehow, I don't think the idea of the "St. Valentine's Day TCP stack exploit" has quite the same impact. (Perhaps the "St. Valentine's Day Blue Screen of Death"?)
All things considered, I'd rather have my computer violated by the Mafia than my body.
Parent
Re: (Score:2)
Meant to say this last week.. but.. (Score:5, Interesting)
Maybe the biggest customer for these zero-day exploits should be.. Microsoft?
$50,000 isn't that much compared to the other option IMHO.
Just a thought.
TLF
Re:Meant to say this last week.. but.. (Score:5, Insightful)
Maybe the biggest customer for these zero-day exploits should be.. Microsoft?
$50,000 isn't that much compared to the other option IMHO.
Just a thought.
It's a very valid thought, it's just the form that's bad: what you suggest is Microsoft pays black hats under the table to fix find flaws in their products for them. Quite a PR disaster, surely you'll agree. On the other hand, if they were smart, they would hire talented hackers *upstream*, i.e. during the development process, and offer them the same insane amounts of money on a per-exploit-found basis (at "black market rate" if you will), only these hackers would be working for MS perfectly legally: they would get the same money, trouble-free, and Microsoft could boast they subject their products to the most stringent tests before release.
Heck, MS could even offer these russians H1Bs/green cards, housing in the US, car and whatnot, that would be small change compared to how Microsoft stands to make out like a bandit on the semi-forced sale of their new OS...
Parent
Re: (Score:3, Interesting)
And obviously the people who sell these exploits want to get more than one sale out of each one. Selling them to Microsoft means, hopefully, the end of the exploit and no more sales. So if MS really did buy these exploits, they'd have to do it without letting the hackers find out it was them buying the exploits. Because the hackers would probably never want to sell them to MS.
I'm sure this fits into some science fiction plot s
Re:Meant to say this last week.. but.. (Score:5, Funny)
Yes it is. Would you believe that the reason for all the security holes is for Microsoft. They're the ones who create the holes so that later they can take crontrol of the bot nets and send out spam. On occasion they find a guy who's trying to go it alone and starts intruding on their turf. They send the police at that guy to take everyone's attention at what their other hand is doing. They're pretty sinister in that regard.
Holy crap, I could almost believe that. Anybody have any extra tin foil they can spare?
Parent
Re: (Score:2)
Re: (Score:2)
It's extortion. Someone identified a security flaw that Microsoft missed, and wants money for it. I'd wager their army of lawyers could spin it in such a way as to get these black hats locked up for a good long time for racketeering charges or something similar.
How MS can use this: broker deals with these guys under the table. Get any relevant law enforcement involved to ensure it's legality, and nail the guys when the tran
Re: (Score:2)
2) MS can find ways to make Russia play ball on extradition or prosecution.
Re: (Score:2, Insightful)
And a place in jail for violating DMCA.
Re: (Score:2)
It is not necessarily bad for Microsoft to pay these guys a bounty behind the scenes to find flaws in their products for them. Think of it this way, the CIA pays criminals and other unsavory people to be informants and agents acting in the interests of the government at the behest of their CIA case o
Re: (Score:2)
Unless a hacker believes that he can find several big time exploits every year before anyone else does (quite a stretch imho) then it seems like it would be in his financial best interest to work f
Re: (Score:2)
This has come up before in other articles, but I'll rehash the old arg
Portable?! (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
From the article:
Another case of Microsoft getting burned by legacy code? You have to wonder how many problems would be solved if they actually started fresh, rather than propping up the compatibility bridge continuously. Probably a lot, but I doubt they want to damage their market share to the extent that such a move would likely make.
Double free vulnerability (Score:3, Interesting)
The article just mentions that Windows has a double free vulnerability but does not post an exploit (and neither does the russian site which originally reported this issue).
.
Re:Double free vulnerability (Score:4, Informative)
Parent
Discount... (Score:2)
List of those strings... (Score:3, Funny)
A partial list of those strings appears to be: Linux, Open-Source, GNU, Stallman, and (oddly) chair.
Microsoft still hasn't learned about safe strings! (Score:3, Interesting)
Re: (Score:2)
Yep someone is lazy, or it is a side effect in the API.
BTW Only the HAL of any NT based system is written in assembly, everything above that must be portable C. (This is one reason it was sad that WinNT 4.0 was faster than Win9x, as the Win9x team could use all the assembly they wanted.)
Old API, not properly reviewed. BTW, did anyone notice that the exploit requires 'prior' admin authorization? It can only elevate after getting the permission to do so at a prior point, so it is kin
More details on this (Score:4, Interesting)
Say, nice use of strcpy...
Why now? (Score:3, Insightful)
A smart black hat would lay low until SP1 is released, and wait for the real corporate deployment to begin.
Re:Why now? (Score:5, Interesting)
A smart black hat has like a job and a life.
The only thing I can say that these script kiddies and whatnot are good for is that they are easily detectable and they alert security people of vulnerabilities so that it makes it difficult for people that are really interested in doing real damage or obtaining data that they shouldn't have.
Its really ironic how valuable these kids are. Without them, real compromises would be more common and much more painful.
Parent
Doesn't count! (Score:3, Insightful)
I'm pretty sure the Slashdot community wouldn't be so two-faced as to claim something is an exploit on Vista which isn't 'counted' as an exploit on OS X, right?
Right?
Can this be exploited with alert() or prompt()? (Score:2, Insightful)
so... (Score:2)
Re: (Score:2)
Win 2k and later, including Vista
Um, what? (Score:2)
Yeah, this tend to be how trojans and viruses work. In basically any OS.
Wake me up when there's a remote exploit requiring no elevation of privileges.
Re:Fscking Visual Basic (Score:4, Insightful)
Parent
Re:Fscking Visual Basic (Score:5, Insightful)
Parent
Re: (Score:2)
Re:Fscking Visual Basic (Score:5, Informative)
All I can say is... OUCH.
MessageBox() is a fairly commonly used API (it's used to display a message box, with optional icon (none, alert, caution, etc.), and buttons (yes/no, yes/no/cancel, ok/cancel, ok, etc). It's the most trivial way to do a quick debug, or pop up an error message. It's probably one of the most commonly used functions, as well.
Wonder what Microsoft did to break MessageBox(). Considering how often it's used...
Parent
Re: (Score:2)
Unless this exploit is perpetuated by a patch, MS's brand spanking new OS is getting pwnd by a bug coded >7 years ago. I assume it's at least 7 years old, because I doubt anyone is testing against NT4 these days, so I don't know if it's a leftover from the mid-90's.
Javascript alert()? (Score:2)
If it's just the text inside the message box that they need to screw with, this could be pretty easily exploited by any random website...
Re: (Score:3, Funny)
Okay. In Soviet Russia, Windows runs you. Oh, wait. . . .