lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 25 Jul 2014 14:50:19 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Gynvael Coldwind" <gynvael@...dwind.pl>
Cc: fulldisclosure <fulldisclosure@...lists.org>, bugtraq@...urityfocus.com
Subject: Re: [FD] Beginner's error: import function of Windows Mail executes
	rogue program C:\Program.exe with credentials of other account

Gynvael Coldwind wrote:

> Well it was discussed a couple of times recently on FD that this is a bug,
> but it's not a privilege escalation.
> If you are admin (and you did mention that it's a prerequisite) you can
> execute code as other users anyway - so there's no *escalation* here.
> 
> Therefore it's not a security bug (unless you are using a super old version
> of Windows with incorrect ACLs on c:\, which sounds like a bug in itself),
> just a "normal" bug.
> Not sure if FD is the right place for non-security bugs tbh.

If these bugs were no security bugs: why does Microsoft then publish fixes
for (at least some of) them via MSRC bulletins and Windows Update?

See <https://technet.microsoft.com/library/security/ms13-058.aspx>
or <https://technet.microsoft.com/library/security/ms13-034.aspx>

Or pulls drivers whose setup routines show these bugs from Windows Update?

See <http://seclists.org/fulldisclosure/2014/May/40>


Also try to see these bugs as a blended threat:

* during Windows setup Microsoft still creates all user accounts as
  administrators.

* Microsoft sells its unsuspecting users UAC as a security feature, but does
  NOT inform them (or at least does not inform Joe Average) that UAC is not
  a security boundary and they should better use a restricted^Wstandard user
  account instead of the administrator account created during setup.

* Joe Average will happily give consent to any program which presents an UAC
  prompt to him: he wants to get his work done, and this UAC prompt is just
  an annoyance. BTW: when Windows asks him for consent, this must be right?

regards
Stefan

> Cheers,
> On 25 Jul 2014 00:46, "Stefan Kanthak" <stefan.kanthak@...go.de> wrote:
> 
>> Brandon Perry wrote:
>>
>> > So, I am very curious how you are finding these? Have you automated this
>> or
>> > is it manual hand work?
>>
>> All my Windows installations have
>> <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
>> <http://home.arcor.de/skanthak/download/SENTINEL.DLL> preinstalled as
>> C:\Program.exe and C:\Program.dll, so I'm notified when some poorly written
>> program tries to execute them.
>> The sentinels call MessageBox() with "MB_SERVICE_NOTIFICATION", so the
>> messages are recorded in the event log too where I can find them later.
>>
>> I also preinstall an APPINIT.DLL <https://support.microsoft.com/kb/197571>
>> which logs all command lines of programs linked to USER32.DLL to a file:
>> filtering for "C:\Program " at column 1 lists all the culprits.
>>
>> My third source is a SAFER.Log <
>> https://technet.microsoft.com/cc786941.aspx>
>> where every execution attempt is logged, including the executables caller:
>> filtering this for "\program.exe" or "\program.dll" lists all the culprits.
>>
>> So basically I just have to sit and wait...
>>
>> In case one of my customers was hit, and this did not happen during an
>> installation, I have to interrogate them what they did... and hope they can
>> remember with sufficient detail.
>>
>> But almost all hits occur during installations or the customization
>> following
>> an installation (here it was the import of existing mails into a new
>> account),
>> so these are not so difficult to reproduce.
>>
>> regards
>> Stefan
>>
>> PS: of course it helps if 8.3 names are disabled and "C:\Program Files\"
>> can't
>>     be aliased as C:\Progra~1\
>>     To achieve this just run FORMAT C: /FS:NTFS /S:Disable in Windows PE
>>     before you start the installation of Windows 7 and later.
>>     For Windows NT5.x you'll have to use \i386\MIGRATE.INF
>>
>> > On Wed, Jul 23, 2014 at 2:50 PM, Stefan Kanthak <stefan.kanthak@...go.de
>> >
>> > wrote:
>> >
>> >> Hi @ll,
>> >>
>> >> the import function of Windows Mail executes a rogue program
>> C:\Program.exe
>> >> with the credentials of another account, resulting in a privilege
>> >> escalation!
>>
>> [...]
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ