lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.WNT.4.51.0307112016060.1268@lara.gremlinhunters.co.uk>
Date: Fri, 11 Jul 2003 20:18:16 +0100 (GMT Daylight Time)
From: Chris Paget <chrisp@...software.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: iDEFENSE Security Advisory 07.11.03: Win32 Message Vulnerabilities
 Redux



I posted this response to full-disclosure earlier, so I may as well post it here
too...


iDefense are absolutely correct in saying that EM_SETWORDBREAKPROC can be used
in exactly the same way that WM_TIMER can, in order to force another application
to jump to an arbitrary location in memory.  They are also correct in saying
that the problems are not unfixable; it was perhaps a little hasty on my part to
state this in the original white paper.  However, I do not believe that the
iDefense paper takes the issue far enough; here at NGS we have discovered many
new techniques for exploiting Shatter attacks.  Their technique for injecting
shellcode, while working acceptably, is just one of many that we have located;
EM_SETWORDBREAKPROC, while dangerous, is likewise just one example of many new
Shatter techniques for code execution that we have independantly discovered.

For example:  MS03-025 is a patch for a Shatter vulnerability in the Utility
Manager service, installed by default and running as LocalSystem on Windows 2000
computers.  It is vulnerable to privilege escalation attacks using the
LVM_SORTITEMS message.  The Microsoft advisory on the issue can be found at
http://www.microsoft.com/security/security_bulletins/ms03-025.asp while the NGS
advisory can be found at http://www.nextgenss.com/advisories/utilitymanager.txt

I will be presenting on the subject of Shatter at the Black Hat Briefings in Las
Vegas, at the end of July.  I will be discussing in detail the new issues we
have found, correcting some errors in the original paper, releasing several new
exploits for Shatter attacks (some for privilege escalation, and some for rather
different issues), and discussing the depth of the issue as well as proposing in
detail some solutions for fixing them.  Please don't ask me for more information
until then; I'm happy to discuss the original paper, the iDefense paper, and the
MS03-025 patch, but I will not be providing more information about my Black Hat
presentation until after the event.  Rest assured that there is a lot of new
content in it, and I will be around at both Black Hat and Def Con afterwards to
answer any questions that are outstanding.

Two things in particular that I would like to state in response to the iDefense
paper.  Firstly, while the technique of filtering messages that are received by
an application will work, it is an approach from the wrong side.  It is a "We
know this is bad so we'll filter it" approach, while what is needed is a "We
know this is good so we'll allow it" solution.  I will be explaining two
alternative solutions in detail at Black Hat, although all three potentially
suffer from the same problem.  Secondly, the iDefense paper indicates that
Microsoft's security best practices are not to have highly privileged windows on
a low-privileged desktop; this is not a firm stance from Microsoft.  In fact,
their latest statement on the issue (in the text for the WM_TIMER patch -
MS02-071) states:

"I saw a posting Microsoft authored shortly after this issue was reported, in
which you said the problem was that processes with differing levels of privilege
were running on the interactive desktop. It sounds like youve changed your
opinion.

We have. When we initially examined the situation, we concluded that the problem
here lay solely in the fact that highly-privileged and lower-privileged
processes were both present in the interactive desktop. We pointed out that, by
design, all processes on the interactive desktop are peers, and stated that we
believed the real solution was to not mix processes of varying privileges.

However, upon deeper investigation, we determined that the real answer is
somewhat more complicated. Its possible for a highly privilege process to
coexist safely with less privileged processes on the interactive desktop,
provided that its been properly designed to vet all requests before acting on
them. However, the flaw in WM_TIMER would undermine these safeguards even if
they were present. As a result, although we still recommend that developers use
extreme care before writing a process that has high privileges and runs in the
interactive desktop, we believe that in this case the real culprit is the flaw
in WM_TIMER."

To state Microsoft's policy as recommending that highly privileged applications
should not interact with users is somewhat misleading, if not actually
erroneous.  Microsoft's stance on the issue is unclear, at best.

That said, I applaud iDefense for their research, and I am grateful to them for
taking the time to read and understand the issue, and then investigate it in
more depth.  Hopefully, this paper and the presentation I deliver at Black Hat
will have the desired effect of spurring more research into the problem,
increasing the average developers understanding of the problem, and preventing
the attacks as far as is possible.

Chris Paget



On Fri, 11 Jul 2003, iDEFENSE Labs wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iDEFENSE Security Advisory 07.11.03:
> http://www.idefense.com/advisory/07.11.03.txt
> Win32 Message Vulnerabilities Redux
> July 11, 2003
>
> About one year ago, Chris Paget published a pair of papers that
> described fundamental flaws in the way the Microsoft Corp. Windows
> event model is designed. Paget showed how these flaws led to a class of
> attacks he dubbed "Shatter attacks," and claimed that they were both
> widespread and unfixable. The boldness of these claims led to a rash of
> media coverage of this exploit, and a sizeable debate within the
> security community about the accuracy and importance of his claims. In
> response to the pressure exerted by this attention, Microsoft published
> security bulletin MS02-071 and an associated patch, which has led many
> to believe that Shatter attacks are no longer possible.
>
> iDEFENSE has published a paper written by Oliver Lavery that clarifies
> what the flaws in the Windows event model are, describes a related
> vulnerability that continues to exist in many popular software products
> and suggests ways in which these "unfixable" flaws might be addressed.
> Titled "Win32 Message Vulnerabilities Redux," the paper is available at
> http://www.idefense.com/idpapers/Shatter_Redux.pdf .  The appropriate
> vendors mentioned within received an advance copy of this paper.
>
>
> Get paid for security research
> http://www.idefense.com/contributor.html
>
> Subscribe to iDEFENSE Advisories:
> send email to listserv@...fense.com, subject line: "subscribe"
>
>
> About iDEFENSE:
>
> iDEFENSE is a global security intelligence company that proactively
> monitors sources throughout the world - from technical
> vulnerabilities and hacker profiling to the global spread of viruses
> and other malicious code. Our security intelligence services provide
> decision-makers, frontline security professionals and network
> administrators with timely access to actionable intelligence
> and decision support on cyber-related threats. For more information,
> visit http://www.idefense.com .
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPw6rlfrkky7kqW5PEQJeLgCZARhd4z3PataAdcYr1D+qJfn5HiUAnAu3
> 9NVvCks9nOi9SojuaeeyQKl7
> =3dy3
> -----END PGP SIGNATURE-----
>
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ