Open Source and information security mailing list archives
 
Message-ID: <20040826075054.11769.qmail@www.securityfocus.com>
Date: 26 Aug 2004 07:50:54 -0000
From: "Jérôme" ATHIAS <jerome.athias@...amail.com>
To: bugtraq@...urityfocus.com
Subject: MS XP SP2 Windows Security Center allows spoofing




Hi,

I found some interesting news about the WSC of SP2 here:
http://www.pcmag.com/article2/0,1759,1639276,00.asp

Summary:

The Windows Security Center displays information about Firewall, Updates, Antivirus... and stores it in an internal database managed by the Windows Management Instrumentation (WMI) subsystem built into Windows.

Due to the nature of WMI, the WSC could potentially allow attackers to spoof the state of security on a user's system.

For Windows XP Service Pack 2, Microsoft added new fields or records to keep track of the Firewall and Antivirus information in the WMI database.

The WMI database is designed to be accessible via the WBEM API and is available to any program that wants to access the WMI. Because the WMI database is not set to be a read-only file, an attacking program could simply change the disabled product's status to "up-to-date" and "enabled" to avoid suspicion.

About that, Microsoft responds:

"In SP2, we added functionality to reduce the likelihood of unknown/devious applications running on a user's system, including turning Windows Firewall on by default, data execution prevention, attachment execution services to name a few. To spoof the Windows Security Center WMI would require system-level access to a PC. If the user downloads and runs an application that would allow for spoofing of Windows Security Center, they have already opened the door for the hacker to do what they want. In addition, if malware is already on the system, it does not need to monitor WSC to determine a vulnerable point of attack, it can simply shut down any firewall or AV service then attack – no WSC is necessary."

"Windows Security Center, found in the Windows XP Control panel, provides customers the ability and makes it easier to check the status of these essential security functionalities such as firewalls, automatic updates and antivirus. Windows Security Center will inform users whether key security capabilities are turned on and up to date and will notify users if it appears that updates need to be made or if additional action steps may need to be taken to help them get more secure." 

YES it requires Administrative privileges to run a malware script...
YES it requires access to the HD of the target to run a malware script...

So if you don't want to call that a vulnerability, use the word flaw...

Regards.
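
An added example, not part of the original post: a read-only cross-check of what Windows Security Center has recorded in WMI against the real state of the product's Windows service, so that a spoofed "enabled" status shows up as a mismatch. It assumes the XP SP2-era `root\SecurityCenter` namespace with its `AntiVirusProduct` class, and a display-name-to-service map that the administrator fills in (the entry shown is a hypothetical placeholder).

```powershell
# Added example: compare the antivirus status stored by Windows Security Center
# in WMI with the actual state of the product's Windows service.
# Assumptions: the legacy root\SecurityCenter namespace and AntiVirusProduct
# class are present, and $ServiceMap is supplied by the administrator.
param(
    # displayName -> service name; the entry below is a hypothetical placeholder
    [hashtable]$ServiceMap = @{ 'Example AV' = 'ExampleAvSvc' }
)

function Test-WscClaim {
    param($Product, [hashtable]$Map)

    $result = New-Object PSObject -Property @{
        Product     = $Product.displayName
        WscEnabled  = [bool]$Product.onAccessScanningEnabled
        WscUpToDate = [bool]$Product.productUptoDate
        Service     = $null
        Running     = $null
        Verdict     = 'UNVERIFIED'   # no independent evidence configured
    }

    if ($Product.displayName -and $Map.ContainsKey($Product.displayName)) {
        $result.Service = $Map[$Product.displayName]
        $svc = Get-Service -Name $result.Service -ErrorAction SilentlyContinue
        $result.Running = ($svc -ne $null -and $svc.Status -eq 'Running')

        if ($result.WscEnabled -and -not $result.Running) {
            $result.Verdict = 'MISMATCH'    # WSC claims protection the service is not providing
        } elseif ($result.WscEnabled -eq $result.Running) {
            $result.Verdict = 'CONSISTENT'
        } else {
            $result.Verdict = 'WSC_STALE'   # service is running but WSC records it as disabled
        }
    }
    $result
}

# Read-only query of the records WSC keeps in the WMI repository
$products = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $products) {
    Write-Warning 'No AntiVirusProduct instances found in root\SecurityCenter.'
} else {
    $products | ForEach-Object { Test-WscClaim -Product $_ -Map $ServiceMap } |
        Format-Table Product, WscEnabled, WscUpToDate, Service, Running, Verdict -AutoSize
}
```

The service state is itself only as trustworthy as the host, so a `CONSISTENT` verdict on a machine that may already be compromised is not proof of protection.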

