lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1IXAOQ-0004bv-8t@wintermute01.cs.auckland.ac.nz>
Date: Mon, 17 Sep 2007 18:47:38 +1200
From: pgut001@...auckland.ac.nz (Peter Gutmann)
To: Thierry@...ler.lu
Cc: bugtraq@...urityfocus.com, roger@...neretcs.com, tmb@...35.com,
	vuln-dev@...urityfocus.com, webappsec@...urityfocus.com
Subject: Re: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API

Thierry Zoller <Thierry@...ler.lu> writes:

>PG> No, this is an entirely new level of attack,
>"New level of attack", what makes you believe that?

Because previously you had to spam users and convince them to go to some
random web site and download who knows what (or follow a link in the spam, or
whatever).  The Vista sidebar changes this to clicking on a "Get more gadgets
online" link on the desktop to go to a microsoft.com site (which then goes to
a live.com site, but it's still Microsoft).  The sole requirements for
submitting a gadget seem to be a Windows Live ID:

  Unverified submission.

  Only install applications from developers you trust. This is a third-party
  application, and it could access your computer's files, show you
  objectionable content, or change its behavior at any time.

and you've got things there like:

http://gallery.live.com/liveItemDetail.aspx?li=8214ecc3-bf7e-4502-9702-9cf7cfe8aa99&bt=1&pl=1

(not picking on this particular whatever-it-is by whoever-it-is, just using it
as an example).  So you've got a desktop link to a (to the typical user)
Microsoft web site containing who knows what created by who knows who that,
when run, gets full rights on your system:

  Gadgets are mini-applications. Although an individual gadget may only have a
  single need . such as reading files and information from the computer,
  accessing information from one or more domains, or only displaying buttons
  and information for a utility . the full set of gadgets mix and match needs
  in a huge variety of ways. In aggregate, gadgets have the same set of needs
  as other code.
   - http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx

  In gadget.xml, there's a /gadget/hosts/host/permissions tag. All the samples
  I've looked at have "Full" as the value in this tag. Are there other legal
  values?
  ->
  "Full" is indeed the only value supported for the Windows Vista Sidebar. We
  have documentation on the syntax of the manifest that should be ready
  shortly to explain all elements, attributes and allowed values.

The entire security model for the Sidebar seems to be "We'll display lots of
dialogs that users have to mechanically click through before they get to see
the dancing bunnies".  There's no real security present that I can see, just a
lot of dialog boxes to click past.  In fact the blog specifically mentions
things like:

  Internet Explorer Protected Mode

  Protected Mode is not applicable to gadgets as they are code present on the
  local computer and interact with files and APIs on the local computer.

>PG> because it's moved the dancing
>PG> bunnies problem onto the Windows desktop.
>Huh ? What is different to let's say the southpark worm we saw years ago? Or
>any other normal binary that promised to be a screensaver or similar ?

They don't have a link on the Windows desktop to a legitimate Microsoft site
to download the malware.

>PG> The level of warnings is
>PG> irrelevant
>Euhm ok, so in your logic the program shouldn't run at all ?

The logic is that the program should be heavily sandboxed, run in Explorer
protected mode, or have similar measures applied.

>PG> Given what an incredible attack vector they are
>What is incredible in this attack vector ? What is actually new ? What is the
>differnce with the  "User downloads screensaver and get's owned" attack
>vector?

See above.

Peter.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ