lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 17 Jul 2008 22:39:23 -0400
From: "Abe Getchell" <me@...getchell.com>
To: <bugtraq@...urityfocus.com>
Subject: Windows Vista Power Management & Local Security Policy

When the security option "Shutdown: Allow system to be shutdown without
having to log on" (in the local security policy) is set to "Disable", and
the power management setting "When I press the power button" is set to "Shut
Down", it is possible for an unauthenticated user to press the power button
at the Windows logon screen and gracefully shutdown the system. The
explanation of this security option, taken from the local security policy,
is as follows:

"Shutdown: Allow system to be shut down without having to log on

This security setting determines whether a computer can be shut down without
having to log on to Windows.

When this policy is enabled, the Shut Down command is available on the
Windows logon screen.

When this policy is disabled, the option to shut down the computer does not
appear on the Windows logon screen. In this case, *users must be able to log
on to the computer successfully and have the Shut down the system user right
before they can perform a system shutdown*.

Default on workstations: Enabled.
Default on servers: Disabled."

Note the text between the asterisks. While this bug isn't necessarily a
software flaw allowing for an intrusion into the system in a traditional
sense, it does set a bad precedence in that power management has a free pass
to bypass local security policy and perform actions expressly against the
defined policy. It appears that the only impact the use of this security
option actually has is enabling or disabling the display of the "power
button" on the Windows logon screen (locally only - this setting has no
affect on remote desktop connections - the "power button" is not displayed
in either case), not actually preventing anyone from (gracefully) shutting
down the system without logging in.

I reported this to the MSRC on 6/25/2008 and their stance was that this
wasn't a security vulnerability, but was likely a bug, and was passed
directly to the product team to investigate through their normal bug triage
process. After some back and forth, there was silence, and I let them know I
was going to release this information to the community. 

This was tested on Windows Vista SP1 (32-bit).

--
Abe Getchell
me@...getchell.com
https://abegetchell.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ