lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000001c8eab4$92939ee0$b7badca0$@com>
Date: Sun, 20 Jul 2008 18:04:19 -0400
From: "Abe Getchell" <me@...getchell.com>
To: "'Jim Harrison'" <Jim@...tools.org>,
	"'Thor (Hammer of God)'" <thor@...merofgod.com>,
	"'Johan Beisser'" <jb@...stic.org>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Windows Vista Power Management & Local Security Policy

I understand all of that, which is precisely the reason I put it out there.
The example I put forth might have been a bad one (given that it relies on
an additional piece of code to be installed on a target machine), but
there's probably more to this issue than I can deduce. I'll let those more
versed in that area of security figure it out. As a side note, check out
some of the conversations on the Linux Kernel mailing list about power
management and security. Interesting stuff.

--
Abe Getchell
me@...getchell.com
https://abegetchell.com/

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@...tools.org]
> Sent: Sunday, July 20, 2008 4:33 PM
> To: 'me@...getchell.com'; 'Thor (Hammer of God)'; 'Johan Beisser'
> Cc: bugtraq@...urityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
> 
> It's about reality & priorities.
> 
> What we're both saying is:
> 1. it's a bug and should be fixed in accordance with its impact on real
> (not imagined) functionality & security
> 2. unless this provides some exploit that doesn't start with "if I can
> install software on the host", it's not more than "a bug in a security
> mechanism"
> 
> If someone can demonstrate an actual vulnerability or exploit on the
> basis of this bug _alone_, then they may have something to make noise
> about.  There are enough real bugs and security vulns in software to
> deal with.  Not every security issue spells doom and damnation or
> warrants immediate corrective response from the vendor.
> 
> Jim
> 
> -----Original Message-----
> From: Abe Getchell [mailto:me@...getchell.com]
> Sent: Sunday, July 20, 2008 12:32 PM
> To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
> Cc: bugtraq@...urityfocus.com
> Subject: RE: Windows Vista Power Management & Local Security Policy
> 
> So, you guys don't think it's an issue that power management in Vista
> (apparently) has a pass to bypass local security policy?
> 
> --
> Abe Getchell
> me@...getchell.com
> https://abegetchell.com/
> 
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@...merofgod.com]
> > Sent: Saturday, July 19, 2008 6:20 PM
> > To: me@...getchell.com; Jim Harrison; bugtraq@...urityfocus.com
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > If Jim is going to get Nancy to run a program, and that's "not all
> that
> > hard," then why not just have that program do what you want in the
> > first
> > place rather than worrying about the power switch nonsense?  This is
> > the
> > one million and fourth time:  "If your 'vulnerability' begins with
> 'if
> > I
> > can get the user to run code' then whatever comes after the 'then'
> > doesn't matter.  Period."
> >
> > t
> >
> >
> >
> > > -----Original Message-----
> > > From: Abe Getchell [mailto:me@...getchell.com]
> > > Sent: Saturday, July 19, 2008 12:33 AM
> > > To: 'Jim Harrison'; bugtraq@...urityfocus.com
> > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > >
> > > As stated in my original e-mail to the list, I definitely don't
> think
> > > that
> > > this is a security vulnerability in a traditional sense. I
> completely
> > > agree
> > > with you. Think about it this way... When you press the power
> button
> > on
> > > the
> > > machine and it performs a graceful shutdown, stuff happens inside
> of
> > > the
> > > operating system. That stuff happens at an elevated privilege
> level.
> > If
> > > there were some way to hook into the stuff that happens, you (as an
> > > unauthenticated user), could do bad things (besides simply shutting
> > > down the
> > > system) using that hook simply by pressing the power button at the
> > > logon
> > > screen. For example, if Jim wants to know what Nancy is working on,
> > he
> > > could
> > > write a program which e-mails him the contents of her "My
> Documents"
> > > folder
> > > that is triggered by a hook into that process. All Jim needs to do
> is
> > > get
> > > Nancy to run that program on her system (not hard) and walk by her
> > > office
> > > when she's not there and hit the power button (also not hard). So
> > what
> > > can
> > > _I_ do with this bug? Not much, I'm not that great of a
> programmer...
> > > but I
> > > think someone out there could do some nasty stuff.
> > >
> > > --
> > > Abe Getchell
> > > me@...getchell.com
> > > https://abegetchell.com/
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@...tools.org]
> > > > Sent: Saturday, July 19, 2008 1:36 AM
> > > > To: 'me@...getchell.com'; bugtraq@...urityfocus.com
> > > > Subject: RE: Windows Vista Power Management & Local Security
> Policy
> > > >
> > > > Abe,
> > > >
> > > > Other than a denial-of-service from the console (is the power
> > switch
> > > > now a security vuln, too?), what can you do with this bug?  It's
> > > > absolutely, unquestionably a "bug"; the user should see behavior
> as
> > > > dictated by logic and described in the documentation, but a
> > "security
> > > > vulnerability"?
> > > >
> > > > I think that's stretching things juuuuuust a bit.
> > > >
> > > > Jim
> > > >
> > > > -----Original Message-----
> > > > From: Abe Getchell [mailto:me@...getchell.com]
> > > > Sent: Thursday, July 17, 2008 7:39 PM
> > > > To: bugtraq@...urityfocus.com
> > > > Subject: Windows Vista Power Management & Local Security Policy
> > > >
> > > > When the security option "Shutdown: Allow system to be shutdown
> > > without
> > > > having to log on" (in the local security policy) is set to
> > "Disable",
> > > > and
> > > > the power management setting "When I press the power button" is
> set
> > > to
> > > > "Shut
> > > > Down", it is possible for an unauthenticated user to press the
> > power
> > > > button
> > > > at the Windows logon screen and gracefully shutdown the system.
> The
> > > > explanation of this security option, taken from the local
> security
> > > > policy,
> > > > is as follows:
> > > >
> > > > "Shutdown: Allow system to be shut down without having to log on
> > > >
> > > > This security setting determines whether a computer can be shut
> > down
> > > > without
> > > > having to log on to Windows.
> > > >
> > > > When this policy is enabled, the Shut Down command is available
> on
> > > the
> > > > Windows logon screen.
> > > >
> > > > When this policy is disabled, the option to shut down the
> computer
> > > does
> > > > not
> > > > appear on the Windows logon screen. In this case, *users must be
> > able
> > > > to log
> > > > on to the computer successfully and have the Shut down the system
> > > user
> > > > right
> > > > before they can perform a system shutdown*.
> > > >
> > > > Default on workstations: Enabled.
> > > > Default on servers: Disabled."
> > > >
> > > > Note the text between the asterisks. While this bug isn't
> > necessarily
> > > a
> > > > software flaw allowing for an intrusion into the system in a
> > > > traditional
> > > > sense, it does set a bad precedence in that power management has
> a
> > > free
> > > > pass
> > > > to bypass local security policy and perform actions expressly
> > against
> > > > the
> > > > defined policy. It appears that the only impact the use of this
> > > > security
> > > > option actually has is enabling or disabling the display of the
> > > "power
> > > > button" on the Windows logon screen (locally only - this setting
> > has
> > > no
> > > > affect on remote desktop connections - the "power button" is not
> > > > displayed
> > > > in either case), not actually preventing anyone from (gracefully)
> > > > shutting
> > > > down the system without logging in.
> > > >
> > > > I reported this to the MSRC on 6/25/2008 and their stance was
> that
> > > this
> > > > wasn't a security vulnerability, but was likely a bug, and was
> > passed
> > > > directly to the product team to investigate through their normal
> > bug
> > > > triage
> > > > process. After some back and forth, there was silence, and I let
> > them
> > > > know I
> > > > was going to release this information to the community.
> > > >
> > > > This was tested on Windows Vista SP1 (32-bit).
> > > >
> > > > --
> > > > Abe Getchell
> > > > me@...getchell.com
> > > > https://abegetchell.com/
> > > >
> > > >
> > >
> 
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ