From: hellnbak at nmrc.org (hellNbak)
Subject: http://security.tombom.co.uk/moreshatter.html


I guess I will add my $.02 to this discussion.  A note: I am neither
attacking nor defending ANYONE in this post, just offering my twisted view
of things.

Quoting from http://security.tombom.co.uk/response.txt

"Also, if I understand things correctly, the attack you describe either
requires the user to run an attacker's program on their system or the
attacker needs to have access to the user's system.  In either case, the
attacker has been allowed to cross a security boundary. In our essay,
the "Ten Immutable Laws of Security", these are Law #1-- "If a bad guy
can persuade you to run his program on your computer, it's not your
computer anymore," and Law #3 -- "If a bad guy has unrestricted physical
access to your computer, it's not your computer anymore." (see
http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp
for the full essay)."

In general this is correct: allow unknown malicious code and you will
get owned.  But physical access isn't always required.  It is not uncommon
for an attacker to first gain a shell via this week's latest IIS exploit
(or even Apache win32 for that matter), then upload tools to a poorly
secured directory, then run bad code.  This is so common that many
pen-testers have scripted the entire process, as it is usually the easiest
form of attack.  As much as I hate to use the latest and greatest
buzzwords, this would be one of those nifty "blended attacks" that we
are hearing all the security vendors start to talk about.  This is nothing
new.

Now quoting from http://security.tombom.co.uk/shatter.html

"Basically, there is no simple solution, which is why Microsoft have been
keeping this under their hat. Problem is, if I can find this, I can
guarantee that other people have as well. They might not tell anyone about
it, and the next time they get into your system as a low-priv user, you
wouldn't have a clue how they got LocalSystem out of it. After all, you're
all up to date on patches, aren't you?"

You are absolutely right -- I think this is the entire problem.  These
flaws are at such a low level that they cannot be fixed without
some major rewrites.  I think we all know that a major rewrite of the
Win32 API is very unlikely, so how do we at least remediate some of the
risk?

1.)  Physically secure your critical systems.  If a system contains
critical data, don't put it online, and lock it up.  This is plain common
sense.  Oh, and your website probably isn't critical data, or at least it
shouldn't be.

2.)  If the system needs to be online, not only should you physically
secure it but also logically.  In this day and age just patching a system
is the bare minimum.  If the system is a web server, turn off all other
services, lock down file system privileges, harden harden harden.  If you
don't know how, hire me to do it for you.  :-)  Other services like SQL,
Exchange, etc., should not be directly exposed to the net.

3.)  Configure your firewall to DENY ALL in both directions.  Only allow
exactly what you need for the box to function.  Note the BOTH DIRECTIONS
comment.  So many times while doing a pen-test I see firewalls only
allowing 80 and 443 inbound but allowing anything outbound, making
launching a reverse shell easy.  Most of all, DO NOT allow any type of TFTP,
and have alarms go off in the event of someone trying to upload (via any
method) files to the box.

4.)  Application level firewalls anyone?

5.)  Did I mention that you should harden and lock down all boxes that are
online?

Before everyone on the list breaks out their flame throwers, yes, I
understand that this isn't foolproof or as easy as it sounds.  You can
only protect against what you know about.

Regardless of what O/S you run, all it takes is someone with the latest and
greatest zero-day and all your bases belong to them.

If my time in the security game has taught me anything, it's that all
operating systems have risks associated with them and they all require
hardening and reconfiguration before plugging in the network cable.  Some
of us would rather complain to the vendors in the hope of changing things,
while others do their best to lock things down.  It's never a bad idea for
an organization to come up with standard hardening procedures for various
operating systems.  I am not saying that this is right; I too hope for the
days of a truly secure O/S, but I'm not holding my breath.


On Tue, 17 Sep 2002, Georgi Guninski wrote:

> Date: Tue, 17 Sep 2002 18:35:05 +0300
> From: Georgi Guninski <guninski@...inski.com>
> To: "Schmehl, Paul L" <pauls@...allas.edu>
> Cc: full-disclosure@...ts.netsys.com, secure@...rosoft.com
> Subject: Re: [Full-Disclosure]
>     http://security.tombom.co.uk/moreshatter.html
>
> CC'ing secure@...rosoft.com to throw some light on this.
> secure@...rosoft.com:
> Are you taking this seriously? Really really seriously?
> Or are some application writers irresponsibly writing insecure code which opens
> windows on windows - like in "net send 127.0.0.1 lol" ?
>
> Georgi Guninski
> http://www.guninski.com
>
>
> Schmehl, Paul L wrote:
> > Interesting.  I had a lengthy email argument with a MS rep about
> > shatter.  He swore up and down that it wasn't a MS problem, but a bad
> > applications programmer problem.  He finally grudgingly admitted that MS
> > probably shouldn't make it so easy to be a bad applications programmer
> > and said he would forward my concerns to MS Security.  Maybe now they'll
> > actually take the issue seriously (yeah, right!)
> >
> > Paul Schmehl (pauls@...allas.edu)
> > Department Coordinator
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/~pauls/
> >
> >
> >
> >>-----Original Message-----
> >>From: Georgi Guninski [mailto:guninski@...inski.com]
> >>Sent: Tuesday, September 17, 2002 4:56 AM
> >>To: full-disclosure@...ts.netsys.com
> >>Subject: [Full-Disclosure]
> >>http://security.tombom.co.uk/moreshatter.html
> >>
> >>
> >>http://security.tombom.co.uk/moreshatter.html
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


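A Windows Firewall baseline in the spirit of hellNbak's point 3 above (deny all in both directions, allow only what the box needs, and watch for blocked outbound connections), added here as an example; it is not code from the original post or thread. It assumes a current Windows host with the NetSecurity PowerShell module, and the admin subnet, resolver and update-server addresses are constructed placeholders.

```powershell
# Added example, not from the original thread. Run from an elevated console
# session (local or out-of-band), because the default-deny below will cut any
# remote session that is not covered by an explicit allow rule.
# All addresses are constructed placeholders for an internal network.
$AdminNet  = '10.0.100.0/24'   # where management (RDP) may come from
$Resolver  = '10.0.0.53'       # internal DNS server
$UpdateSrv = '10.0.0.80'       # internal WSUS server

# 1. Deny everything, both directions, on every profile, and log the drops.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Inbound: only what the box exists to serve, plus management from the admin net.
New-NetFirewallRule -DisplayName 'Allow HTTP/HTTPS in' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Allow RDP from admin net' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminNet -Action Allow

# 3. Outbound: DNS to the internal resolver and patching to WSUS, nothing else.
#    Anything else going out (a reverse shell, a TFTP pull) is dropped and logged.
New-NetFirewallRule -DisplayName 'Allow DNS out' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $Resolver -Action Allow
New-NetFirewallRule -DisplayName 'Allow WSUS out' -Direction Outbound `
    -Protocol TCP -RemotePort 8530,8531 -RemoteAddress $UpdateSrv -Action Allow

# 4. Name TFTP explicitly so it is easy to spot in the rule set and the log;
#    the deny-all already drops it, the named rules are for reviewers.
New-NetFirewallRule -DisplayName 'Block TFTP out' -Direction Outbound `
    -Protocol UDP -RemotePort 69 -Action Block
New-NetFirewallRule -DisplayName 'Block TFTP in' -Direction Inbound `
    -Protocol UDP -LocalPort 69 -Action Block

# 5. The "alarm": summarise dropped outbound connections from the firewall log.
#    Log fields: date time action protocol src-ip dst-ip src-port dst-port ... path
function Get-DroppedOutbound {
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    Get-Content $LogPath -ErrorAction Stop |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' -and $_ -match '\bDROP\b' -and $_ -match '\bSEND\b' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Proto = $f[3]; Dst = $f[5]; DstPort = $f[7] }
        }
}
# Top destinations the box tried to reach and was stopped from reaching.
Get-DroppedOutbound | Group-Object Dst | Sort-Object Count -Descending | Select-Object -First 10
```

A web server that suddenly shows repeated dropped outbound attempts to one external address on an unusual port is the pattern the post describes, and is what to page on.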