Message-ID: <1092656247.6696.16.camel@gibson>
From: barrie at reboot-robot.net (Barrie Dempster)
Subject: Flaws security feature of SP2

Was wondering how long it would take for the holes to show up. SP2 isn't
the be all and end all of windows security, although it is a step in the
right direction.

In my opinion MS has a lot of legacy code to address, preventing buffer
overflows from happening is all well and good but if the code still has
flaws like that they should be addressed as well. cmd featuring in this
advisory is possibly an indication of how this legacy code hasn't been
addressed.

I don't think MS have learnt that an SP, a couple of conferences and
occasionally blurting out buzzwords such as "Security in Depth" doesn't a
secure set up make.

Barrie

On Mon, 2004-08-16 at 11:11, Juergen Schmidt wrote:
> Author: Jürgen Schmidt, heise Security
> Date: August 13, 2004
> German Advisory: http://www.heise.de/security/artikel/50046
> English Version: http://www.heise.de/security/artikel/50051
> 
> 
> Overview
> --------
> With Service Pack 2, Microsoft introduces a new
> security feature to warn users before executing
> files that originate from an untrusted location (zone)
> such as the Internet.
> 
> There are two flaws in the implementation of this
> feature: a cmd issue and the caching of ZoneIDs in
> Windows Explorer. The Windows command shell cmd ignores
> zone information and starts executables without
> warnings. Virus authors could use this to spread
> viruses despite the new security features of SP2.
> 
> Windows Explorer does not update zone information
> properly when files are overwritten. So it can be
> tricked to execute files from the internet without
> warning.
> 
> Background
> ----------
> Internet Explorer and Outlook Express mark files that
> are downloaded from the internet or saved from an
> e-mail with a Zone Identifier (ZoneID), which reflects
> the security zone from which it originates. The ZoneIDs
> correspond to the Internet Explorer security
> zones. This information is saved in an Additional Data
> Stream (ADS) of the file. ADS are a feature of the NTFS
> filesystem. ADS with ZoneIDs are named Zone.Identifier
> and can be viewed and modified with Notepad by opening
> ":Zone.Identifier".
> 
> When a user tries to execute a file downloaded from the
> internet and therefore has been given ZoneID=3 at a
> later point, he is prompted with a warning. The ADS is
> persistent even if the file is moved, as long as it
> stays on NTFS drives. Windows built-in ZIP utilities
> honor ZoneIDs and for example do not extract executable
> files from archives with a ZoneID greater than or equal
> to 3.
> 
> 1. The cmd Issue
> ----------------
> Description
> 
> The command shell cmd.exe ignores the ZoneID of
> files. The command
> 
> cmd /c evil.exe
> 
> executes the file evil.exe without warning, regardless
> of its ZoneID. Even worse: If an executable file is
> saved as evil.gif, the command
> 
> cmd /c evil.gif
> 
> will launch the program without any warning despite
> its ZoneID being 3. This is true for any file
> extension. The execution of files through cmd
> regardless of its extension is not new in SP2. It works
> with every version of Windows XP.
> 
> Note: By default users are not allowed to save
> "dangerous" files (i.e. files with extensions like
> .exe) in Outlook Express. But they can save executables
> with other file extensions such as .gif. Explorer and
> Outlook Express display them as image. Opening
> (i.e. double clicking) those files in Explorer results
> in the launch of the registered file handler, in this
> case the image viewer.
> 
> Attack vector
> 
> Exploitation of this issue requires some user
> interaction -- at least as long as nobody comes up with
> a way to execute cmd.exe with parameters from within
> Outlook Express or Internet Explorer. But viruses doing
> "social engineering" are commonplace by now. Bagle &
> Co asked users to enter a password to decode encrypted
> attachments. Therefore a virus author could create an
> e-mail worm like this:
> 
> --
> Attached: access.gif
> 
> Hello,
> 
> attached you find the copy of your access data you
> requested. For security reasons, the file is scrambled
> and can only be viewed with cmd. To view it, save the
> attached file, execute "cmd" from the start menu,
> drag&drop the file into the new window and hit
> return. cmd will descramble the file for you.
> --
> 
> If the user follows these instructions, the attached
> file is executed without any warning.
> 
> This might even deceive some of the more experienced
> users, because they do not expect files with extensions
> like "gif" to carry executable content and to be
> executed in such a simple manner.
> 
> Additionally this method will evade some antivirus
> software, which only scans/blocks files with extensions
> which it knows to be potentially dangerous.
> 
> 
> 2. Windows Explorer caching of ZoneIDs
> --------------------------------------
> Description
> 
> Windows Explorer caches the result of ZoneID
> lookups. If a file is overwritten, Explorer does not
> properly update this cached information to reflect the
> new ZoneID. This allows spoofing of trusted or
> non-existent ZoneIDs by overwriting files with trusted
> or non-existent ZoneIDs.
> 
> The following steps illustrate the problem.
> 
>    1. Copy notepad to a new file.
> 
>    > copy c:\windows\notepad.exe test.exe
> 
>       You may also use Explorer to copy the file.
> 
>    2. Open test.exe in Explorer: no warning.
> 
>    3. evil.exe is a file saved from an e-mail
>       attachment and has ZoneID=3.  Check with your
>       editor by opening "evil.exe:Zone.Identifier". It
>       displays: ZoneID=3 Open evil.exe in Explorer: you
>       will be warned.
> 
>    4. Overwrite the copy of notepad.exe:
> 
>    > copy evil.exe test.exe
> 
>       test.exe:Zone.Identifier displays: ZoneID=3
> 
>    5. Open test.exe in Explorer: no warning!
> 
>       test.exe is launched without warning despite
>       its ZoneID=3. In the file properties, Explorer
>       shows the correct notice about its origin, but
>       for opening the file the old ZoneID-status is
>       used.
> 
>    6. Double-check: Kill the Explorer task, restart it
>       and launch test.exe: you will be warned.
> 
> Attack vector
> 
> Exploiting this issue requires the ability to overwrite
> existing files which have a trusted or non-existent
> ZoneID. Right now there is no known way to achieve this
> in an attack mounted from the Internet.
> 
> 
> Vendor status
> -------------
> heise Security has notified Microsoft about both issues
> on August 12. Microsoft Security Response Center
> responded:
> 
> "We have investigated your report, as we do with all
> reports, however in this case, we don't see these
> issues as being in conflict with the design goals of
> the new protections. We are always seeking improvements
> to our security protections and this discussion will
> certainly provide additional input into future security
> features and improvements, but at this time we do not
> see these as issues that we would develop patches or
> workarounds to address."
> 
> You find some personal thoughts about this response in
> the latest comment on heise Security: Microsoft: A
> matter of trust,
> http://www.heise.de/security/artikel/50054
-- 
Barrie (zeedo) Dempster - Fortiter et Strenue


[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

<spam type="places I think you should go">
Computer Security http://www.bsrf.org.uk
Do something good http://www.lp2p.org
Open Source Vulnerability Database http://www.osvdb.org
</spam>
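An added example, not part of this reply or of the heise advisory quoted above: a small audit script for the mechanism the advisory describes. It reads the Zone.Identifier alternate data stream that Internet Explorer and Outlook Express write (an INI fragment "[ZoneTransfer] / ZoneId=3"), and flags files that carry an Internet-or-worse mark but hide a PE executable ("MZ" header) behind a non-executable extension, i.e. exactly the "access.gif" case that cmd /c will launch without a warning. The ADS read only works on NTFS under Windows; the parsing and classification functions are platform-neutral. The zone number to name table, the threshold of ZoneId >= 3 and the list of "already executable" extensions are assumptions made for this example, taken from the advisory's description rather than from any Microsoft documentation.

```python
"""Audit a directory tree for Internet-zone marked files that hide
executable content behind a harmless extension.

Added example, not code from the original post or advisory.
The ADS read (path + ":Zone.Identifier") needs Windows + NTFS; the
parsing/classification logic runs anywhere and is what the tests cover.
"""
import configparser
import os
import sys
from typing import Iterator, Optional, Tuple

# Assumed mapping of ZoneId to the Internet Explorer security zones
# (0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted).
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}
# Advisory: Explorer warns (and the ZIP tools refuse) for ZoneId >= 3.
UNTRUSTED_ZONE = 3
# Extensions Explorer already treats as executable (assumed list); the
# interesting finds are PE files whose extension is NOT in this set.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body, or None.

    The stream is a tiny INI file:
        [ZoneTransfer]
        ZoneId=3
    """
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone_identifier(path: str) -> Optional[int]:
    """Read <path>:Zone.Identifier. None if the stream is absent or the
    OS/filesystem has no alternate data streams (open() then fails)."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def looks_like_pe(header: bytes) -> bool:
    """DOS/PE executables start with 'MZ'; cmd /c runs such a file
    regardless of what its extension claims."""
    return header[:2] == b"MZ"


def classify(name: str, header: bytes, zone: Optional[int]) -> str:
    """Verdict for one file from its name, first bytes and ZoneId:
    'unmarked', 'marked', 'marked-executable' or 'disguised-executable'."""
    if zone is None or zone < UNTRUSTED_ZONE:
        return "unmarked"
    if not looks_like_pe(header):
        return "marked"
    ext = os.path.splitext(name)[1].lower()
    return "marked-executable" if ext in EXECUTABLE_EXTS else "disguised-executable"


def audit_tree(root: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, zone, verdict) for every file under root that
    carries a Zone.Identifier stream at all."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            zone = read_zone_identifier(path)
            if zone is None:
                continue
            try:
                with open(path, "rb") as f:
                    header = f.read(2)
            except OSError:
                continue
            yield path, zone, classify(name, header, zone)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, zone, verdict in audit_tree(root):
        print(f"{verdict:22} ZoneId={zone} ({ZONE_NAMES.get(zone, '?')})  {path}")
```

Run it against a download or mail-attachment folder; a "disguised-executable" line is a saved attachment that Explorer would show as an image but cmd would happily execute. Note that this only inspects what is on disk: the second issue in the advisory (Explorer's stale cached ZoneID after an overwrite) is not visible from the stream contents, which is why step 6 of the advisory has you restart Explorer to double-check.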