lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <44C1A761.2000000@herr-der-mails.de>
Date: Sat, 22 Jul 2006 06:19:45 +0200
From: "H. Wiedemann" <dpr@...r-der-mails.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Outpost Firewall vulnerability,
	users gaining system rights

Hi,

all current available "Outpost Firewall" versions do have severe 
vulnerabilities, every local user is able to run programs under the very 
high privileged LocalSystem account.

Steps to reproduce:

1.) create an empty text file (e.g. "empty.txt")
2.) create a batch file which will open a command shell.
     sth. like:
     cmd.exe
3.) open the Outpost Firewall GUI
4.) call one of the open or save file dialogs
     e.g. "File - Load Configuration"
     change the file type to "All Files *.*"
5.) drag the "empty.txt" and drop it over the created batch file
6.) a command shell opens running under the LocalSystem account
     (you can check this with "whoami.exe" from the windows resource kit 
tools)


There're of course a lot other drag&drop possibilites ... you could e.g. 
drop the text file over "notepad.exe" which will open a notepad with 
system privileges.

Even if Agnitum disables the Drag&Drop functionality: the open/save 
dialog will always be able to read and write files with the rights of 
the LocalSystem account. Thus every user could severely damage the system.


This vulnerability is by design, there're dozens of other possibilities 
to gain system privileges with Outpost. The problem is that the GUI is 
part of the windows service and is running with SYSTEM privileges. Even 
MS says that the so called "Interactive Services" shouldn't be used --> 
MSDN Library, topic "Interactive Services" - "Security Considerations 
for Interactive Services".


-- 

H. WIEDEMANN

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ