Message-ID: <4CFE9E3C.1010308@extendedsubset.com>
Date: Tue, 07 Dec 2010 14:51:08 -0600
From: Marsh Ray <marsh@...endedsubset.com>
To: full-disclosure@...ts.grok.org.uk
Cc: Valdis.Kletnieks@...edu
Subject: Re: verizon vs m$

On 12/07/2010 07:12 AM, Valdis.Kletnieks@...edu wrote:
> On Tue, 07 Dec 2010 07:16:34 EST, Larry Seltzer said:
>>>>> 2. some interpret it as a feature and some as a bug?
>>
>>> Does it have to be either?
>>
>> It sounds to me as if this is a deliberate design decision, and
>> people are disagreeing over the severity of its implications.
>
> Some people refer to that as a "feee-tchure" or "Broken As Designed".
> It's technically not a bug, but it does violate the Principle of
> Least Surprise.

I say it's a bug.

See there's this thing called "Protected Mode". Now I don't know about 
you guys, but that name could lead someone like me to think that it was
supposed to give you some kind of protection. But whatever it is, it can
be bypassed by this new Son-of-Stuxnet APT 3.0 exploit technology called
a "socket".

> http://windows.microsoft.com/en-us/windows-vista/products/features/communication
>  Internet Explorer
> Browse the web with Internet Explorer 7. Protected Mode provides
> security and data protection for Windows users.

> http://msdn.microsoft.com/en-us/library/bb250462%28VS.85%29.aspx
> Understanding and Working in Protected Mode Internet Explorer Summary
> In Windows Vista, Internet Explorer 7 runs in Protected Mode, which
> helps protect users from attack by running the Internet Explorer
> process with greatly restricted privileges.
> Protected Mode is an important step forward in security for Internet
> Explorer (IE); it helps protect users from attack by running an IE
> process with greatly restricted privileges on Windows Vista. While
> Protected Mode does not protect against all forms of attack, it
> significantly reduces the ability of an attack to write, alter, or
> destroy data on the user's machine or to install malicious code.

So if this thing allows any code running in "Protected Mode" to bridge 
over to "not Protected mode" with just a local socket and other methods, 
then what good is it? What then did "Protected Mode" ever protect you 
from? Attackers who didn't know about local sockets or would never be 
clever enough to figure it out?

Consider that Local Intranet Zone will usually do NTLMv2 authentication 
without any user intervention. Even if he couldn't escape from 
"Protected Mode", an attacker who can open listening sockets can 
possibly grab NTLMv2 password hashes for offline cracking, or even 
forward those authentications to get into lots of other devices which 
will accept them, e.g. SSL VPNs.

This is just like UAC. Back when it came out, I thought UAC and the 
elevation token scheme were the coolest new OS security feature since 
W^X and ASLR. I gave props to Microsoft for enduring all the negativity 
they got for UAC. But when I learned that they had exempted their own 
executables from UAC with an "auto elevate" signature in the manifest I 
just couldn't believe it.

With trembling hands, I clicked on the microsoft.com product features 
page and there it was: It was clearly promoting UAC and process 
elevation as a security feature. A Microsoft product turned out not to 
provide an effective security boundary after all. I was *shocked*.
On that day, my innocence was forever lost.

This is, IMHO, disingenuous of them to promote something as a feature 
which enhances security and then say later "No of course it's not a 
security boundary, whatever would make you think that?".

What possible definition of the term "security boundary" would _not_ 
encompass a facility for "running the Internet Explorer process with 
greatly restricted privileges" such that it "significantly reduces the 
ability of an attack to write, alter, or destroy data on the user's 
machine or to install malicious code"?!

If process elevation is not a "security boundary", then what does it 
elevate from, what does it elevate to, and what do you call the 
difference between them?

I assume others have reported this by now, but last I checked a year or 
so ago, some of these "auto elevate" processes in Vista were loading 
DLLs by names obtained from registry values that were writable by 
non-elevated tokens.

If you say something offers "protection" and people pay money to upgrade 
to this security-as-a-feature, and this "protection" is trivially 
bypassed, that's a security bug. You should fix it or give people their 
money back. Don't then say "well we never actually said it was a 
security boundary".

- Marsh
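
Added example, not part of Marsh Ray's post and not Microsoft code: a small Python parser that reports the UAC-relevant declarations in a Windows application manifest, namely the requestedExecutionLevel element and the autoElevate setting the post refers to. The element names and namespaces follow the documented manifest schema; the two manifests embedded in the block are constructed for illustration and are not copied from any shipped binary, and the review notes produced by findings() are this example's own wording. As a matter of fact outside the post, Windows honours autoElevate only for Microsoft-signed binaries installed in secure system locations, which is what a defender should check for when such a manifest turns up in an audit.

```python
"""Audit a Windows application manifest for its UAC declarations.

Added example (not from the original post).  Parses the
<requestedExecutionLevel> and <autoElevate> elements that decide how
UAC treats an executable.  The sample manifests at the bottom are
constructed for illustration, not taken from any real binary.
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def audit_manifest(xml_text: str) -> dict:
    """Return the UAC-relevant settings declared in a manifest.

    Keys: execution_level (str or None), ui_access (bool),
    auto_elevate (bool).  Elements are matched by local name so that
    manifests using an asmv3: prefix, a default namespace, or any
    other prefix are handled the same way.
    """
    root = ET.fromstring(xml_text)
    result = {"execution_level": None, "ui_access": False, "auto_elevate": False}
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "requestedExecutionLevel":
            result["execution_level"] = elem.get("level")
            result["ui_access"] = elem.get("uiAccess", "false").lower() == "true"
        elif name == "autoElevate":
            result["auto_elevate"] = (elem.text or "").strip().lower() == "true"
    return result


def findings(xml_text: str) -> list:
    """Review notes (this example's own wording) for a manifest's UAC settings."""
    info = audit_manifest(xml_text)
    notes = []
    if info["auto_elevate"]:
        notes.append("autoElevate=true: eligible for elevation without a UAC prompt "
                     "when Microsoft-signed and installed in a secure location")
    if info["execution_level"] in ("requireAdministrator", "highestAvailable"):
        notes.append(f"requestedExecutionLevel={info['execution_level']}: "
                     "runs with an elevated token")
    if info["ui_access"]:
        notes.append("uiAccess=true: may interact with higher-integrity UI windows")
    return notes


# Constructed sample: a manifest of the kind the post describes, requesting
# administrator rights and opting into auto-elevation.
AUTO_ELEVATE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <autoElevate>true</autoElevate>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>
"""

# Constructed sample: an ordinary application that runs as the invoking user.
AS_INVOKER_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

if __name__ == "__main__":
    for label, text in (("auto-elevate", AUTO_ELEVATE_MANIFEST),
                        ("as-invoker", AS_INVOKER_MANIFEST)):
        print(label, audit_manifest(text))
        for note in findings(text):
            print("  -", note)
```

In practice the manifest text is read from a binary's RT_MANIFEST resource or a side-by-side .manifest file and fed to audit_manifest(); anything reporting auto_elevate=True belongs on the list of binaries whose DLL search paths and registry-derived configuration deserve the scrutiny the post asks for.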

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/