Message-ID: <45B7D4F682A64DE09FDAE9AD70C0EB37@celsius>
Date: Wed, 21 May 2014 18:26:09 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Tavis Ormandy" <taviso-1TlbntoI6+xF6kxbq+BtvQ@...lic.gmane.org>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Beginners error: Hewlett-Packards driver software executes
	rogue binary C:\Program.exe

"Tavis Ormandy" <taviso-1TlbntoI6+xF6kxbq+BtvQ@...lic.gmane.org> wrote:

> "Stefan Kanthak" <stefan.kanthak-i47jiTeKxPI@...lic.gmane.org> wrote:
>
>> Hi @ll,
>>
>> several programs of the current Windows 7 driver software for the "HP
>> OfficeJet 6700" multifunction device execute a rogue program
>> C:\Program.exe
>>
>>
>
> It sounds like a bug, but why is this a security issue?

It's a DoS too.
But in the first place it's just AWFUL BAD coding and SLOPPY QA: "long"
filenames with embedded spaces have existed for more than 20 years in Windows,
but some paid dimwits in companies like HP, Microsoft, McAfee, Synaptics,
... still don't get their code right.

> I can only imagine two possible scenarios
>
> 1. You've somehow made the root partition FAT32, in which case you're using a
> non-securable filesystem; therefore not a security issue.
> 2. You've set a bad ACL on the root directory, therefore user error.

3. You think Windows' "user account control" is a security boundary.

But UAC is NOT a security boundary:

<http://technet.microsoft.com/magazine/2007.06.uac.aspx>

| Elevations and Security Boundaries
...

<http://support.microsoft.com/kb/2526083>

| Same-desktop Elevation in UAC is not a security boundary and can be hijacked
| by unprivileged software that runs on the same desktop. Same-desktop
| Elevation should be considered a convenience feature, and from a security
| perspective, "Protected Administrator" should be considered the equivalent
| of "Administrator."

<http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx>

| It should be clear then, that neither UAC elevations nor Protected Mode IE
| define new Windows security boundaries. Microsoft has been communicating
| this but I want to make sure that the point is clearly heard.

<http://download.microsoft.com/download/0/e/9/0e922c03-8537-482f-b57c-aa385b3dee20/Security_Best_Practice_Guidance_for_Consumers.doc>

| It's very important to remember that UAC prompts are not a security boundary
| - they don't offer direct protection.

> If you believe otherwise, please post details, as that would be an
> interesting discovery.

Every user account created during Windows setup is an administrator account,
so every user can create C:\Program.exe

Microsoft has been trying to sell "defense in depth" to their customers since
they started their "trustworthy computing" about 13 years ago. But they still
create administrator accounts during Windows setup, CreateProcess() still
has the idiosyncrasy of executing C:\Program.exe, and the WHQL certification
still lets drivers pass which execute C:\Program.exe during installation and
operation.

This bad practice then yields software like the HP drivers.

regards
Stefan Kanthak


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/