New Windows exploit: "Shatter"

[Tobiasly]

Quote:

Originally posted by headsplice
Actually, it was Windows 2000, now that I look back at articles and discussions. My apologies for the error. Yes, it took lots and lots of man-hour-years to rebuild Windows.

I'll make my case once more and then let this die. They did not rebuild Windows for 2000. They didn't rebuild it for XP. One could argue that the original Windows NT was rebuilt, but that was hardly "from the ground up", since it had to have a considerable degree of backwards compatibility with previous Windows versions.

The low-level API message passing structure, which is the cause of this problem, remained largely the same when they wrote NT. It had to be, and has to be, because otherwise Windows programs would stop working.

But regardless, my point is that your frustration at Microsoft not "plugging this hole" is unfounded. Be pissed because they wrote a crappy OS with such a shaky foundation. Be pissed because they try to extend thier desktop-OS monopoly into every other market. Be pissed that there's no OS-level mechanism for preventing crappy programs like AOL from spewing shit all over your desktop and rearranging your file extensions. But you can't be pissed that they're not fixing this problem, because as the article points out, it's pretty much unfixable.

If you still want to state that they rewrote Windows from scratch, please provide links to the articles you're using for reference.

[jaguar]

btw maggie, this HAS to be a blackbag job - it requires physical access. Although you could *in theory* i *think* do it over some kind of remote desktop app, but i wouldn't be sure.

<b>This particular exploit</b> requires physical access. That doesn't mean that a program downloaded from CNET's download.com couldn't do it too. And I'm sure a remote desktop app would work just dandy.

Who knows how this flaw can and will be exploited...

[MaggieL]

Quote:

Originally posted by jaguar
btw maggie, this HAS to be a blackbag job - it requires physical access. Although you could *in theory* i *think* do it over some kind of remote desktop app, but i wouldn't be sure.

You'd be sure if you'd actually read the whole paper.

[MaggieL]

Appropos of some of the dismissive attitudes about this paper, I'm including a response from the editor of the reasonably authoritiative NTbugtraq...
<blockquote>
From: Russ <Russ.Cooper@RC.ON.CA>
Subject: Re: White paper: Exploiting the Win32 API.

Boy what a flurry.

Most people posting are saying;

a) This is a non-issue, its entirely due to poor programming practice. Bad Vendors write services marked as SERVICE_INTERACTIVE_PROCESS, install as LocalSystem and autostart, then add a GUI or any other sort of message receiver. The bind to WinSta0 and, as a result, open themselves to attack. Bad Bad Vendors.

b) But, since we've known about this issue for so long, nobody ever does this (note exception in point #1 above).

c) Oh, and since you need to get code onto the system in order to do this, *this* stuff is irrelevant, if I can get code on your system you're already owned.

Since dullien@gmx.de decided to post saying that this FUD was, in part, my fault for allowing it through, my observations follow;

1. There are far too many Bad Bad Vendors.

2. How you going to check to see if a Vendor is Bad or not? Look to see if his service installed as LocalSystem?? That's no answer. Look to see if he has a Window as part of his interface? That's no answer. Ask them?? Yeah, right! Paget has, at least, provided a tool and explanation sufficient to start checking. Certainly not a solution, but I have a stinking suspicion most of you weren't checking before this paper...despite it being so old and, for some, so well known.

3. Am I the only one who noticed Paget's reference to DDE Server??? Did I miss that reference in the past research others have pointed to?

4. To the bit about owning a machine because you got code on it...come on. You can't own a machine until you get code on it, whether that's via a flawed ISAPI filter, malicious email, web page, or virus. When exploitation of AEDebug was discovered it wasn't deemed a non-issue. If every virus ran in the context of LocalSystem, viruses would cause far more damage than they do today. Its also worth considering auditing in all of this.

5. More than a few people have said he hasn't proven his contentions wrt the OS being vulnerable (e.g. DDE Server or something else that ships as a default component of an OS). I, for one, am glad that he has, so far, chosen not to provide a sample exploit prior to MS' analysis. Be skeptical all you want, but some of the messages I've read could be poster children for the reasons some discoveries come out as 0day exploits attacking you en-masse.

IMO the dismissive attitude towards Paget's work comes from his contention its an "entirely new class of attacks". Fine, argue that if you want, make him humble himself before all those who previously discussed these issues, but thank him for a tool and recent analysis that brings it to our attention again.

At the very least his paper held the tool, a security vulnerability in Viruscan, and an indication that DDE Server may be vulnerable.

Cheers,
Russ - NTBugtraq Editor

</blockquote>

[russotto]

Well, it's true that it's NOT an entirely new class of attack. It's somewhat similar to the old TIOCSTI/TIOCNOTTY (a.k.a ttydev) attack on UNIX, and related attacks against x-windows (ask a certain UMCP sysadmin about xhost -- I think his systems were rooted by every hacker at the place)

This one's even broader in scope, though -- those only gave you control of the running program. This gives you full access AS the running program.

[jaguar]

Ill read over it again. The first time i was replicating it as i went.

Dham the way i see it you need to have a remote desktop app running, physical access to a way of executing arbitary code on the machine. If you've alredy used another exploit to run code this woudl not be the most efficient way to raise your privliges.

The key thing is you need to have a window you can enter text and you need to know its window handle. I'm not familiar enough with the windows API to know if you could get the handle without a desktop but you could open a window up by opening a new process. Either way you need to be able to execute code on the machines which requires some privliges.
For corperate networks its gonna be hell, we're gonan be installing a few things at school in the near futures as it is but its not a remote exploit the same way a hole in OpenSSH is.