Re: Circumventing Critical Security in Windows XP
As you might not be aware, there are more of these 'flaws' in the
Microsoft Windows operating systems. Having admin privileges means that
you can do anything with the system you want; for your actions to work
you need to have these rights and as such the flaw can only be
described as user error. You cannot blame a vendor for including tools
to manage services. That would be the same as claiming that a Unix root
user should not be able to do a rm -rf /. It's up to users how stupid
they want to be, and you can't solve user ignorance with technical
So, my conclusion is that your find is just the OS working like it
should be. Microsoft put the sc command in the OS on purpose and it is
even described and explained by MS in the books and on sites such as MSDN and
TechNet, so it's not a 'secret command' of any kind. Heck, you could use
net stop "some service" or do far worse with the REG and registry
commands or even WMI scripting and/or PowerShell than disabling
services, and all of those are usable from the command line. So again,
your find is not an exploit in any way, shape or form and it's also not
a security threat, it's simply the OS acting like it should :)
From: Andrew Barkley <barkley@xxxxxxx>
To: Jeroen <nowhereman@xxxxxxxxxx>
Subject: Re: Circumventing Critical Security in Windows XP
Date: Sat, 20 Feb 2010 04:20:46 -0000
Thank you for your reply.
Firstly, it goes without saying that given time, effort and resources,
exploitation of any kind will eventually succeed. However, exploitation
via this vector, now becomes a mere "tic in a box" so to speak. The
whole experience is instant, requiring no effort whatsoever, on the very
next reboot these critical security services are disabled.
Exploiting this vector does require Admin privileges, which is not
uncommon and also the default for most users, especially with regards to
Windows XP. Should this "specially created file" (HotFix.reg) now be
executed in any way, shape or form i.e. natively (disguised of course),
or even worse, embedded (obfuscated) within a harmless document,
spreadsheet etc; the consequences would be as follows:
I've discovered a vector for exploitation, that requires no effort
whatsoever to circumvent the security of critical security services in
all versions of Windows XP & W2K. The implications of this vector being
exploited are clear.
It goes without saying that should this discovery become public
knowledge, this would in fact make it a very effective tool in the hands
of miscreants to immobilise critical security functions i.e. firewall,
antivirus, intrusion protection etc. In my opinion, this vector is
certainly not a vulnerability nor a flaw so to speak, but rather a
functional design oversight.
NOTE: This same technique can be obfuscated in any unsuspecting
document, spreadsheet etc. Thus, unsuspecting victims would be unaware
that their system's critical security services have been disarmed,
leaving them compromised and exposed to further exploitation.
This very specific vector I've discovered requires a mere execution of
the following "specially prepared file" (HotFix.reg). The following
critical security services (as an example) will be registered as
disabled, and on the very next reboot these critical security services
will be disabled, thus leaving the user exposed and unprotected.
To further demonstrate the real effectiveness and simplicity of
exploiting this vector, I've also packaged together the following simple
Example of critical security services affected
* ISS Proventia
* Trusteer Rapport
------ Original Message ------
Received: Fri, 19 Feb 2010 03:42:55 PM GMT
From: Jeroen <nowhereman@xxxxxxxxxx>
Subject: Re: Circumventing Critical Security in Windows XP
I'm unable to reproduce your find on an unpatched XP machine,
one with SP1 and one with SP2.
The only way I can reproduce the problem is by executing the
administrator which kind of defeats the whole purpose of your
When I run the command (as a normal user) as stated by you I get an
error that manual is not a valid state; only boot|system|auto|
disabled seem to be valid. When trying disabled, I get the
notice that I do not have sufficient rights.
Can you be more precise as to how and what you have tested?
bug is triggered by a certain hotpatch or otherwise?
Subject: Circumventing Critical Security in Windows XP
Date: 17 Feb 2010 14:04:12 -0000
I've detailed below just how easy (too easy) it is to circumvent
security of the following critical security services. Thus can't
It goes without saying that malware on entering a system by
means, and on detecting critical security services, can now even
easily (automated/scripted) disarm critical security services,
modifying unprotected registry entries, for whatever malevolent
I've created registry entries (I can send these to you should
interested) to demonstrate just how easy it is to circumvent
security of these critical security services, which
all too easily a very effective way of immobilising critical
functions i.e. firewall, antivirus etc. This in my opinion is
certainly not a vulnerability nor a flaw so to speak, but rather
functional design oversight?
I've verified this against the following with success. After
registry modifications have been effected and the system
these critical services will be disarmed.
On successfully disarming these security services, one could
the following to then further manipulate the drivers & services,
reconfiguring their startup parameters to 'manual' and not
'automatic', or just disable them altogether.
i.e. The following will reconfigure the startup parameters to
and not 'automatic' (default)
C:\>sc config VPatch start= demand
C:\>sc config BlackICE start= demand
C:\>sc config McShield start= demand
C:\>sc config McTaskManager start= demand
C:\>sc config McAfeeFramework start= demand
C:\>sc config Pointsec_start start= demand
C:\>sc config Pointsec start= demand
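The thread's point is that a .reg import or "sc config ... start=" simply rewrites the Start value under HKLM\SYSTEM\CurrentControlSet\Services. As an added defender-side example (not code from either poster), the following PowerShell audit reads that same value for the services named in the thread, reports any that are no longer Automatic, and resets them; the service list is taken from the commands above and the Start value semantics are Microsoft's documented ones.

```powershell
# Added example, not part of the original thread: audit the registry Start
# value that a .reg import or "sc config ... start=" changes.
# Documented Start values: 0 = Boot, 1 = System, 2 = Automatic,
#                          3 = Manual (demand), 4 = Disabled
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Service names taken from the sc commands quoted in the thread; extend as needed.
$CriticalServices = @(
    'VPatch', 'BlackICE', 'McShield', 'McTaskManager',
    'McAfeeFramework', 'Pointsec_start', 'Pointsec'
)

function Get-ServiceStartAudit {
    param([string[]]$Names, [int]$Expected = 2)   # 2 = Automatic
    foreach ($name in $Names) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) {
            # Not installed on this host; reported so the list can be pruned.
            [pscustomobject]@{ Service = $name; Start = $null; State = 'NotInstalled'; Ok = $true }
            continue
        }
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        $label = if ($null -ne $start -and $StartTypes.ContainsKey([int]$start)) {
            $StartTypes[[int]$start]
        } else { 'Unknown' }
        [pscustomobject]@{
            Service = $name
            Start   = $start
            State   = $label
            Ok      = ($start -eq $Expected)
        }
    }
}

# Report every service whose start type drifted from Automatic, then restore it.
# As the thread notes, the change only takes effect at the next boot, so a
# drifted value found here is a warning before the service actually stops.
$audit = Get-ServiceStartAudit -Names $CriticalServices
$audit | Format-Table -AutoSize
foreach ($row in $audit | Where-Object { -not $_.Ok }) {
    Write-Warning "$($row.Service) start type is $($row.State); resetting to Automatic"
    Set-Service -Name $row.Service -StartupType Automatic
}
```

Run it from an elevated prompt (the same privilege the thread says the change itself requires); scheduling it to run at startup turns a one-off check into a cheap drift detector.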