
Re: Circumventing Critical Security in Windows XP



Hi Andrew,

As you might not be aware, there are more of these 'flaws' in the
Microsoft Windows operating systems. Having admin privileges means that
you can do anything with the system you want; for your actions to work
you need to have these rights and as such the flaw can only be
described as user error. You cannot blame a vendor for including tools
to manage services. That would be the same as claiming that a Unix root
user should not be able to do a  rm -rf /  -- it's up to users how stupid
they want to be, and you can't solve user ignorance with technical
solutions.
So, my conclusion is that your find is just the OS working like it
should. Microsoft put the sc command in the OS on purpose and it is
even described and explained by MS in the books and on sites such as MSDN and
TechNet, so it's not a 'secret command' of any kind; heck, you could use
net stop "some service" or do far worse with the REG and registry
commands or even WMI scripting and/or PowerShell than disabling
services, and all of those are usable from the command line. So again,
your find is not an exploit in any way, shape or form and it's also not
a security threat, it's simply the OS acting like it should :)

Regards,
Jeroen

-----Original Message-----
From: Andrew Barkley <barkley@xxxxxxx>
To: Jeroen <nowhereman@xxxxxxxxxx>
Subject: Re: Circumventing Critical Security in Windows XP
Date: Sat, 20 Feb 2010 04:20:46 -0000

Hi,

Thank you for your reply.

Firstly, it goes without saying that given time, effort and resources,
exploitation of any kind will eventually succeed. However, exploitation
via this vector now becomes a mere "tick in a box", so to speak. The
whole experience is instant, requiring no effort whatsoever; on the very
next reboot these critical security services are disabled.

Exploiting this vector does require Admin privileges, which is not
uncommon and also the default for most users, especially with regards to
Windows XP. Should this "specially created file" (HotFix.reg) now be
executed in any way, shape or form, i.e. natively (disguised of course),
or even worse, embedded (obfuscated) within a harmless document,
spreadsheet etc., the consequences would be as follows:


In Summary 
I've discovered a vector for exploitation, that requires no effort
whatsoever to circumvent the security of critical security services in
all versions of Windows XP & W2K. The implications of this vector being
exploited are clear. 

It goes without saying that should this discovery become public
knowledge, this would in fact make it a very effective tool in the hands
of miscreants to immobilise critical security functions i.e. firewall,
antivirus, intrusion protection etc. In my opinion, this vector is
certainly not a vulnerability nor a flaw so to speak, but rather a
functional design oversight. 

NOTE:  This same technique can be obfuscated in any unsuspecting
document, spreadsheet etc. Thus, unsuspecting victims would be unaware
that their system's critical security services have been disarmed,
leaving them compromised and exposed to further exploitation. 

This very specific vector I've discovered requires a mere execution of
the following "specially prepared file" (HotFix.reg). The following
critical security services (as an example) will be registered as
disabled, and on the very next reboot these critical security services
will be disabled, thus leaving the user exposed and unprotected. 

To further demonstrate the real effectiveness and simplicity of
exploiting this vector, I've also packaged together the following simple
executable (HotFix.exe). 


Example of critical security services affected 
      * BlackICE
      * McAfee
      * Pointsec
      * ISS Proventia
      * ZoneAlarm
      * Avast
      * AVG
      * Trusteer Rapport 


Kind regards 

Andrew Barkley 


------ Original Message ------ 
Received: Fri, 19 Feb 2010 03:42:55 PM GMT 
From: Jeroen <nowhereman@xxxxxxxxxx> 
To: barkley@xxxxxxx 
Subject: Re: Circumventing Critical Security in Windows XP 


        Hey Andrew,
        
        I'm unable to reproduce your find on an unpatched XP machine, as well as
        one with SP1 and one with SP2.
        The only way I can reproduce the problem is by executing the commands as
        administrator which kind of defeats the whole purpose of your 'bug'.
        When I run the command (as a normal user) as stated by you I get the
        error that manual is not a valid state, only boot|system|auto|demand|
        disabled seem to be valid. When trying disabled, I get the notice that I
        do not have sufficient rights.
        
        Can you be more precise as to how and what you have tested? Maybe the
        bug is triggered by a certain hotpatch or otherwise?
        
        Regards, 
        Jeroen 
        
        -----Original Message----- 
        From: barkley@xxxxxxx 
        To: bugtraq@xxxxxxxxxxxxxxxxx 
        Subject: Circumventing Critical Security in Windows XP 
        Date: 17 Feb 2010 14:04:12 -0000 
        
        Hi,
        
        I've detailed below just how easy (too easy) it is to circumvent the
        security of the following critical security services. Thus can't now
        become can!
        
        It goes without saying that malware on entering a system by whichever
        means, and on detecting critical security services, can now even more
        easily (automated/scripted) disarm critical security services, just by
        modifying unprotected registry entries, for whatever malevolent
        purposes.
        
        I've created registry entries (I can send these to you should you be
        interested) to demonstrate just how easy it is to circumvent the
        security of these critical security services, which unfortunately is
        all too easily a very effective way of immobilising critical security
        functions i.e. firewall, antivirus etc. This in my opinion is
        certainly not a vulnerability nor a flaw so to speak, but rather a
        functional design oversight?
        
        I've verified this against the following with success. After these
        registry modifications have been effected and the system rebooted,
        these critical services will be disarmed.
        
        BlackICE
        McAfee
        Pointsec
        ISS Proventia
        ZoneAlarm
        
        On successfully disarming these security services, one could also use
        the following to then further manipulate the drivers & services, by
        reconfiguring their startup parameters to 'manual' and not
        'automatic', or just disable them altogether.
        
        i.e. The following will reconfigure the startup parameters to 'manual'
        and not 'automatic' (default)
        C:\>sc config VPatch start= demand
        C:\>sc config BlackICE start= demand
        C:\>sc config McShield start= demand
        C:\>sc config McTaskManager start= demand
        C:\>sc config McAfeeFramework start= demand
        C:\>sc config Pointsec_start start= demand
        C:\>sc config Pointsec start= demand
        
        
        Cheers 
        
        Andrew Barkley 
        (-_-)
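The thread turns on one mechanism: a service's startup type lives in the `Start` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`, and both `sc config ... start= demand` and an imported .reg file simply rewrite that value (0 boot, 1 system, 2 auto, 3 demand/manual, 4 disabled). From a defender's side the useful check is to inspect a .reg file before anyone imports it and report every service whose start type it would downgrade. The following Python script is an added example, not code from either correspondent or from the HotFix.reg file discussed above; the .reg text it scans is constructed here, and the service names in it (`ExampleAVService`, `ExampleFirewall`) are placeholders.

```python
"""Scan a Windows .reg export for writes to a service's Start value.

Added example (not part of the original thread). Parses .reg text offline and
lists every service whose startup type the file would change, decoding the
value with the documented Service Control Manager start types.
"""
import re

# Documented meanings of the Start DWORD under a service's registry key.
START_TYPES = {
    0: "boot",
    1: "system",
    2: "auto",
    3: "demand",    # 'manual' in the Services MMC; what `sc config ... start= demand` writes
    4: "disabled",
}

# Section header for a service key, e.g.
# [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
# Subkeys such as ...\Spooler\Parameters deliberately do not match.
_SECTION_RE = re.compile(
    r"^\[(?:HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\(?P<svc>[^\\\]]+)\]$",
    re.IGNORECASE,
)
# "Start"=dword:00000004 style value line.
_START_RE = re.compile(r'^"Start"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')


def find_start_changes(reg_text):
    """Return [(service, start_value, meaning)] for every Start write in the file."""
    findings = []
    current = None            # service name of the section we are inside, if any
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("svc")
            continue
        if line.startswith("["):      # some other key: leave service context
            current = None
            continue
        if current is None:
            continue
        m = _START_RE.match(line)
        if m:
            value = int(m.group("hex"), 16)
            findings.append((current, value, START_TYPES.get(value, "unknown")))
    return findings


def suspicious_changes(reg_text, watched):
    """Only the watched services whose start type would become demand or disabled."""
    watched_lc = {w.lower() for w in watched}
    return [f for f in find_start_changes(reg_text)
            if f[0].lower() in watched_lc and f[1] in (3, 4)]


# Constructed sample .reg content (placeholder service names, not real products).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleAVService]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleFirewall]
"DisplayName"="Example Firewall"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Example]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    watched = ["ExampleAVService", "ExampleFirewall", "Spooler"]
    for svc, value, meaning in suspicious_changes(SAMPLE_REG, watched):
        print(f"{svc}: Start would become {value} ({meaning})")
```

Real exports written by regedit in the "Version 5.00" format are UTF-16LE with a byte-order mark, so read them with `open(path, encoding="utf-16")` before passing the text in; the same parser then works on a file an end user has been asked to double-click, on a quarantined attachment, or on a registry export taken during incident response.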