Bugtraq mailing list archives
Re: Foolproof Security Vulnerability
From: "Kevin (Sparty) Broderick" <sparty () UPSIDE NET>
Date: Tue, 10 Oct 2000 21:42:22 -0400
On Fri, 8 Dec 2000, Bryan Hughes wrote: [CHOMP]
A vulnerability exists in FoolProof Security, in that it restricts certain programs to be executed only by name. By renaming a restricted program, it can be successfully executed. This vulnerability can be used to successfully circumvent the security measures put forth by FoolProof, and even remove it entirely from the system.
[CHOMP--exploiting via FTP]
Solution: A quick fix would be the removal of the 'ftp' client (although it will still be possible to download a simple ftp client that will do the same job). Additionally, any shortcuts to 'command' should be removed, as this method will not work without it.
A quick note on access restriction in 9x/ME: I've looked at some other programs that attempt to lock the desktop as well. One of the issues I've noticed is the one listed above; any program can be executed if its name matches an allowed name (or doesn't match a disallowed name, depending on the method used). The huge vulnerability here is that if a user has write access to the file system, he or she can copy a restricted executable (or download a foreign executable) to a name he/she chooses. Attempting to block this is damn near impossible, at least in my experience, because even the Win9x Common Dialog Boxes allow the copying and renaming of files (there are no explicit buttons to do so, but try selecting a file and then hitting [F2] to rename it, or [CTRL]-[C] to copy and then [CTRL]-[V] to paste, optionally in another directory).

The first solution is to compile a list of allowed executables and lock the filesystem (Fortres for Windows will attempt this). However, since Windows 9x/Me isn't a multiuser OS by design, many apps expect to have full rein over their environment. In particular, Microsoft Office likes to make changes to its program directory. The scenario I've seen is that a user is allowed to write to the Microsoft Office directory with winword.exe, for example. So the user seeking additional access will start winword and copy command.com (or explorer.exe or the other program of his or her choice) over the Excel executable. The user then runs "Excel" and has much greater access to the system. If the filesystem and registry are somehow locked, they are still limited, but this scenario provides a way to execute arbitrary code even in a controlled environment.

Incidentally, the place where I had to deal with the above scenario eventually decided that trying to lock down the workstations made them too difficult to use and resorted to Ghosting and reimaging as necessary. YMMV.

--
--Sparty
web: http://upside.net/~sparty/
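The two bypasses described in this thread (copying a restricted program to an allowed name, and copying command.com over the Excel executable) both defeat a policy that identifies a program by its file name. The script below is an added illustration and is not code from the original post, from FoolProof or from Fortres: it models a name-based denylist next to a content-hash allowlist and runs both attacks against each policy. The "executables" are constructed byte strings written to a temporary directory; the names command.com, winword.exe, excel.exe and notes.exe are used only as stand-ins for the files the thread discusses.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in "executables". Only the content matters to a hash
# policy; only the file name matters to a name policy.
PROGRAMS = {
    "command.com": b"MZ-constructed-command-shell",
    "winword.exe": b"MZ-constructed-word-processor",
    "excel.exe": b"MZ-constructed-spreadsheet",
}


def sha256_file(path):
    """Hash a file's content in chunks (cheap even for real binaries)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameDenylist:
    """FoolProof-style check: block execution when the base name is denied."""

    def __init__(self, denied_names):
        self.denied = {n.lower() for n in denied_names}

    def allows(self, path):
        return os.path.basename(path).lower() not in self.denied


class HashAllowlist:
    """Content-based check: allow execution only of known file hashes."""

    def __init__(self, allowed_paths):
        self.allowed = {sha256_file(p) for p in allowed_paths}

    def allows(self, path):
        return sha256_file(path) in self.allowed


def demo():
    """Run both attacks from the thread against both policies.

    Returns a dict of policy decisions so the outcome can be inspected
    or asserted on; True means the policy would let the file execute.
    """
    root = tempfile.mkdtemp()
    paths = {}
    for name, content in PROGRAMS.items():
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(content)
        paths[name] = p

    name_policy = NameDenylist(["command.com"])
    # The allowlist is taken from the files as installed, before any tampering.
    hash_policy = HashAllowlist([paths["winword.exe"], paths["excel.exe"]])

    results = {}
    # Baseline: the shell itself is refused by both policies.
    results["command.com_by_name"] = name_policy.allows(paths["command.com"])
    results["command.com_by_hash"] = hash_policy.allows(paths["command.com"])

    # Attack 1 (Hughes): copy the restricted program to an innocuous name.
    renamed = os.path.join(root, "notes.exe")
    shutil.copyfile(paths["command.com"], renamed)
    results["renamed_by_name"] = name_policy.allows(renamed)
    results["renamed_by_hash"] = hash_policy.allows(renamed)

    # Attack 2 (Broderick): overwrite an allowed program, keeping its name.
    shutil.copyfile(paths["command.com"], paths["excel.exe"])
    results["overwritten_excel_by_name"] = name_policy.allows(paths["excel.exe"])
    results["overwritten_excel_by_hash"] = hash_policy.allows(paths["excel.exe"])

    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:28s} -> {'ALLOWED' if allowed else 'blocked'}")
```

Both attacks succeed against the name check and fail against the hash check, which is the whole point: a name is attacker-controlled wherever the user can write to the filesystem, while a content hash is not. The hash approach still depends on the user being unable to alter the allowlist itself, and on the check being made on the file actually handed to the loader (a file swapped between the check and the launch would slip past either policy).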
Current thread:
- Foolproof Security Vulnerability Bryan Hughes (Dec 11)
- Re: Foolproof Security Vulnerability Kevin (Sparty) Broderick (Dec 12)
- Re: Foolproof Security Vulnerability Seth Arnold (Dec 12)
- Re: Foolproof Security Vulnerability H D Moore (Dec 13)