Dailydave mailing list archives

Reverse Engineering is Hard :>


From: dave <dave () immunityinc com>
Date: Mon, 18 Oct 2010 16:56:38 -0400

When a vulnerability is found in a worm, Immunity considers it "public" and so we
don't have any qualms about releasing additional information about it.

However, I was interested to see that the Stuxnet vulnerabilities were "kept under
wraps" by various AV companies, and in today's case, oddly wrong.
http://blog.eset.com/2010/10/15/stuxnet-paper-revision

At the above URL ESET released an otherwise very good paper (is that BinNavi they
used?) about StuxNet. But if you actually reverse engineer the StuxNet worm, and
write up the vulnerabilities in it, you find out that they are not as described in
the StuxNet paper revision.

"""
3.6 Exploiting Unpatched 0-day in Task Scheduler

To circumvent UAC (User Account Control), introduced into Windows operating systems starting from Windows Vista, Stuxnet exploits a vulnerability in the Task Scheduler service which allows it to elevate privileges. When UAC is enabled, application software started by an administrator runs with user privileges by default. In certain cases, when an application requires administrative rights, a dialog box is displayed that prompts the user to allow privilege elevation (see figure below).

Figure 3.24 – Dialog box prompting user to allow privilege elevation

Exploiting this vulnerability in Task Scheduler allows Stuxnet to elevate its privileges up to SYSTEM level without displaying any interactive dialogs to the user, provided that the user is a member of the local administrators group.
"""

Anyone with a CANVAS subscription (all of 3K USD! :>) can see that this is not true:
the Task Scheduler exploit will get Local\SYSTEM regardless of what user it is run
under. You do not have to be in the local administrators group.

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave