Dailydave mailing list archives
Reverse Engineering is Hard :>
From: dave <dave () immunityinc com>
Date: Mon, 18 Oct 2010 16:56:38 -0400
When a vulnerability is found in a worm, Immunity considers it "public" and so we don't have any qualms about releasing additional information about it. However, I was interested to see that the Stuxnet vulnerabilities were "kept under wraps" by various AV companies, and in today's case, oddly wrong.

http://blog.eset.com/2010/10/15/stuxnet-paper-revision

At the above URL ESET released an otherwise very good paper (is that BinNavi they used?) about StuxNet. But if you actually reverse engineer the StuxNet worm, and write up the vulnerabilities in it, you find out that they are not as described in the StuxNet paper revision.

"""
3.6 Exploiting Unpatched 0-day in Task Scheduler

To circumvent UAC (User Account Control) introduced into Windows operating systems starting from Windows Vista, Stuxnet exploits a vulnerability in the Task Scheduler service which allows it to elevate privileges. When UAC is enabled, application software started by an administrator runs with user privileges by default. In certain cases when an application requires administrative rights, a dialog box is displayed that prompts the user to allow privilege elevation (see figure below).

Figure 3.24 – Dialog box prompting user to allow privilege elevation

Exploiting this vulnerability in Task Scheduler allows Stuxnet to elevate its privileges up to SYSTEM level without displaying any interactive dialogs to the user, provided that the user is a member of the local administrators group.
"""

Anyone with a CANVAS subscription (all of 3K USD! :>) can see that this is not true - the Task Scheduler exploit will get Local\SYSTEM regardless of what user it is run under. You do not have to be in the local administrator's group.
-dave