Vulnerability Development mailing list archives

Re: Win2K Local DoS?


From: Mikael Olsson <mikael.olsson () ENTERNET SE>
Date: Mon, 7 Aug 2000 14:57:26 +0200

Kevin Stephenson wrote:

> I'm a bit out of my league here, but if a company wanted to physically
> secure their hardware (at least the power button and cord) and try to
> harden their Win2k Pro boxes in order to try and get some Orange Book level
> certification, aren't they fundamentally screwed because of things like
> this?

It's worse. As far as I'm able to tell, it should be IMPOSSIBLE to
get WinNT and W2K to comply to any useful degree of military
certification.

This was brought up on NTBugtraq around October last year, right
after Greg Hoglund publicized his findings about how the guts of
the NT security mechanisms work, in Phrack #55.

I wrote:
(this was about Red Book, but I assume that these basic requirements
 are part of all levels)

> According to Greg Hoglund, Red Book states that:
>   c. The reference validation mechanism must be small enough to be
>         subject to analysis and tests, the completeness of which can
>         be assured."[1]
>
> IMO, the fact that most services on NT machines run as LocalSystem
> expands the scope of reference validation mechanism quite a bit,
> doesn't it?
> Since LocalSystem can change the code which is run, it should
> be considered a part of it?
>
> One of the major culprits is IIS4, which cannot (easily?) be
> run as a user other than LocalSystem.
>
> Since these services are often rather complex, I assert
> that this behaviour expands the reference validation mechanism to
> something that is quite untestable.

[There's a hell of a lot more running as LocalSystem. Pretty much
every damn service, driver, etc, etc, there is runs as LocalSystem]

and Greg Hoglund agrees:

> Absolutely Brilliant!  Actually, NT isn't so bad - in terms of an OS.  It
> has some great features - the memory manager isn't too bad - and the SRM is
> great - the auditing architecture is very sound.  Why, then, does NT suck?
> Applications.  The apps break it - and as Mikael points out - IIS is one of
> the worst.  Just drop a process list - and find inetinfo.exe running as NT
> AUTHORITY/SYSTEM.  And using the impersonation API to drop the context of a
> thread is USELESS - I was talking w/ Dominique just the other day about
> this.  Dom pointed out how trivial it would be to simply call
> RevertToSelf() within your buffer overflow payload.  I guess the
> impersonation token is fairly useless then, isn't it.

[And by the way, a lot of the important back-end work in IIS is always run
 as LocalSystem, so you wouldn't even have to do RevertToSelf()]

So, how the hell Microsoft managed to get their patchwork certified is
beyond me. It could just be that some of the threats & bribes rumors
are true, no? :)

/Mike, just speculating

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
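The point the thread keeps returning to is that every service running as LocalSystem is, in effect, part of the reference validation mechanism, so a defender wants an inventory of exactly how much code that is. The following PowerShell audit is an added example, not part of Mikael's post or anything from the thread; it assumes a current Windows host with PowerShell 5.1 or later and read access to the Win32_Service CIM class, and the function name Get-LocalSystemServiceReport is mine.

```powershell
# Added example (not from the original post): inventory which Windows services
# run under the LocalSystem account, i.e. how much service code sits inside
# the trusted computing base. Assumes PowerShell 5.1+ and the Win32_Service
# CIM class; function name is an assumption, not a built-in cmdlet.

function Get-LocalSystemServiceReport {
    [CmdletBinding()]
    param(
        # Only report services in these states (default: running and stopped).
        [string[]]$State = @('Running', 'Stopped')
    )

    # Spellings of the full-privilege account as Win32_Service.StartName
    # reports it. LocalService and NetworkService are deliberately NOT listed:
    # they are the reduced-privilege alternatives a service should prefer.
    $fullPrivAccounts = @('LocalSystem', '.\LocalSystem', 'NT AUTHORITY\SYSTEM')

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -in $State }

    foreach ($svc in $services) {
        $account = $svc.StartName
        # -contains is case-insensitive in PowerShell, which matches how
        # Windows treats account names.
        $runsAsSystem = ($null -ne $account) -and ($fullPrivAccounts -contains $account)

        [pscustomobject]@{
            Name         = $svc.Name
            DisplayName  = $svc.DisplayName
            Account      = $account
            State        = $svc.State
            StartMode    = $svc.StartMode
            Path         = $svc.PathName
            RunsAsSystem = $runsAsSystem
        }
    }
}

# Usage: list the running services that hold full local privilege, grouped by
# binary path so third-party code (anything outside the system directory)
# stands out, then summarise how large that slice of the TCB is.
$report   = Get-LocalSystemServiceReport -State Running
$asSystem = @($report | Where-Object RunsAsSystem)

$asSystem |
    Sort-Object Path |
    Format-Table Name, Account, StartMode, Path -AutoSize

$thirdParty = @($asSystem | Where-Object { $_.Path -notlike "$env:SystemRoot\*" })

"{0} of {1} running services run as LocalSystem; {2} of those start a binary outside {3}" -f `
    $asSystem.Count, @($report).Count, $thirdParty.Count, $env:SystemRoot
```

Reading the output the way the thread suggests: each line in the LocalSystem list is code whose compromise hands over the whole machine, so the working questions for each entry are whether the service needs that account at all, and whether a LocalService, NetworkService or dedicated virtual service account would do instead. The third-party count is the part that tends to shrink with configuration changes; the in-system-directory entries are the baseline the platform itself imposes.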