Vulnerability Development mailing list archives
Re: Win2K Local DoS?
From: Mikael Olsson <mikael.olsson () ENTERNET SE>
Date: Mon, 7 Aug 2000 14:57:26 +0200
Kevin Stephenson wrote:
> I'm a bit out of my league here, but if a company wanted to physically secure their hardware (at least the power button and cord) and try to harden their Win2k Pro boxes in order to try and get some Orange Book level certification, aren't they fundamentally screwed because of things like this?
It's worse. As far as I'm able to tell, it should be IMPOSSIBLE to get WinNT and W2K to comply with any useful degree of military certification. This was brought up on NTBugtraq around October last year, right after Greg Hoglund publicized his findings about how the guts of the NT security mechanisms work, in Phrack #55. I wrote (this was about Red Book, but I assume that these basic requirements are part of all levels):
> According to Greg Hoglund, Red Book states that:
>
> "c. The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured." [1]
>
> IMO, the fact that most services on NT machines run as LocalSystem expands the scope of the reference validation mechanism quite a bit, doesn't it? Since LocalSystem can change the code which is run, it should be considered a part of it? One of the major culprits is IIS4, which cannot (easily?) be run as a user other than LocalSystem. Since these services are often rather complex, I assert that this behaviour expands the reference validation mechanism to something that is quite untestable.
[There's a hell of a lot more running as LocalSystem. Pretty much every damn service, driver, etc, etc, there is runs as LocalSystem] and Greg Hoglund agrees:
> Absolutely Brilliant!
>
> Actually, NT isn't so bad - in terms of an OS. It has some great features - the memory manager isn't too bad - and the SRM is great - the auditing architecture is very sound. Why, then, does NT suck? Applications. The apps break it - and as Mikael points out - IIS is one of the worst. Just drop a process list - and find inetinfo.exe running as NT AUTHORITY/SYSTEM.
>
> And using the impersonation API to drop the context of a thread is USELESS - I was talking w/ Dominique just the other day about this. Dom pointed out how trivial it would be to simply call RevertToSelf() within your buffer overflow payload. I guess the impersonation token is fairly useless then, isn't it.
[And by the way, a lot of the important back-end work in IIS is always run as LocalSystem, so you wouldn't even have to do RevertToSelf()]

So, how the hell Microsoft managed to get their patchwork certified is beyond me. It could just be that some of the threats & bribes rumors are true, no? :)

/Mike, just speculating

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00  Fax: +46-(0)660-122 50  Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se  E-mail: mikael.olsson () enternet se
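As an added illustration that is not part of the original thread: a PowerShell audit (my own code, not anything from the posters) that counts services per logon account and reports which account a named process runs under, the two checks this post and Hoglund's reply describe doing by hand. It assumes a modern Windows host with the CIM cmdlets; Win32_Service and Win32_Process are standard WMI classes, the function names are my own.

```powershell
# Added audit example, not code from the original thread. Assumes PowerShell 5.1+
# with the CIM cmdlets. Win32_Service/Win32_Process are standard classes; the
# function names here are mine.

function Get-ServiceAccountSummary {
    # Group services by logon account and flag the ones running as LocalSystem,
    # i.e. code that effectively sits inside the reference validation mechanism.
    [CmdletBinding()]
    param(
        [string[]]$HighPrivilegeAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
    )
    $services = @(Get-CimInstance -ClassName Win32_Service)
    $summary = $services |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Account       = $_.Name
                Count         = $_.Count
                Running       = @($_.Group | Where-Object State -eq 'Running').Count
                HighPrivilege = $HighPrivilegeAccounts -contains $_.Name
            }
        }
    $sysCount = @($services | Where-Object { $HighPrivilegeAccounts -contains $_.StartName }).Count
    Write-Verbose ("{0} of {1} services are configured to run as LocalSystem" -f $sysCount, $services.Count)
    return $summary
}

function Get-ProcessOwnerReport {
    # Report the account a named process runs under (the "drop a process list
    # and find inetinfo.exe running as SYSTEM" check from Hoglund's reply).
    param([string]$ProcessName = 'inetinfo.exe')
    $safeName = $ProcessName -replace "'", "''"   # escape quotes for the WQL filter
    Get-CimInstance -ClassName Win32_Process -Filter "Name='$safeName'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Name      = $_.Name
                Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
            }
        }
}

# Usage: accounts with their service counts, then the identity of the IIS process.
Get-ServiceAccountSummary -Verbose | Format-Table -AutoSize
Get-ProcessOwnerReport -ProcessName 'inetinfo.exe' | Format-Table -AutoSize
```

Rows where HighPrivilege is true are the services whose code, by the argument above, must be counted as part of the trusted computing base when assessing the host.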