Vulnerability Development mailing list archives
Re: Smashing Windows
From: "The Blueberry" <acr872k () hotmail com>
Date: Thu, 11 Apr 2002 21:16:45 +0000
Hi group,
> While we're on the topic, I'm wondering what techniques and/or programs would be of use to effectively audit Windows operating systems and services, specifically NT based?

For this you can use API monitors, registry, disk, etc... Some good tools can be found at www.sysinternals.com.
But if you search more specifically for something to target in depth one program or one function in the OS, look at win32 debuggers like SoftIce or alikes.

> For example, privilege escalation, buffer overflows, format strings within local programs or system services. Other than a few documents on format strings and buffer overflows, there isn't much information to help aid in the auditing of programs specifically of importance to the Windows OS.

I'm not aware of any papers on that subject but you can always take a look at phrack or at currently existing exploits as this can help you a bit.

> Another main question is how exactly are local privileges gained? For example, under unix only programs suid/sgid that are vulnerable can sometimes be exploited to gain root. Would there be the same thing or something similar to this under an NT environment? And if so, what?

It can be the same in NT: a service (IIS, etc...) that runs habitually under high privileges can give up its privileges by a buffer overflow or an input validation that fools the program into executing custom code supplied by the attacker...

> Is there any information that I can be directed to that maybe I'm missing? As well as programs and other criteria of importance. Also, is there such things as race conditions under Windows? Signal exploitation? Or things under Windows that can be exploited that can't under *nix or vice versa.

Humm... race condition? Maybe but it's very unlikely for a NT program to use the temporary directory to put anything exploitable. Signal exploitation? No, AFAIK. Usually in Windows the great thing to exploit is user input; buffer overflows and input validation errors.

> Any light or reference to information on this topic, considering it is broad scope, would be greatly appreciated.

I'm not really aware of any general information about Windows' architecture in the field of security. Maybe others in the list will be able to help you more than me about this.
--TB
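The reply's point that a privileged NT service is typically lost through unchecked user input (a buffer overflow or a missing input validation) is illustrated below with an added example that is not from the original post or its author. It shows a request handler for a hypothetical service in its vulnerable form beside a hardened form that validates the client-supplied field before copying it. The function names (`handle_request_unsafe`, `handle_request_safe`, `demo_*`), the `NAME_MAX` limit and the sample inputs are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-size field a hypothetical service reserves for a client-supplied name. */
#define NAME_MAX 32

/* Vulnerable form: the service trusts the client to send a short name.
 * strcpy copies until the first NUL, so any name of NAME_MAX bytes or more
 * writes past the end of the stack buffer. This is the "input validation
 * error" class the post describes; it is kept here only for comparison and is
 * never called with oversized input. */
int handle_request_unsafe(const char *client_name) {
    char name[NAME_MAX];
    strcpy(name, client_name);          /* no bound check */
    return (int)strlen(name);
}

/* Hardened form: validate length and content first, reject rather than
 * truncate silently, and copy only after the checks pass.
 * Returns the accepted length, or -1 when the request is refused. */
int handle_request_safe(const char *client_name, size_t client_len) {
    char name[NAME_MAX];
    if (client_name == NULL) return -1;
    /* Need one byte for the terminator, so >= NAME_MAX is already too long. */
    if (client_len == 0 || client_len >= NAME_MAX) return -1;
    /* Refuse embedded NULs and non-printable bytes; a service name field
     * has no business carrying them. */
    for (size_t i = 0; i < client_len; i++) {
        unsigned char c = (unsigned char)client_name[i];
        if (c < 0x20 || c > 0x7e) return -1;
    }
    memcpy(name, client_name, client_len);
    name[client_len] = '\0';
    return (int)strlen(name);
}

/* Constructed sample: a short, well-formed name (accepted). */
int demo_accept_ok_name(void) {
    const char *ok = "alice";
    return handle_request_safe(ok, strlen(ok));
}

/* Constructed sample: a 63-byte name, longer than NAME_MAX (refused). */
int demo_reject_long_name(void) {
    char big[64];
    memset(big, 'a', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return handle_request_safe(big, strlen(big));
}

/* Constructed sample: a name carrying a control byte (refused). */
int demo_reject_control_byte(void) {
    const char bad[] = "bob\x01";
    return handle_request_safe(bad, sizeof(bad) - 1);
}

int main(void) {
    printf("ok name      -> %d\n", demo_accept_ok_name());
    printf("long name    -> %d\n", demo_reject_long_name());
    printf("control byte -> %d\n", demo_reject_control_byte());
    return 0;
}
```

The hardened handler makes the length an explicit parameter instead of relying on a terminator the client controls, and it refuses bad input outright; silently truncating would hide the fact that someone is probing the field.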
Current thread:
- Smashing Windows Nicholas R. (Apr 10)
- Re: Smashing Windows Tim Morgan (Apr 11)
- <Possible follow-ups>
- Re: Smashing Windows The Blueberry (Apr 11)