Bugtraq mailing list archives

Re: Foolproof Security Vulnerability


From: "Kevin (Sparty) Broderick" <sparty () UPSIDE NET>
Date: Tue, 10 Oct 2000 21:42:22 -0400

On Fri, 8 Dec 2000, Bryan Hughes wrote:

[CHOMP]
A vulnerability exists in FoolProof Security, in that it restricts
certain programs to be executed only by name. By renaming a restricted
program, it can be successfully executed. This vulnerability can be used to
successfully circumvent the security measures put forth by FoolProof, and
even remove it entirely from the system.
[CHOMP--exploiting via FTP]
Solution:

A quick fix would be the removal of the 'ftp' client (although it will
still be possible to download a simple ftp client that will do the same
job.)

Additionally, any shortcuts to 'command' should be removed, as this method
will not work without it.

A quick note on access restriction in 9x/ME:
I've looked at some other programs that attempt to lock the desktop as
well.  One of the issues I've noticed is the one listed above; any program
can be executed if its name matches an allowed name (or doesn't match a
disallowed name, depending on the method used).  The huge vulnerability
here is that if a user has write access to the file system, he or she can
copy a restricted executable (or download a foreign executable) to a name
he/she chooses.  Attempting to block this is damn near impossible, at
least in my experience, because even the Win9x Common Dialog Boxes allow
the copying and renaming of files (there are no explicit buttons to do so,
but try selecting a file and then hitting [F2] to rename it, or [CTRL]-[C]
to copy and then [CTRL]-[V] to paste, optionally in another directory).
The first solution is to compile a list of allowed executables and lock
the filesystem (Fortres for Windows will attempt this).  However, since
Windows 9x/Me isn't a multiuser OS by design, many apps expect to have
full rein over their environment.
In particular, Microsoft Office likes to make changes to its program
directory.  The scenario I've seen is that (a) a user is allowed to write
to the Microsoft Office directory with winword.exe, for example.  So the
user seeking additional access will start winword and copy command.com
(or explorer.exe or the other program of his or her choice) over the Excel
executable.  The user then runs "Excel" and has much greater access to the
system.  If the filesystem and registry are somehow locked, they are still
limited, but this scenario provides a way to execute arbitrary code even
in a controlled environment.
Incidentally, the place where I had to deal with the above scenario
eventually decided that trying to lock down the workstations made them too
difficult to use and resorted to Ghosting and reimaging as necessary.
YMMV.

--
                                                --Sparty
web: http://upside.net/~sparty/

