Author Topic: Shameless Plug  (Read 8133 times)

0 Members and 1 Guest are viewing this topic.

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Shameless Plug
« on: May 15, 2007, 12:14:10 pm »
In a blog by iago about me, he talks about a security vulnerability I disclosed to Bugtraq regarding a Trojan-style exploit that takes advantage of the composition of the Start Menu to effectively trick a user to elevate a proxy program to administrative privileges.  See the blog entry and related whitepaper for the details. ;)
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: Shameless Plug
« Reply #1 on: May 15, 2007, 12:58:34 pm »
Very interesting read

Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: Shameless Plug
« Reply #2 on: May 15, 2007, 02:08:24 pm »
I'm on the fence as to whether you'd really call this a security vulnerability than more of a social engineering attack.

Furthermore, once you have already run malicious code with (even limited) write access, you can by definition not trust anything that the code could have written to.

Code signing can mitigate this, but it still isn't foolproof (e.g. could replace a new version of an app with an old version that has a security hole).  More to the point, you shouldn't be elevating programs sourced from a location that is writable to plain users in the first place.

You can look at UAC in two lights:

1) As a way to make it more convenient to run as a plain user, by providing a seamless elevation path for known-good administrative tools run from a secure location, as opposed to having them just fall over and die when you run them.
2) As a diaper for those "Oh, shit, I just ran malicious code" moments.  This isn't something you should be relying on anyway (consider that your secret documents on that user account are -already- toast and copies are already on their way to China or who knows where, after your local copies have been deleted).

Some people market UAC as a security feature.  In as much as it helps users run with lesser privileges, this is good, but if you value your data more than your system files, you still need to be careful (or run untrusted things in an isolated user account that doesn't have read access to your personal data).

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Shameless Plug
« Reply #3 on: May 15, 2007, 03:24:45 pm »
I'm on the fence as to whether you'd really call this a security vulnerability than more of a social engineering attack.
I think it's more of a social engineering attack, but it allows a malicious user to bypass UAC's protection.

You're right that people shouldn't run untrusted code in their profiles, but in the real world people do, every day. And because of attacks like this, UAC isn't going to save them.

Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: Shameless Plug
« Reply #4 on: May 15, 2007, 04:51:10 pm »
Yes, and UAC is not supposed to save you if you run malicious code as your user.  That's a misunderstanding of what the technology allows.  Think of it more as what sudo does for unix; just because it's there doesn't mean that you are supposed to run any old untrusted program you can find.

UAC (and the filesystem/registry virtualization technology) is an attempt towards making it possible for every day users to work as a limited user.  It is not designed to make you immune to negative effects if you run malware as your account.  There are other measures that attempt to do that, though they won't prevent someone from stealing data, only deleting it.

There is a reason why UAC isn't considered an anti-malware/anti-exploit feature by SWI.

(Disclaimer: Yes, there are marketing droids out there that will try to sell UAC as something that blocks malware.  I'll remind everyone that marketing droids neither design nor implement product features in the typical scenario.)
« Last Edit: May 15, 2007, 05:00:55 pm by Skywing »

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Shameless Plug
« Reply #5 on: May 15, 2007, 05:18:56 pm »
I understood that UAC was supposed to help prevent viruses and such. If it doesn't, then I had misunderstood the problem.

It can, however, still do more to help prevent malware from potentially exploiting this (would never be 100%, though).

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Shameless Plug
« Reply #6 on: May 15, 2007, 05:27:07 pm »
What's the point of running at a lower-than-administrator privilege level?  In every security book and article I've ever read, it's (and this is paraphrased) so that the entire system doesn't get fucked up when you do something stupid.  Why run services in session 0 and users in session 1 and above?  So that it's harder to implement an escalation-of-privilege attack.

UAC is designed to:
1.) separate the user from running all the time with administrative credentials.
2.) allow the user a convenient experience to provide a program with administrative credentials.
3.) ensure the user knows when administrative credentials are being requested by a program.
4.) help the user decide whether to grant administrative access to a program.

I think of this more as an exploit/attack.  It most certainly requires user intervention to get it to work.  But I guarantee you that one day or another, something on your start menu will need to be run with administrative privileges.  Getting the stuff there is going to be just as common as the old days, too; as I said in my blog, "What happens when Aunt Gladys gets a new photo gallery from her favorite son in law and it turns out to be a Trojanned executable, but the message is believable enough to be run (all of you have Aunt Gladys in your family; don't deny it)."

UAC helps to sandbox the effects of malicious code.  This exploit bypasses that sandboxing by injecting the malicious code into a position for it to be elevated without the user's knowledge, thus circumventing the 3rd and 4th design points of UAC above.

I don't see a logical separation between running as a limited user and a security feature.  Microsoft lists running-with-least-privilege as a security design point in "Writing Secure Code" (Microsoft Press).  For Windows, UAC makes that happen.  To not call it a security feature is like denying an orange is a fruit.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: Shameless Plug
« Reply #7 on: May 15, 2007, 05:59:37 pm »
The point of running with less than administrative permissions is so that you can provide a baseline level of security against attacks by isolating things a compromised account can effect.  By running as a "plain user", damage is limited to just the account that is compromised and not the system as a whole.

Everything that can be written to by that account should be regarded as suspect and potentially compromised as well, however.

UAC is a convenience to make it easier to live with running with less than administrative permissions.  It doesn't provide any additional security beyond that conferred by running as a limited account.

Note that if you are using a single-user computer and do not take steps to isolate tasks you do into different user accounts, then for all intents and purposes, a compromise of that account is as dangerous as a compromise of an administrative account (save that you are potentially spared the relatively minor part of reinstalling the operating system, compared to something attacking your data).

UAC does provide some basic guidance in the elevation user interface as to whether a program requesting administrative access has been signed or not.  What this means to the user is that it provides a quick mechanism to gauge whether they are launching the program they think that they are launching and not something else.  Of course, if the program isn't signed, and the path isn't one that you know is not writable except by administrators, then you really don't have any guarantee that someone without administrative permissions isn't trying to trick you into running their program elevated.

If the program is signed, then you (as the user) need to make a decision as to whether you trust that whoever signed the program hasn't lost their private key, and that they won't sign malicious code, and that they have never in the past signed malicious code or code with security vulnerabilities that would allow a medium integrity process to succefully attack a program that is launched with administrative permissions, and that no CA your computer trusts has been compromised.

It would also be a good idea to check the command line of the program in question (from the "Details" drop down) to ensure that someone isn't trying to do something evil via a known trusted program.

If you don't follow these steps, then you're leaving yourself open to being tricked into turning a plain user account compromise into an administrative account compromise.

As far as the "Aunt Gladys" case goes - sure, she's likely to get herself into trouble there, just as if UAC wasn't there.  Keeping your computer from being fully compromised requires a detailed knowledge of how lots of parts of your operating system work, something that most end users aren't going to grok fully enough to protect themselves against every clever style of attack out there.  Security is still hard; UAC may save some time and frustration here and there with respect to running things as a limited user, but it doesn't absolve the end user from having to be vigilant and suspicious of each and every elevation prompt and exercise their gray matter in order to make a determination as to whether to grant or deny the request.

Your attack is certainly one that will likely prove effective if users aren't careful, and I'm not trying to downplay that by any means.  However, it is difficult to claim that it is a security vulnerability when it relies upon users not making use of the tools made available to them (which is required to ensure that elevation requests for a malicious program aren't accidentally granted).
« Last Edit: May 15, 2007, 06:02:53 pm by Skywing »

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Shameless Plug
« Reply #8 on: May 22, 2007, 12:01:11 pm »
This story was picked up by a ZDnet blogger: http://blogs.zdnet.com/security/?p=203

From a quick glance, the post seems really well done. Much better than mine! :)

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Shameless Plug
« Reply #9 on: May 22, 2007, 05:41:39 pm »
Damn. BOTH of you got mentioned! Incredible. :)
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Shameless Plug
« Reply #10 on: May 22, 2007, 07:34:41 pm »
This story was picked up by a ZDnet blogger: http://blogs.zdnet.com/security/?p=203

From a quick glance, the post seems really well done. Much better than mine! :)
Spiffy, thanks!
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Shameless Plug
« Reply #12 on: May 23, 2007, 01:05:35 am »
That's actually pretty impressive!

I'll submit it to Slashdot tomorrow morning and link to the best article I see (possibly zdnet, it looked really good). They didn't take it last time, but you never know!

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Shameless Plug
« Reply #13 on: May 23, 2007, 01:31:11 am »
Incidentally, I found another one that seems to be copy-pasted: http://vista.blorge.com/2007/05/21/researcher-reveals-2-step-microsoft-vista-uac-hack/

I'm rather disappointed in the number of copies I've seen.  I guess news doesn't have to be original, but a LOT seems to be word-for-word duplicates.

Kind of bizarre I thought....
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Shameless Plug
« Reply #14 on: May 23, 2007, 10:39:18 am »
Yeah, I hate to break it to you, but that's pretty much par for the course. A lot of news people are lazy.

Just think of it as a mini version of the associated press. If the AP runs an article, you'll see literally 100's of identical copies of it everywhere.

By the way, you should read the comments on ZDNet. Some of them are really insightful. Others, of course, are stupid. But specifically, what do you think of this one? Could you wait for programs to be downloaded and modify them, without UAC prompting?

I realize that, like Skywing said, this isn't what UAC is intended for, but in reality it's being used in this way. Is this another potential attack?

Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: Shameless Plug
« Reply #15 on: May 23, 2007, 10:49:23 am »
Again, you should not be elevating programs run from a location where a plain user can write to them.  Modifying the main .exe might cause the signature check to fail, but this not something you should be relying on exclusively (consider that, for instance, a dependent DLL in the same directory could be altered).

If you continue to view UAC as something designed to provide complete protection against malware, then yes, you'll have no difficulty in finding holes by virtue of design decisions.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Shameless Plug
« Reply #16 on: May 23, 2007, 11:11:25 am »
I think that it should be more publicized that UAC doesn't provide complete protection against malware, because I got the opposite impression from marketing stuff. I wonder if they'll make token moves to try to fix this type of issue as it comes up?

But the idea behind the attack I just mentioned is that it would wait until you downloaded a file, such as setup.exe, from some site. Somewhere between downloading it and running it, the virus would infect setup.exe.

I can't think of any way that UAC could protect against that type of attack, it's pretty much hosed there.

Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: Shameless Plug
« Reply #17 on: May 23, 2007, 11:37:50 am »
I agree with you completely; good luck in getting Marketing@Microsoft to take the correct approach, however, especially after the fact.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Shameless Plug
« Reply #18 on: May 24, 2007, 06:08:10 pm »
I wrote another blog about a similar issue with Sudo, and, in general, about why it is hopeless to prevent malware this way. Once this goes through, I might write a third blog talking about why, in more abstract terms, this problem won't be solved on the current user-separation paradigm. PR has the blog right now, hopefully they'll approve it (I'm sure they will), then I'll post a link to it here.

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Shameless Plug
« Reply #19 on: May 27, 2007, 03:13:10 am »
Well, it's two days now. Any word back from them? That'd be an interesting read, since I tend to care more about Linux than Vista.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Shameless Plug
« Reply #20 on: May 27, 2007, 10:34:01 am »
They haven't said no yet, so it's likely good to go. We post one/day and I'll let you know when mine gets to the top.