
BLU Discuss list archive



Microsoft does it again



Technically, if I read it right, it is not Microsoft's fault completely.
MSFT is definitely at fault for providing an easy conduit for this to
happen, but isn't the problem with the AV scanner he is telling to run his
code? All he is doing is feeding some shellcode to a program that is
running as "root". Running a program with a privileged account that is
directly accessible to the user like that is bad.

(For example, Norton Corp Ed. has an engine running as LocalSystem, but the
UI is running as the account logged in, IIRC)

						~Ben

--
/"\	Ben Jackson
\ /     bejackso at lynx.dac.neu.edu - http://piro.dnsq.org/~bbj
 X      Member of the ASCII Ribbon Campaign Against HTML Mail
/ \



On Tue, 6 Aug 2002, Bill Bogstad wrote:

> 
> Derek Kramer wrote:
> On Tue, 6 Aug 2002, Derek D. Martin wrote:
> >
> >> If you're relying on Windows privileges to secure your network, you're
> >> basically screwed.  A whitepaper was released today detailing how to
> >> gain localsystem privileges on any Win32-based platform.  And the
> >> kicker is, because it takes advantage of a fundamental flaw in the
> >> design of Windows, it's basically unpatchable, requiring a complete
> >> overhaul of the Windows messaging system to fix.
> >> 
> >> And the best part is, if you're providing terminal services via a
> >> Citrix server, anyone can own your server, and you'll never be able to
> >> stop them...
> >> 
> >>   http://security.tombom.co.uk/shatter.html
> >
> >I read this in detail, and I hate to admit that I agree with Microsoft.   
> >Once bad people are sitting logged onto your machine, you should already 
> >consider it compromised, regardless of what techniques the bad person 
> >has at their disposal.
> 
> So a command line overflow exploit in a setuid-root ps binary on a
> UNIX machine is unimportant because you shouldn't ever let 'bad
> people' have a login on your machine?  I thought security was about
> being able to limit the resources that a user could access on a
> machine even when they had some level of legal access.  You seem to be
> advocating a security model of 'good' and 'bad' users where 'good
> users' can do anything and 'bad users' can do nothing.  Maybe you
> missed the part where this worked via terminal services as well.  You
> don't need physical access, apparently you only need the equivalent of
> a UNIX login.  I believe that any operating system vendor who claims
> that something isn't a security issue because you have to have some
> level of valid access to exploit it should be condemned. PERIOD.
> 
> 				Bill Bogstad
> 				bogstad at pobox.com
> 
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
> 






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org