Windows Vulnerable To 'Token Kidnapping' Attacks

cuppa+tea writes "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7."

  • Yes (Score:5, Insightful)

    by XanC ( 644172 ) on Saturday July 17, 2010 @06:25PM (#32939456)

    It doesn't do anything useful.

  • by omar.sahal ( 687649 ) on Saturday July 17, 2010 @06:28PM (#32939466) Homepage Journal

    if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in default configuration you will be able to fully compromise the Windows server.

    So don't use Microsoft products and you're safer!!! To be fair to Microsoft, their products have been steadily improved over the years. Their products are now acceptable in regards to competitors.

    • win 95, usability of GUI
    • win xp, stability of software, fewer crashes
    • xp service pack 2, and vista, security (security was not optional in vista, you had to develop your code in a more secure way, ignoring these guidelines was not overlooked for compatibility with older versions of software; this caused many problems with programs breaking due to incompatibility)
    • windows 7, all the above and smaller footprint when installed
  • Re:About Software (Score:5, Insightful)

    by Anonymous Coward on Saturday July 17, 2010 @06:30PM (#32939472)

    Yep. It buggers up the prompt.

      printf("hello, world\n"); /*is better*/

    *This message was compiled with -pedantic.

  • Re:About Software (Score:5, Insightful)

    by ckdake ( 577698 ) <ckdake@@@ckdake...com> on Saturday July 17, 2010 @06:40PM (#32939552) Homepage

    I don't know the last time I looked at everything in stdio.h for problems so it's tough to say...

  • Re:Yes (Score:2, Insightful)

    by pspahn ( 1175617 ) on Saturday July 17, 2010 @07:06PM (#32939718)
    Demonstrating "hello world" is useful to someone new to programming.
  • Re:Apple replies (Score:3, Insightful)

    by bsDaemon ( 87307 ) on Saturday July 17, 2010 @07:09PM (#32939746)

    See, your analogy breaks down because it relies on a fat, ugly girl having had sex enough to catch 17 diseases. That just doesn't seem real to me.

  • Re:Apple replies (Score:4, Insightful)

    by Bengie ( 1121981 ) on Saturday July 17, 2010 @07:17PM (#32939782)

    I actually remember quite a few times in the past when Linux had root elevation exploits. The Linux community just replied with "don't let people you don't trust have console access".

    And some quotes from the above link

    "regular Windows users can’t exploit them"

    "if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in *default* configuration"

    It's bad, but not *as* horribly bad as the title suggests.

    A properly locked down Windows machine should have been mostly immune to this anyway.

    I still love how *nix naturally allows individual services to run under different users while Windows defaults to more of a blanket user to access everything. Windows is better than it used to be, but still not quite there.

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Saturday July 17, 2010 @07:30PM (#32939862)
    Comment removed based on user account deletion
  • Re:About Software (Score:3, Insightful)

    by buanzo ( 542591 ) on Saturday July 17, 2010 @07:46PM (#32939946)
    You, sir, deserve my respect. People sometimes forget that the bug can be outside the source they're writing, but on the code they're calling.
  • Re:Apple replies (Score:0, Insightful)

    by Anonymous Coward on Saturday July 17, 2010 @08:48PM (#32940206)

    If you need citations for those things, then it's you who desperately needs the clue.

  • Re:Yes (Score:5, Insightful)

    by davester666 ( 731373 ) on Saturday July 17, 2010 @09:40PM (#32940402) Journal

    Well, attacking this specific program has all kinds of possibilities. stdlib hasn't exactly been bug-free over the years, and depending on the environment, other libraries may get automatically loaded into the address space, and those can possibly be attacked. Then there is the infamous 'cc' hack, which automatically added a backdoor when you compiled specific programs.

    Just because you [the programmer] haven't typed in a large amount of code doesn't mean your program has fewer possibilities for bugs and/or attack vectors.

  • Re:About Software (Score:4, Insightful)

    by gringer ( 252588 ) on Saturday July 17, 2010 @11:06PM (#32940704)

    you're including an external file ('stdio.h'), which could be replaced by anything. A malicious person with access to that file could change the declaration for the printf statement to call an external function (or just add code into the header file), and then you're screwed.

    Thinking about this makes me wonder if that's not a standard thing to do. No one checks stdio.h, right?

  • by Anonymous Coward on Sunday July 18, 2010 @12:56AM (#32941020)
    You're a little confused, IIS is probably one of the most secure web servers at the moment, at least when compared to the lesser ones such as Apache.
  • Old News (Score:2, Insightful)

    by dzr0001 ( 1053034 ) on Sunday July 18, 2010 @02:32AM (#32941252)
    I suppose the article does say "more than a year..." but this is really old news. http://www.argeniss.com/research/TokenKidnapping.pdf was published in the summer of 08.
  • Re:Apple replies (Score:2, Insightful)

    by Whuffo ( 1043790 ) on Sunday July 18, 2010 @06:28AM (#32941722) Homepage Journal

    Microsoft's "security" is drilled full of holes due to their desire to make the web more "active" and shut out other web services. Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas has "download code from the web and execute it" at its heart and is wide open to exploits. They can claim that they're working on security all they want but as long as these and other security breaches are built into Windows, attempts to plug the security leaks will be as useful as trying to bail out the ocean with a teacup.

    Their "authenticode" signatures are just an example of "security through obscurity" and have already been compromised. All of the other security fixes are nice, but they don't deal with the gaping wide holes that MS has built into their products. It doesn't matter how many buffer overflows you fix (they claimed they were all fixed - not so) or how you partition memory - when you give execute privileges to code downloaded from the web you're bypassing all of those "security" restrictions. Am I being clear enough here? Microsoft has built into their operating systems services and programs which download and execute code from the internet. Everything else is useless when you leave this door wide open.

    Sure, all operating systems are subject to having their bugs be exploited. But it appears that Windows is the only one which has these "come screw me" doors wide open - can they be closed? By the average user? Sheesh.

  • Re:About Software (Score:2, Insightful)

    by BitZtream ( 692029 ) on Sunday July 18, 2010 @08:22AM (#32941998)

    You aren't accepting incoming arguments, if you were running on bare metal I'd accept that there are no incoming arguments, but you're returning 0, so you're obviously not running on bare metal or there would be nothing to return to. One of those things is a bug, take your pick.

    You also forgot to terminate the printf statement with a newline\carriage return or whatever fits the OS it's for, which on some OSes will result in the line not appearing even though it does get printed.

    It may not crash, but yes, it's broken and buggy by my standards. You should probably not act like such a cocky fuck if you plan on doing any job interviews.

  • by TheLink ( 130905 ) on Sunday July 18, 2010 @12:02PM (#32943074) Journal
    Yeah.

    That said, it often makes very little difference when some idiot runs a PHP webapp full of holes on the webserver.

    Once the attacker has exploited your webapp, they may not even need or care to escalate privileges - they probably can already get what they want. Even better if the webapp has the rights to access your crown jewels in a DB somewhere.
  • Re:Apple replies (Score:3, Insightful)

    by Jaime2 ( 824950 ) on Sunday July 18, 2010 @02:49PM (#32944116)

    Many applications such as Oracle, Apache, Tomcat etc typically run as SYSTEM on windows, and as their own users on unix.

    So, many cross platform applications have bad security defaults when installed on Windows, but good defaults when installed on unix. That sounds more like a frame job than bad security on Microsoft's part. The Microsoft equivalents (SQL Server and IIS) are configured properly by default. I'll bet that like IIS, at least two of the three don't run user threads as SYSTEM.