
Windows Vulnerable To 'Token Kidnapping' Attacks

Posted by timothy
from the token-of-my-affection dept.
cuppa+tea writes "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7."
  • Fixed the title for you.
  • Just don't connect to a Token Ring LAN! =V

    • I think the problem would be finding a Token Ring LAN to connect to. I can't remember seeing one of those beasts in the last 10 years. Racks of 8228s with connectors that looked like mouths of aliens in a sci-fi flick . . . can't say that I miss them . . .

      • by buanzo (542591)
        You can find token ring all over IBM's building in Buenos Aires. I know. Don't say it.
        • by DWMorse (1816016)
          Ugh. Mayo Clinic still has some, at least it's ethernet and not BNC.
          • by BitZtream (692029)

            BNC is not a networking protocol, it's a connector type. Generally attached to coaxial cable.

            Ethernet works over many different cable types and connectors, but it is a set of signalling protocols not a connector or cable type.

            Ethernet can use BNC connectors (connected to coaxial cable), as well as RJ45 connectors (connected to CAT3, 5, or 6 cable) and several other interfaces via AUI and the like. You can even signal ethernet over fibre.

            What you probably meant to say was 'at least it's CAT3, not coaxial' as

            • by DWMorse (1816016)

              Nitpicker. Yes, I find myself using terminology interchangeably incorrectly occasionally.

              Granted I've never had to deal hands-on with coaxial data networks, yay. I'm quite happy enough being too young for all that.

            • by Muad'Dave (255648)

              I worked with ethernet back in the days of 10Base5 [wikipedia.org] that used vampire taps [wikipedia.org] that were installed by drilling a freakin' hole into gigantic RG8-like uber-shielded coax that was run straight down the long axis on the building. Users would run these huge AUI cables to the vampire tap to gain access. You could only tap the cable every 2.5 meters, so in a crowded office you'd have loops of coax with piles of taps thrown on top of each other in the drop ceiling. Note that each segment only allowed 100 taps.

              Those wer

      • I read TFS a certain way, and then searched for exactly your post... here it is!

        "I think the problem would be finding a Tolkien Ring..."

        PRECIOUSSSS!!!

      • by Splab (574204)

        Look in government institutions - I worked as "the IT guy" in 2005-2007 at a university in Denmark; parts of the LAN were still token ring. The reason behind that was that at some point during the upgrade to ethernet, someone decided that the whole building needed to be overhauled, effectively freezing funds for infrastructure.

        Right now they are demolishing it and building a new nice department - only took them something like 12 years from deciding something had to be done to actually do it.

      • by Muad'Dave (255648)

        The only benefit token ring ever really had over ethernet (aside from the 16 Mb/s vs 10 Mb/s signaling speed) was deterministic behavior. When you're doing a full motion cockpit simulator in the late '80s, token ring was the choice. In real-time, deterministic behavior is your friend.

    • by selven (1556643)

      One Ring LAN to rule them all and in the darkness bind them?

  • by omar.sahal (687649) on Saturday July 17, 2010 @06:28PM (#32939466) Homepage Journal

    if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in default configuration you will be able to fully compromise the Windows server.

    So don't use Microsoft products and you're safer!!! To be fair to Microsoft, their products have been steadily improved over the years. Their products are now acceptable in regards to competitors.

    • win 95, usability of GUI
    • win xp, stability of software, less crashes
    • xp service pack 2, and vista, security (security was not optional in vista; you had to develop your code in a more secure way, and ignoring these guidelines was not overlooked for compatibility with older versions of software. This caused many problems with programs breaking due to incompatibility)
    • windows 7, all the above and smaller foot print when installed
    • by yuhong (1378501)
      This is way too incomplete. For one thing, you forgot NT and 2000.
  • by irrg (1858530)
    After hearing about this exploit, an Apple VP referred to this as "Microsoft's iPhone 4".
    • by bsDaemon (87307)

      You mean that every other operating system has this same bug? Including MacOS X, then. So, no... I doubt it's their iPhone 4. MS also has more experience dealing with stuff like this. Apple is currently experiencing what it's like for a pretty girl the first time she gets blown off by some random dude she's attempting to con into doing her a favor.

      • by $RANDOMLUSER (804576) on Saturday July 17, 2010 @06:54PM (#32939636)
        Actually, that's a pretty good analogy, as it makes Windows the fat, ugly chick with 17 enumerable STDs.
        • Re: (Score:3, Insightful)

          by bsDaemon (87307)

          See, your analogy breaks down because it relies on a fat, ugly girl having had sex enough to catch 17 diseases. That just doesn't seem real to me.

          • Re: (Score:3, Funny)

            by $RANDOMLUSER (804576)
            Windows has shown it will let ANYBODY fuck it. Low self-esteem and all.
          • by fractoid (1076465)

            See, your analogy breaks down because it relies on a fat, ugly girl having had sex enough to catch 17 diseases.

            It only takes once if the guy (or other girl OH HO SEE WHAT I DID THERE) is blueberry-waffle enough.

      • Re:Apple replies (Score:4, Insightful)

        by Bengie (1121981) on Saturday July 17, 2010 @07:17PM (#32939782)

        I actually remember quite a few times in the past when Linux had root elevation exploits. The Linux community just replied with "don't let people you don't trust have console access".

        And some quotes from the above link

        "regular Windows users can’t exploit them"

        "if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in *default* configuration"

        It's bad, but not *as* horribly bad as the title suggests.

        A properly locked down Windows machine should have been mostly immune to this anyway.

        I still love how *nix naturally allows individual services to run under different users while Windows defaults to more of a blanket user to access everything. Windows is better than it used to be, but still not quite there.

        • Re: (Score:3, Informative)

          by Kaboom13 (235759)

          Windows does allow services to run as different users. It has since at least Windows 2000, probably since NT. Services that interact with the network by default log in as Network Service, which has limited permissions compared to the Local System account. In a locked down environment (i.e. an internet facing or DMZ server) you can use even more restricted accounts. A poorly configured Linux server is easy to exploit, in the same way a poorly configured Windows server is easy to exploit. The only difference

          • by Bert64 (520050)

            Although Windows can run services under limited accounts, it is far less common to do so... And I believe more difficult, because you have to store a password for the user rather than just being able to setuid() on unix... So some unix services will start as root, and then drop privileges later.

            Many applications such as Oracle, Apache, Tomcat etc typically run as SYSTEM on windows, and as their own users on unix.

            • Re: (Score:3, Insightful)

              by Jaime2 (824950)

              Many applications such as Oracle, Apache, Tomcat etc typically run as SYSTEM on windows, and as their own users on unix.

              So, many cross platform applications have bad security defaults when installed on Windows, but good defaults when installed on unix. That sounds more like a frame job than bad security on Microsoft's part. The Microsoft equivalents (SQL Server and IIS) are configured properly by default. I'll bet that like IIS, at least two of the three don't run user threads as SYSTEM.

              • by Bert64 (520050)

                SQL server runs as SYSTEM by default (and even lets dba users execute shell commands), IIS has improved in recent versions largely due to having been so heavily attacked previously.

                • Re: (Score:3, Informative)

                  by Jaime2 (824950)
                  SQL only runs as SYSTEM if you change the service account settings during install (in other words, not by default). Shell commands are not available unless the server is specifically configured for them using the "Surface Area Configuration Tool". Running as SYSTEM by default was fixed fourteen years ago and xp_cmdshell was disabled by default five years ago.

                  IIS improved seven years ago, not recently. Regardless of the reason for improvement, it did improve. IIS 6 and 7 both have excellent security re
        • Re: (Score:3, Informative)

          by drsmithy (35869)

          I still love how *nix naturally allows individual services to run under different users [...]

          There's nothing "natural" about it. You don't need to go far back in history at all to find the majority of services on a UNIX machine running as root.

          • Re: (Score:3, Interesting)

            by TheRaven64 (641858)
            You also don't have to go back too far to find a time when the phrase 'UNIX security' had the same sorts of connotations as 'military intelligence'. People who used systems like VMS laughed at it, as a concept. Windows NT adopts the VMS security model, but unfortunately hides it behind a UI that wants to pretend that everything is like DOS. Security, in most cases, is a usability problem. It's easy to make a secure system. It's hard to make a usable system. It's much harder to make a secure, usable, s
            • Re: (Score:2, Interesting)

              by Rubinstien (6077)

              Thank you for your, as usual, rational observation.

              Unix-derived OSes are only recently gaining proper fine-grained security controls, and most are still hacks, IMHO. Newer Linux has "capabilities" that allow one to mark a binary as allowed to use certain privileges, such as CAP_NET_BIND_SERVICE, but this can't be used with *scripts* due to the fact that it is the *interpreter* that would need the privilege (*bad* idea to always give it to the interpreter). Solaris 10 has user privileges such as net_priv

              • It's worth noting that Symbian actually has quite a nice (i.e. simple enough to actually be used) capability model. Both libraries and executables have a set of capability flags and they interact very nicely with the Symbian driver model. It doesn't quite have a true microkernel, because the drivers are in the kernel, but the drivers are very simple. Most, for example, do not implement multiplexing - they just provide exclusive access to the device to a single userspace program (which has the direct acce

            • by drsmithy (35869)

              Windows NT adopts the VMS security model, but unfortunately hides it behind a UI that wants to pretend that everything is like DOS.

              How so ?

      • Re: (Score:2, Insightful)

        by Whuffo (1043790)

        Microsoft's "security" is drilled full of holes due to their desire to make the web more "active" and shut out other web services. Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas has "download code from the web and execute it" at its heart and is wide open to exploits. They can claim that they're working on security all they want, but as long as these and other security breaches are built into Windows, attempts to plug the security leaks will be as usefu

        • Re: (Score:3, Informative)

          Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas has "download code from the web and execute it" at its heart and is wide open to exploits.

          ActiveX - ever heard of .xpi? Yeah, that pops up a prompt when you install it; so does ActiveX. And .xpi can contain native code (which many people don't even realize).

          Windows Media does not "download code from the web". It's just a browser plugin, like the MPlayer or VLC plugins.

          Unless what you mean is that it can download codecs from the Net from a central repository (after popping up a confirmation dialog) - which e.g. Rhythmbox and Totem also do in Ubuntu, though those go through the centralized package syst

          • by Whuffo (1043790)

            Regarding ActiveX - those objects can be marked as "user choice" or "safe" - guess what the bad guys mark them as; newer Windows versions prompt on all of them, so this reduces the danger a little bit - but the vast majority of users just hit the OK button when a prompt pops up. And Windows Media - you hit the nail on the head when you pinpointed its ability to download and run install packages for codecs. But they aren't required to come from a central repository - they can come from the same domain as the

            • by fractoid (1076465)

              [...] and I'll bet you stop and think the next time WMP wants you to install a codec to view / play some media file. It might be a legitimate request - but if it's not, your machine will belong to someone else if you click that OK button.

              And this is where the whole "click OK to continue" approach falls down flat. I don't know who signed Adobe's SSL certificate. I might not even spot the difference between "Unity3D" and "Unity30" if I'm skim reading through the page. The basic fact is that if you ever install *anything* you're taking a leap of faith that what you're actually installing is what you think you're installing. So many times while running Windows, I had to give authorization to install codecs, drivers etc. and found myself thinkin

    • Re:Apple replies (Score:4, Informative)

      by Blink Tag (944716) on Saturday July 17, 2010 @07:09PM (#32939744) Homepage

      Modded flamebait? After MSFT's recent comments regarding iPhone 4 being Apple's "Vista", I found the comment rather funny.

      • Modded flamebait? After MSFT's recent comments regarding iPhone 4 being Apple's "Vista", I found the comment rather funny.

        Indeed. Although, I would have preferred if they had posted "After hearing about this exploit, an Apple VP referred to this as "Microsoft's Vista"." ;-)

      • by bonch (38532)

        I love that Microsoft is essentially saying, "They suck as much as us!" How the mighty have fallen. Too bad the Vista analogy doesn't work though since people are actually buying the iPhone 4.

      • by Phroon (820247)
        My bad, my humor sensor is broken today. Commented to remove said moderation.
        • by beerbear (1289124)
          I pull my hat in respect. Too many people here don't have the maturity to admit they were wrong.
  • by n0-0p (325773) on Saturday July 17, 2010 @07:04PM (#32939704)

    That should be the first thing anyone familiar with Windows architecture notices. It means that it's an escalation from an account that's already running at elevated privilege (at least, it is on Vista and beyond).

    So, it's definitely a security bug. But it seems like a disproportionate amount of noise for a local privilege escalation requiring higher than normal privilege to start with.

    • by toadlife (301863) on Saturday July 17, 2010 @07:30PM (#32939862) Journal

      Worker processes in IIS have impersonation rights, via the "NetworkService" account, so this could be an issue if a vulnerability in IIS or a widely used third party product (like PHP maybe?) on IIS is exploited.

      • Re: (Score:1, Troll)

        by Lehk228 (705449)
        if you run IIS you may as well just post your admin password and social security number on your homepage
        • Re: (Score:1, Insightful)

          by Anonymous Coward
          You're a little confused. IIS is probably one of the most secure web servers at the moment, at least when compared to the lesser ones such as Apache.
        • Re: (Score:2, Informative)

          by Anonymous Coward

          if you run IIS you may as well just post your admin password and social security number on your homepage

          Really? Try a little comparison exercise:
          IIS6: http://secunia.com/advisories/product/1438/ [secunia.com]
          IIS7: http://secunia.com/advisories/product/17543/ [secunia.com]
          Apache 2.2.x: http://secunia.com/advisories/product/9633/ [secunia.com]

          In the 7 years Secunia has listed online, IIS6 has 10 vulnerabilities, IIS7.x has 3, Apache 2.2.x has 19

          • Re: (Score:3, Insightful)

            by TheLink (130905)
            Yeah.

            That said, it often makes very little difference when some idiot runs a PHP webapp full of holes on the webserver.

            Once the attacker has exploited your webapp, they may not even need or care to escalate privileges - they probably can already get what they want. Even better if the webapp has the rights to access your crown jewels in a DB somewhere.
    • Problem is in Windows architecture. Its security subsystem is so complex that it's nearly unusable. You can, in theory, create very flexible security policy using ACLs which can be attached to almost all objects in Windows but in practice nobody uses it. So glaring security bugs can live for years.

      It's almost like SELinux.

      • by linzeal (197905)
        If you are being paid to run a SELinux box, you pry know more than 10 windows admins put together or 4-5 Linux Admins even.
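  The "already running at elevated privilege" point above (n0-0p's comment and toadlife's reply about IIS worker processes and NetworkService) comes down to which accounts on the box hold impersonation privileges. As an added example, not from the article or any poster in this thread, here is a PowerShell audit a Windows administrator can run to see which account each service logs on as and whether the current token holds SeImpersonatePrivilege. The list of accounts flagged as "impersonating" is my assumption (the three built-in ones); domain service accounts would need to be added for your environment.

```powershell
# Added example: audit service logon accounts and token privileges relevant to
# token-kidnapping style escalation. Not code from the article or the thread.
# Assumption: the three built-in accounts below are the ones worth flagging.

# Accounts that hold SeImpersonatePrivilege out of the box. LocalSystem is
# already the top of the hill; the other two are the "limited" service
# accounts that, as the thread notes, still carry impersonation rights.
$ImpersonatingAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LocalService'
)

function Get-ServiceAccountSummary {
    # One row per logon account: how many services use it and which ones.
    Get-CimInstance -ClassName Win32_Service |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object @{ Name = 'Account';  Expression = { $_.Name } },
                      @{ Name = 'Count';    Expression = { $_.Count } },
                      @{ Name = 'Services'; Expression = { ($_.Group.Name | Sort-Object) -join ', ' } }
}

function Get-ImpersonatingServices {
    # Running services whose logon account is one of the impersonating accounts.
    # A network-facing service in this list is the kind of foothold the thread
    # describes: a bug in it lands an attacker in a token that can already
    # impersonate, so the escalation starts from above "regular user".
    # (-contains is case-insensitive, so 'NT Authority\LocalService' matches too.)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $ImpersonatingAccounts -contains $_.StartName } |
        Select-Object Name, StartName, PathName |
        Sort-Object StartName, Name
}

function Test-CurrentTokenImpersonation {
    # whoami /priv lists the privileges in the caller's token. Parse its CSV
    # output and return $true if SeImpersonatePrivilege is present, whether
    # enabled or disabled (a disabled privilege can be re-enabled by its holder).
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $hit = $privs | Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' }
    return [bool]$hit
}

# Report: where services run, which of them can impersonate, and what this
# shell's own token looks like.
Get-ServiceAccountSummary | Format-Table -AutoSize
Get-ImpersonatingServices | Format-Table -AutoSize
if (Test-CurrentTokenImpersonation) {
    Write-Output 'Current token holds SeImpersonatePrivilege: treat this context as already elevated.'
} else {
    Write-Output 'Current token does not hold SeImpersonatePrivilege.'
}
```

IIS worker processes (w3wp.exe) are started under their application pool identity rather than registered as services, so the W3SVC row in the service list does not tell you what identity the worker processes themselves run as; check the application pool settings for that.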
  • optimistic (Score:5, Informative)

    by Twillerror (536681) on Sunday July 18, 2010 @12:16AM (#32940918) Homepage Journal

    Lately the security bugs I've seen are making me feel good.

    Sounds weird I know, but it just seems like they are getting more and more bizarre.

    Even the flash and PDF stuff makes me feel that we are starting to go into left field for vectors. The security industry is putting itself out of work...

    Where will we be in 5 years...probably in a relatively safe world.

    I mean heck, this thing says "If you can upload an ASPX file you can take over the system". That means we are worrying about how to protect against inside jobs, not general problems.

    When was the last major worm anyways?

    • When was the last major worm anyways?

      Disable all spam filtering your ISP provides, wonder where all the spam is sent from... Blissful ignorance is not improved security

    • > When was the last major worm anyways?

      Microsoft Windows 7 was released in 2009, IIRC. It has reportedly infected over 150 million computers.

  • Old News (Score:2, Insightful)

    by dzr0001 (1053034)
    I suppose the article does say "more than a year..." but this is really old news. http://www.argeniss.com/research/TokenKidnapping.pdf [argeniss.com] was published in the summer of 08.
    • by dzr0001 (1053034)

      I suppose the article does say "more than a year..." but this is really old news. http://www.argeniss.com/research/TokenKidnapping.pdf [argeniss.com] was published in the summer of 08.

      Ok, so I read the zdnet article and the article does appropriately state that the exploit was discovered in 08. However, the zdnet article linked by OP is also a year old.

  • So they know there is an issue with this but yet there is not another patch being released to fix this?
  • Really all versions? Going all the way back to 1.0, and also including the CE versions? I strongly doubt that! Perhaps it dates all the way back to NT4, but that is still very, very different than affecting all Windows versions.
