Win32 message service
No, I'm not talking about the messaging that pops up spamming all kinds of crap - if any app can get access to the Win32 message queue, it can send a message to any other app on the machine pretending it is any app on the machine, with any priority level.

Getting access to the Win32 message queue is as simple as running Win32 code natively on the computer, even as guest. I think you can figure out the rest.
The most exciting phrase to hear in science, the one that heralds the most discoveries, is not "Eureka!" but "That's funny..."
-Isaac Asimov
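An added example, not code from the thread or from any poster, showing the mechanism this post describes: a window message sent with SendMessage carries no sender identity, so the receiving window handles it exactly as if it came from the application itself. It assumes an open Notepad window (class "Notepad") as the target; the function name, the caption text and the result fields are mine. To reproduce the XP-era situation the thread is about, start Notepad under a more privileged account (runas) and run the script as an ordinary user: on Windows XP and 2003 the caption still changes, while on Vista and later User Interface Privilege Isolation rejects messages to a higher-integrity window and SendMessage fails with error 5, which is the check that tells you whether a given build is exposed.

```powershell
# Added example, not code from the thread. It sends a window message from one
# process to a window owned by another, to show that the Win32 message queue
# carries no sender identity: the receiver just acts on whatever arrives.
# Assumptions: run interactively on the desktop; a Notepad window (class
# "Notepad") is open; the function and field names below are mine.

Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr FindWindowW(string lpClassName, string lpWindowName);

[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr SendMessageW(IntPtr hWnd, uint Msg, IntPtr wParam, string lParam);

[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@

$WM_SETTEXT          = 0x000C   # sets a top-level window's caption
$ERROR_ACCESS_DENIED = 5

function Send-CaptionToNotepad {
    param([string]$Text)

    $hwnd = [Win32.User32]::FindWindowW('Notepad', $null)
    if ($hwnd -eq [IntPtr]::Zero) { throw 'No Notepad window found; start notepad.exe first.' }

    [uint32]$targetPid = 0
    [void][Win32.User32]::GetWindowThreadProcessId($hwnd, [ref]$targetPid)

    # Nothing in the call names the sender; the receiving window cannot tell
    # this script apart from Notepad's own code or from any other program.
    $ok  = [Win32.User32]::SendMessageW($hwnd, $WM_SETTEXT, [IntPtr]::Zero, $Text)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    [pscustomobject]@{
        SenderPid     = $PID
        TargetPid     = $targetPid
        Target        = (Get-Process -Id $targetPid).ProcessName
        Delivered     = ($ok -ne [IntPtr]::Zero)
        # On Vista and later, User Interface Privilege Isolation refuses
        # messages to a window of higher integrity level (for example a
        # Notepad started elevated) and SendMessage fails with ERROR_ACCESS_DENIED.
        BlockedByUIPI = ($ok -eq [IntPtr]::Zero -and $err -eq $ERROR_ACCESS_DENIED)
    }
}

Send-CaptionToNotepad -Text "caption written by PID $PID, which Notepad never asked for"
```

WM_SETTEXT is the harmless message to demonstrate with; the "difficult but doable" exploitation the thread alludes to used messages whose parameters the receiver treats as a callback address, which is why the fix that eventually shipped was an integrity check on the receiver's side rather than anything in the message itself.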
If you're not an admin, you don't have
anything on your desktop that can do much damage. Also, I think that message queues are somehow protected - I don't remember the details.

The main vulnerable point seems to be that you have to be an admin to do anything useful...
--


And what are we doing when the two most powerful nations on earth -- America and Israel -- stomp on the elementary rights of human beings?

-- letter to the editor from W. Ostermeier, Liechtenstein

Nope. I have a machine at work.
This user is the Bossman/Owner.

I had to rebuild his machine from scratch recently. He never installs anything but browses... ummm websites that are full of Pictures.

This was the second time I rebuilt it. First time he was a local machine admin. After the rebuild I asked him to have me install anything that needed installing. Sure enough, I was very careful. I had local policies locked down so tight at one point he couldn't even run IE. We worked it out to a very acceptable set of local policies. He could not install, or do anything harmful to the computer. Not even change the desktop mode; workstation-only login was disabled, and the Administrator user was pretty much disabled on the machine.

He did login to my Samba Domain, and in his personal login script... I force a check of sizes and e-mail them to me every time he logs in.

This last time, 4200+ identified problems. It happened in one day. I got a message ~1PM from the log watcher stating he had logged in. I found Shiite loads of changed files. Plus additional files that should never have been able to get where they were. This was post-SP2 and hot-fixes available on Feb 28th. Literally everything was up to date: virus, a couple of sweepers, file activity monitors... tons of precautionary things.

He explained he went to one of his "usual" sites and the machine literally just slowed to a crawl. Lucky for me, there are no outbound connections allowed from his machine. He was using a proxy. Specifically configured DHCP to give him a certain address.

Woo.

Now tell me Ark, how did this happen? How did a NON-Admin, Non-Operator, Non-anything, except straight user with runas turned off, service starting or stopping impossible as him... get the message queue used, new files in system areas he had zero rights to modify, delete or add anything to, and changes made to the Registry in protected areas, not normally USER writable anyway, but for sure only READ ONLY to him?

How, did this happen? Hmmm. He wasn't admin, nothing bigger than a lowly user. And actually tightened down quite significantly.

Explain that.



I usually don't talk about this crap, mainly because I get Pissed about having to fix it.

And, on a properly maintained *NIX system, the worst that can happen is your own data gets blown up, erased, removed. That is what backups are for.

There is no common sense way to admin a Windows machine (or group of machines) that has any access to the Internet with a browser and Lookout as an e-mail client. It is all watch and wait for the problems to start.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

[link|http://it.slashdot.org/comments.pl?sid=134485&cid=11233230|"Microsoft Security" is an even better oxymoron than "Military Intelligence"]
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
I don't know :(
For a non-admin user to change admin-only writable files requires a (probably local) root exploit. Windows has those (did you manage to figure out which exactly was used?). But so does Unix. Just a few months ago, one of our regulars got owned - don't remember who. Our Linux firewall at work got owned once. Shit happens. And if you have lusers who go around nosing in obviously dangerous environments, shit happens more often.

I don't agree with your assessment.
It was not a local root exploit. No escalation of privs. Not any other external service associated with SAMBA or Windows.

An ActiveX cmd prompt was involved, but it self-deleted afterwards. But during those seconds it spawns more than 4 processes. The processes execute even before the GDI gets going. IOW, during the nice neat boot screen they start. It is evident: the scrolling nearly stalls.

I ended up having to use PV to even see what was running. When I sat down at his machine I found nearly 50 processes trying to get out.

I went to the Firewall logs... sure enough. More than 100 attempts per second. Glad I used the MAC address to block from.

The whole reason it was able to change things was the pre-execution it was able to shim in, using a CMD prompt.

Sure shit happens, but come on, how often is the ownage you speak of due to lack of maintenance?

Same as Windows, but ironclad lack of privs in Windows is not the same as ironclad lack of privs in *NIX.

I have had exploits to try and run using Mod_Perl, PHP, etc... and it always comes down to a proper reduction in exploitable services (hint hint, Windows has by default 5 services you cannot reduce to localhost only) and containment of privs. If you take care of that, in *NIX you can be relatively restful at night. There is really no such thing as containment of privs and hence no restful sleep at night.
That I don't understand
Even an ActiveX control running as a user cannot write to the registry where that user does not have write permissions. Nor can it write to directories where that user does not have write permissions. Much like Gnome, everything on the Windows desktop is running as one user, the one that logged in. There must have been some privilege escalation...

That's where messaging comes in.
There IS no security on the Win32 message system.

Seriously.

People have been crowing about it for some time. Practical exploitation of it is difficult, but doable.
Not like Windows...
The GUI in Windows IS NOT, I repeat IS NOT running as the user.

It is running in Ring-0 of the Windows Kernel. That means Direct access to hardware and direct ability to manipulate these programmatically.

The GNOME Desktop Environment is NOT the GUI. The DE rides on top of the GUI. Windows has no distinction between GUI and Desktop Environment.

Windows provides the integration through the GUI that is running in Ring-0 of the "supposed to be" protected core of the OS Kernel. Therefore, integration with the GUI and said service in Windows... allows for problems due to lack of proper separation of privs in a system.

GNOME on the other hand, is a process that uses the abstraction layer of the GUI, which in turn uses the abstraction layer of the OS to communicate to the hardware. Please understand, when I say Abstraction Layer you understand the meaning I use. I use it as "Logical connection to" or Pseudo-Physical Break in chain. Can't really have a physical break there, so you have to imagine it. It is real, and functional.

Example common things in these two examples: We have monitor, keyboard, mouse, Hard disk drive, memory, processor, CD/DVD Writer, Motherboard chipsets, video card, network interface card, sound card. All of these are the addressable items.

Windows example:
Windows, as an OS has to manage all of these devices. How Microsoft decided to address the speed problems in Windows NTv4.0 (server/workstation) (not to worry, Win95 had a hand in the decision), They took the tried and true design of v3.51 and took out the abstraction layers between the different Kernel Layers in Windows Kernel. They also decided to allow integration to become embedded into said rings without restraints.

There are a few "services" (5 to be coy) which cannot be contained within a sandbox. Why? because it would force Microsoft to change the Developmental process in place since before Windows NT4 actually was released. Also, do you remember Service Pack 3 for Windows NT4? That was an attempt to put some of the restriction back in place, after the horse was already in the field.

Okay, hoping you understand this, shall we proceed?

Okay, given that there are basically non-existent abstraction layers in Windows, that means the GUI has no problem directly addressing the graphics card... ever heard of DirectX? It isn't named that for shits and grins. If the GUI has direct access to the graphics device, what is to prevent it from addressing the sound card... oh wait... DirectSound... Well, okay, then why not the hard drive? Hmmm, looks like DirectMedia has already beat me to it. Microsoft has turned the bad design of Ringless Broke non-ring design Kernel structure into a Marketing Force.

This then presents many options to the average ActiveX cracker/assailant. ActiveX, Windows Scripting using direct access methods. Let us take Internet Explorer. It has been proven that IE is the most insecure product being used for web-browsing. Even with SP2+hot-patches (let us not forget we now get them 1 month later than we used to). There are certain things that cause people grief in Internet Explorer. Too many questions and no ability to run javascript/java/flash/etc. Even opening up Internet Explorer a little bit is sort of like a 2-state flood gate. 0 the flood gate is closed, 1 the flood gate is open. But, Microsoft has put flow restrictions, though useless once one piece gets by, to try and stem the problems. They don't work. IE, even with tons of infection protection, virus stomping, malware watcher... ad infinitum, is going to get smacked up pretty good sooner or later (probably sooner than later).

Now, since we are on Windows, we need to touch on Outlook Express. By default Outlook *NOW* comes with opening of attachments off. Here we go with the 2-state flood gate thinger. Either it is closed and causes tons of irritation by not being able to save or open attachments, or you get the whole ball of wax, though with restrictions again, which again are useless. Since Outlook uses IE services and other things internally it could be seen as just a glamorous Internet Explorer. Since these services being used by Outlook are provided by IE and IE is fully integrated into the OS... there we go, direct access to the hardware again... and to any file on the hardware. Crackers just have to tell which service to properly work with the stuff in the payload. Still the Win32 Messaging is just a plain socket... well let us open a CMD prompt and execute a little startup script which places a winint command message in the queue. That also extracts the deliverable and cleans itself up while spawning a ka-jillion processes to hide your work really going on. Causing the user to reboot... which then on reboot, my winint command gets processed before GDI and lo and behold... the cracker has another potential zombie to work with or mail-relay or something.

This can happen pretty much with ANY program that runs on Windows. As long as these services are available, and tricky programmers understand the common machine layout of Windows... it is trivial.

Now, onto the GNOME Desktop Environment Machine:
GNOME is a desktop environment that runs as the user; all services and processes controlled by the GNOME DE are running with the privs of the normal user on a unix system. The Desktop Environment is separated in privs by an abstraction layer or API/ABI designed to only do what the GUI is supposed to do. The GUI then has to make decisions on what to do, then it makes calls to the OS through another abstraction layer or API/ABI interface that once again only allows restricted commands to be forwarded to the OS. The OS then is what allows the driver filter to message a file (or device file commonly referred to as a device node), with the commands never reaching Ring-0. Never having direct access, never being able to change the command in-stream or through a stack corruption (well it does happen but far, far, far less than it could).

Now, let us just take a look at the integration offered by GNOME. It has many benefits, many of which do exactly the same function Windows does, but without the risk. Why do I say risk? Because, the machine no matter HOW bad you are screwed in your environment... is still completely functional, completely usable by someone else that has an account on it, etc... Services still are running as they should without issues. The only thing that is LOST IS YOUR DATA YOU HAVE RIGHTS TO. If you do not have backups... well you are SOL.

Before you bring it up: "How am I supposed to start working again then?" Well, two options: since you have zero data in your $HOMEDIR, GNOME will auto-populate your $HOMEDIR with a fresh set of settings. BASH will auto-write a coupla default files for you. From there it is all a matter of rebuilding. But the machine is still running without having to be re-built from scratch or hours and hours of compiling or etc... If you have a restorable backup. Shoot, slap that baby in there, and login.

As far as integration goes, GNOME has many easily settable default applications you can customize and/or select from your installed distro's settings. Of course, those distros that have the average user run as root... are just asking for trouble.


I hope this helps you understand. And please I hope you are being intentionally obtuse.
It was quite helpful
And yes, I was _partly_ being intentionally obtuse. But, I still can't believe what you're saying. Are you saying that the DirectX APIs bypass all the security and let you have raw disk access?

Update: checked DirectX docs - no mention of direct access to disk. Is it an undocumented backdoor?
--


And what are we doing when the two most powerful nations on earth -- America and Israel -- stomp on the elementary rights of human beings?

-- letter to the editor from W. Ostermeier, Liechtenstein

Edited by Arkadiy March 15, 2005, 05:05:47 PM EST
It isn't documented the way you'd think.
Direct Media can use the alternative Streams of NTFS.

Umm, that would be direct DISK access.
Well, the only things that grant access to file system
(that I found in the docs) are IFileSourceFilter, IFileSinkFilter and IFileSinkFilter2.

All of them take a filename. I did not test it, but I doubt that the access control on the file name is bypassed by any of these interfaces.

Then how do you explain the fact that it happens?
Without escalation of Privs?

And, the fact of the matter... not that they by-pass them, are they even checked? By assumption or by method something has to be getting around it.

And the Local Policy overrides the others. So for the Citrix thinger you and andread are talking about, it doesn't matter what DS group memberships there are. It ain't supposed to be able to do that. But does.
Edited by folkert March 16, 2005, 11:35:43 AM EST
I have no explanation that I am sure of.
I think you don't either.

My guess is a security hole, a bug.

Your guess is an inherent deficiency of architecture.

Neither of us is in a position to prove our guesses. You are in a somewhat better position to investigate - you actually have logs and what not from your co-worker's breakage. But, unless you understand _exactly_ how the malware gained access to the protected areas of the system, we still don't know for sure.

Thank you. (new thread)
Created as new thread #199000 titled [link|/forums/render/content/show?contentid=199000|Thank you.]
Re: That I don't understand
I used to think that
but in my Citrix farm all users are members of
a special group
that group has no registry writing permission
and the program files folder has security set
to prohibit the users from writing to it

result

the registry is changed all the time
spyware and other junk are installed in program files

job security for me

A
Play I Some Music w/ Papa Andy
Saturday 8 PM - 11 PM ET
All Night Rewind 11 PM - 5 PM
Reggae, African and Caribbean Music
[link|http://wxxe.org|Tune In]
Are they members of other groups?
Could the permissions be granted by those memberships?

Domain Users
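An added example, not code from the thread or from any poster, that turns the exchange above (a group with "no registry writing permission" on a Citrix farm, "Domain Users" as the only other membership, registry and Program Files changing anyway) into something you can run from the locked-down user's own session. It lists every SID actually in the token, which is the real answer to "are they members of other groups?", shows which of those SIDs hold write rights on Program Files and HKLM\SOFTWARE, and then attempts the writes that are supposed to be impossible, including an NTFS alternate data stream on an existing file, since the thread raises ADS as a way around file permissions. It assumes Windows PowerShell 3.0 or later (for `-Stream` and `-File`); the probe names and labels are mine.

```powershell
# Added example, not code from the thread. Run it as the locked-down user
# (not as admin) on the Citrix server or workstation: it lists every group in
# the user's token, shows which of those groups hold write rights on Program
# Files and HKLM\SOFTWARE, and then tries the writes that "should be
# impossible", including an NTFS alternate data stream.
# Assumptions: Windows PowerShell 3.0 or later; probe names and labels are mine.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$fsWrite  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, Write, Modify, FullControl'
$regWrite = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, WriteKey, FullControl'

function Get-TokenGroups {
    # "Domain Users" is rarely the only entry: Users, Authenticated Users,
    # INTERACTIVE, Everyone and any nested groups all ride along in the token.
    foreach ($g in $identity.Groups) {
        try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
    }
}

function Get-WriteGrants {
    param([string]$Path, $WriteMask)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($tokenSids -notcontains $sid) { continue }          # ACE is for someone not in our token
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.RegistryRights }
        if (($rights -band $WriteMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; GrantedTo = $ace.IdentityReference.Value; Rights = $rights; Inherited = $ace.IsInherited }
        }
    }
}

function Test-Write {
    param([string]$Label, [scriptblock]$Attempt)
    try   { & $Attempt; "$Label : ALLOWED" }
    catch { "$Label : denied - $($_.Exception.Message)" }
}

'--- groups in this token ---'
Get-TokenGroups

'--- ACEs from our own groups that grant write ---'
Get-WriteGrants -Path $env:ProgramFiles -WriteMask $fsWrite
Get-WriteGrants -Path 'HKLM:\SOFTWARE' -WriteMask $regWrite

'--- actual write attempts ---'
$probe = Join-Path $env:ProgramFiles 'acl-probe.txt'
Test-Write 'New file under Program Files' {
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe
}
# Alternate data streams live on the file and are governed by the file's ACL,
# so a user who cannot write the file cannot write a stream on it either.
$victim = Get-ChildItem -Path $env:ProgramFiles -File -Recurse -Force -ErrorAction SilentlyContinue | Select-Object -First 1
if ($victim) {
    Test-Write "ADS on $($victim.FullName)" {
        Add-Content -Path $victim.FullName -Stream 'probe' -Value 'x' -ErrorAction Stop
        Remove-Item -Path $victim.FullName -Stream 'probe'
    }
}
Test-Write 'Value under HKLM\SOFTWARE' {
    New-ItemProperty -Path 'HKLM:\SOFTWARE' -Name 'AclProbe' -Value 1 -PropertyType DWord -ErrorAction Stop | Out-Null
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE' -Name 'AclProbe'
}
# For contrast: the per-user hive and profile are always writable, and that is
# where HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries and %APPDATA%
# droppers land without any exploit at all.
Test-Write 'Value under HKCU\SOFTWARE' {
    New-ItemProperty -Path 'HKCU:\SOFTWARE' -Name 'AclProbe' -Value 1 -PropertyType DWord -ErrorAction Stop | Out-Null
    Remove-ItemProperty -Path 'HKCU:\SOFTWARE' -Name 'AclProbe'
}
```

If the "ALLOWED" lines show up for Program Files or HKLM, the grant list above them names the SID that made it possible, which is usually an inherited ACE for Users or Authenticated Users on a subtree rather than anything to do with the group the policy was written against. If only the HKCU probe succeeds, the "spyware in Program Files" was written by something running with more than the user's token, and the question moves to what that something was.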
There is a way.
Simple example: use at to open a cmd prompt. You'll be surprised at what that prompt has access to. (hint: it's *more* than Administrator.) Disclaimer: I have not tested this as a pleb.

I saw this some months ago as a way to modify some certain Registry Keys in the locals Users area* that even Administrator can't even see, let alone change. Windows security is just so complex and poorly documented...**

Wade.

* not the local user's area, the local users area.
** to which I suspect people are going to disagree. :-)

Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please

-- "Anything but Ordinary" by Avril Lavigne.

It's LocalSystem
And yes, it's more than Administrator, on local machine.
I could not find an easy way to disable it, apart from disabling the schedule service. What a sordid mess! It should run as the user that scheduled the action, not as LocalSystem.

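An added example, not code from the thread or from any poster, for the `at` / LocalSystem point above. Two facts frame it: jobs submitted with at.exe did run as LocalSystem, and at.exe requires membership in the local Administrators group, so Wade's "not tested as a pleb" question resolves to the `at` prompt not being reachable from a standard user's session (at.exe is deprecated in favour of schtasks on current Windows). What a practitioner actually audits, then, is the set of tasks that already run as SYSTEM: who created them, what they execute, and whether that program lives somewhere an ordinary user can overwrite, since that is the realistic way a plain user gets code into a SYSTEM task. It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module; the function names are mine.

```powershell
# Added example, not code from the thread. Lists every scheduled task that
# runs as LocalSystem, who authored it and what it executes, and flags any
# whose program sits in a location writable by ordinary users.
# Assumption: Windows 8 / Server 2012 or later (ScheduledTasks module);
# function names are mine.

# Everyone, Authenticated Users, BUILTIN\Users: if any of these can write the
# binary, every interactive user can replace what SYSTEM will run.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$fsWrite   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, Write, Modify, FullControl'

function Test-BroadlyWritable {
    param([string]$Command)
    $path = [Environment]::ExpandEnvironmentVariables($Command.Trim('"'))
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return $null }   # bare name or not found: cannot judge
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($broadSids -contains $sid -and (($ace.FileSystemRights -band $fsWrite) -ne 0)) { return $true }
    }
    return $false
}

function Get-SystemTasks {
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match '^(SYSTEM|NT AUTHORITY\\SYSTEM|S-1-5-18)$' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if (-not $action.Execute) { continue }   # COM-handler actions have ClassId, not Execute
                [pscustomobject]@{
                    Task           = $task.TaskPath + $task.TaskName
                    Author         = $task.Author
                    State          = $task.State
                    Execute        = $action.Execute
                    Arguments      = $action.Arguments
                    BinaryWritable = Test-BroadlyWritable -Command $action.Execute
                }
            }
        }
}

$systemTasks = Get-SystemTasks
$systemTasks | Sort-Object Task | Format-Table -AutoSize

'--- SYSTEM tasks whose program an ordinary user could overwrite ---'
$systemTasks | Where-Object { $_.BinaryWritable -eq $true } | Format-Table Task, Author, Execute -AutoSize
```

A `BinaryWritable` of `$null` means the action names the program without a resolvable path (a bare `cmd.exe`, or something under a directory the current user cannot read), which is worth a second look by hand rather than a pass. Tasks whose Author is an ordinary user account but whose principal is SYSTEM are the other thing to chase: they were created by someone who had admin rights at the time, or by a tool running as SYSTEM on their behalf.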

     Undetectable VX2!!!!!! - (Andrew Grygus) - (39)
         Maybe because it isn't the traditional one? - (folkert) - (3)
             This one was real VX2 . . - (Andrew Grygus) - (2)
                 Is there even room to fit one more nail? ;-) -NT - (n3jja) - (1)
                     Depends on how many infections a given machine has. -NT - (ben_tilly)
         Re: Undetectable VX2!!!!!! - (andread) - (3)
             Of course. -NT - (Andrew Grygus) - (2)
                 Yeap, just like that. - (folkert) - (1)
                     My root post for this thread did refer to . . - (Andrew Grygus)
         Assuming that I am a complete dolt, - (Arkadiy) - (29)
             Rootkit worms for windows abound - (jake123)
             Well, just for starters . . - (Andrew Grygus) - (8)
                 Apart from the first point - (Arkadiy) - (7)
                     Let's see, point #3 - (jake123) - (5)
                         Sounds like the OS/2 WPS (ducks, runs) -NT - (altmann) - (2)
                             Nah, Office has users. - (pwhysall)
                             :) - (jake123)
                         Sounds like Gnome - (Arkadiy) - (1)
                             No, another disagreement here. - (folkert)
                     On our network... - (Steven A S)
             Win32 message service - (inthane-chan) - (18)
                 If you're not an admin, you don't have - (Arkadiy) - (17)
                     Nope. I have a machine at work. - (folkert) - (16)
                         I don't know :( - (Arkadiy) - (13)
                             I don't agree with your assessment. - (folkert) - (12)
                                 That I don't understand - (Arkadiy) - (11)
                                     That's where messaging comes in. - (inthane-chan)
                                     Not like Windows... - (folkert) - (6)
                                         It was quite helpful - (Arkadiy) - (5)
                                             It isn't documneted the way you'd think. - (folkert) - (4)
                                                 Well, the only things that grant access to file system - (Arkadiy) - (3)
                                                     Then how do you explain the fact that it happens? - (folkert) - (2)
                                                         I have no explanation that I am sure of. - (Arkadiy) - (1)
                                                             Thank you. (new thread) - (folkert)
                                     Re: That I don't understand - (andread) - (2)
                                         Are they members of other groups? - (Arkadiy) - (1)
                                             Domain Users -NT - (andread)
                         There is a way. - (static) - (1)
                             It's LocalSystem - (Arkadiy)
         VX2 on 2 servers - (andread)
