
Vista Exploit Surfaces on Russian Hacker Site

nit123456

ORIGINAL POST AT HERE

Proof-of-concept exploit code for a privilege escalation vulnerability affecting all versions of Windows, including Vista, has been posted on a Russian hacker forum, forcing Microsoft to activate its emergency response process.

Mike Reavey, operations manager of the Microsoft Security Response Center, confirmed that the company is "closely monitoring" the public posting, which first appeared on a Russian language forum on Dec. 15. It affects "csrss.exe," which is the main executable for the Microsoft Client/Server Runtime Server.

According to an alert cross-posted to security mailing lists, the vulnerability is caused by a memory corruption when certain strings are sent through the MessageBox API.

"The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems," Reavey said in an entry posted late Dec. 21 on the ****** blog.

"Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings and we have activated our emergency response process involving a multitude of folks who are investigating the issue in depth to determine the full scope and potential impact to Microsoft's customers," Reavey added.

"While I know this is a vulnerability that impacts Windows Vista I still have every confidence that Windows Vista is our most secure platform to date," he added.

The ****** is expected to issue a formal security advisory with pre-patch workarounds. In the interim, the company is urging customers to enable a firewall, apply all security updates and install anti-virus and anti-spyware protection.

To date, there are no reports of actual attacks against Windows users.

The Microsoft confirmation comes hard on the heels of a claim by anti-virus vendor Trend Micro that underground hackers are selling zero-day exploits for Windows Vista at $50,000 a pop.
 
Originally posted by: nit123456

"Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system."

Let's put it this way- if a hacker has physical access and an account on your system, you're already screwed.

 
Well ya. It's a local privilege exploit so that means that the attacker already has to have access to your machine to have it work.

But that doesn't mean physical access.

What this ultimately means is that if this is unpatched then a malicious program such as a worm or virus that a person in a restricted account runs would be able to gain admin privileges. (if I read it correctly)

In Linux this is called a 'local root exploit'. It's something that you have to watch out for in multiuser operating systems and is a common problem.

Remember that hackers aren't going to spend more energy hacking a machine than is necessarily required to 'own' it. With Windows XP local root exploits were pointless mostly since everybody ran as admin anyways. If in Vista it uses restricted accounts (and people stick with it) by default then you can expect to see this sort of thing more often.

But right now this particular report is pretty irrelevant. Nobody is actually using Vista for anything important yet and I am sure that a patch is already available, if not then it's on its way.
 
This is a two week old issue, well reported and affects not just Vista. So, what was your point of bringing it up now?
 
Originally posted by: greylica
Crossed F.U.D. ?

Ya sure.

But before you get all excited be sure to go to a place like secunia.com and see the rate of local privilege elevation exploits that happen in Linux and other operating systems. This sort of thing is the cause of a lot of the problems you see. (that and information disclosure.)

It's also why it's worth it to be religiously careful about 'sudo' and setting applications to run with 'setuid 0' privileges.
 
Originally posted by: bsobel
This is a two week old issue, well reported and affects not just Vista. So, what was your point of bringing it up now?

You know, not everyone is up to date on things all of the time, you seem a bit defensive when it comes to Vista, you should relax.

Vista's security policy isn't anything but constant popups though, and seriously, that is as safe as clicking yes only once, you can call me when you have to type out the root password to use root privileges.

THEN, Vista will have what Linux has had since I started.
 
Originally posted by: Slackware
Originally posted by: bsobel
This is a two week old issue, well reported and affects not just Vista. So, what was your point of bringing it up now?

You know, not everyone is up to date on things all of the time, you seem a bit defensive when it comes to Vista, you should relax.

Vista's security policy isn't anything but constant popups though, and seriously, that is as safe as clicking yes only once, you can call me when you have to type out the root password to use root privileges.

THEN, Vista will have what Linux has had since I started.

Sure seems to be a lot of newbies looking to spread FUD....
 
Vista's security policy isn't anything but constant popups though, and seriously, that is as safe as clicking yes only once, you can call me when you have to type out the root password to use root privileges.

Actually the desktop oriented distros like Ubuntu seem to be taking the opposite approach, root is disabled with no password and everything is done via sudo which requires your password and not the root account's password.
 
Originally posted by: bsobel
Originally posted by: Slackware
Originally posted by: bsobel
This is a two week old issue, well reported and affects not just Vista. So, what was your point of bringing it up now?

You know, not everyone is up to date on things all of the time, you seem a bit defensive when it comes to Vista, you should relax.

Vista's security policy isn't anything but constant popups though, and seriously, that is as safe as clicking yes only once, you can call me when you have to type out the root password to use root privileges.

THEN, Vista will have what Linux has had since I started.

Sure seems to be a lot of newbies looking to spread FUD....

I do realize that you just answered that out of getting tired of answering everything else, but I would urge you to reread it.

Administrative rights in a popup that will appear now and then without the user knowing why or what it does and the only alternative is clicking yes or no will lead to a user clicking yes to pretty much everything, even on websites.

HOW, exactly, in your own words would the above be FUD?

Or do you just type "FUD" when you are too tired to reply? I don't really blame you for that, but try to read the messages or don't respond, it's how that works.
 
Originally posted by: Nothinman
Vista's security policy isn't anything but constant popups though, and seriously, that is as safe as clicking yes only once, you can call me when you have to type out the root password to use root privileges.

Actually the desktop oriented distros like Ubuntu seem to be taking the opposite approach, root is disabled with no password and everything is done via sudo which requires your password and not the root account's password.

Yet all that requires is access to the command and ANY user's password, I don't see that as being more secure.

Of course, a default installation is very secure, no firewall but then again, no servers running outwards.
 
Originally posted by: fyleow
you can call me when you have to type out the root password to use root privileges.

THEN, Vista will have what Linux has had since I started.

Ring ring. Vista calling.

Ring ring, Vista called me back, logged in as a user, or a silent process user or a worm does not require the root password, just an automated process of clicking ok at the sign.

No, Vista does not require a password for admin privileges, it really does not require shiat except a local account and that can be accessed from anywhere and you still only have to click yes.

 
Yet all that requires is access to the command and ANY user's password, I don't see that as being more secure.

I can't tell if you're talking about the default Ubuntu setup or that of Vista. But on Vista the UAC prompts don't require a password at all, just a confirmation but for that to work the user has to be in the administrators group. And Ubuntu is similar in that users have to be in the admin group for sudo to work for them.
 
Ring ring, Vista called me back, logged in as a user, or a silent process user or a worm does not require the root password, just an automated process of clicking ok at the sign.

Have you actually tried that? Supposedly the UAC prompts are presented from another desktop, the switch to that desktop is visually cued by the dimming effect you see when the prompt comes up, so nothing running under the user's account should be able to manipulate the UAC prompt.
 
Originally posted by: fyleow
HOW, exactly, in your own words would the above be FUD?

Because when you run in standard user mode you will have to type in a password for things that require administrative rights. It is not just clicking yes or no.

Well, I'm running Vista here, so I go to the control panel to add a user, now I have to click yes or no, twice, but I do not have to type in a password for anything except the new user.

That is about the most dangerous thing you can do to a system and it does NOT require an admin password to do it.

In fact except for setting the root password I have not even used that password for the three weeks I've been playing with that box.

I'm running Vista Ultimate, 5480 RTM with updates i haven't kept track of since it's a localized install.

But you get my point surely...

The rest of you Vista users, do you get a box every time where you have to type in the admin password?
 
Originally posted by: Nothinman
Yet all that requires is access to the command and ANY user's password, I don't see that as being more secure.

I can't tell if you're talking about the default Ubuntu setup or that of Vista. But on Vista the UAC prompts don't require a password at all, just a confirmation but for that to work the user has to be in the administrators group. And Ubuntu is similar in that users have to be in the admin group for sudo to work for them.


All users created during setup are admins in both cases and figuring out their passwords can be done fairly easily, but I was talking about Ubuntu when I wrote that, UAC is supposedly a bit harder to crack (not really).
 
Originally posted by: Nothinman
Ring ring, Vista called me back, logged in as a user, or a silent process user or a worm does not require the root password, just an automated process of clicking ok at the sign.

Have you actually tried that? Supposedly the UAC prompts are presented from another desktop, the switch to that desktop is visually cued by the dimming effect you see when the prompt comes up, so nothing running under the user's account should be able to manipulate the UAC prompt.

I will surely regret telling everyone and the world this but the grayed out screen is no different from how it works in KDE, it's just a system wait call, nothing special, you will notice it plenty of times if an application is prone to hanging, and with that you get how worthless it is as a "feature" to "alarm" the user. Besides, remote desktop acknowledgement does the same thing, now if that isn't to fool the user (especially since the remote control does not necessarily control the current desktop but can still see it and feed information to it).

Vista has this functionality and Stash and Smiley will agree on this, you can take over one desktop and leave the user with another and he will not know anything about what you are doing if he isn't monitoring IO with third party tools.
 
Originally posted by: fyleow
Originally posted by: Slackware
Originally posted by: fyleow
HOW, exactly, in your own words would the above be FUD?

Because when you run in standard user mode you will have to type in a password for things that require administrative rights. It is not just clicking yes or no.

Well, I'm running Vista here, so I go to the control panel to add a user, now I have to click yes or no, twice, but I do not have to type in a password for anything except the new user.

That is about the most dangerous thing you can do to a system and it does NOT require an admin password to do it.

In fact except for setting the root password I have not even used that password for the three weeks I've been playing with that box.

I'm running Vista Ultimate, 5480 RTM with updates i haven't kept track of since it's a localized install.

But you get my point surely...

The rest of you Vista users, do you get a box every time where you have to type in the admin password?

That's because you're running on an administrator account. With a standard user account the UAC prompts will require a password to be entered.

No I am NOT running an administrator account, you haven't ever used Vista, have you?

As a single user on a Vista machine (which is how 99.5 will be run) you get one administrator account and another user account where you click yes or no on all actions.

You can create users from there, as well as you can do the same on any version of NT, but you don't.
 
Originally posted by: fyleow
a silent process user or a worm does not require the root password, just an automated process of clicking ok at the sign.

User Account Control asks for credentials in a Secure Desktop mode, where the entire screen is blacked out and temporarily disabled, to present only the elevation UI. This is to prevent spoofing of the UI or the mouse by the application requesting elevation. If an administrative activity comes from a minimized application, the secure desktop request will also be minimized so as to prevent the focus from being lost.

Still it will require a yes or a no, from a user or a worm choosing yes (or if a worm is being very nice, choosing no)

It's nothing, it's a bit more than doing it without a popup to choose, but not even a worm will need to choose yes, people do that just because they are used to hitting yes, in fact, a whole lotta malware will be installed because of this, you go to a website, hitting yes is natural so you just do that, and then when the system is warning you you don't think twice, you just hit yes again.

This could ultimately prove to be the worst security feature ever invented.
 
No I am NOT running an administrator account, you haven't ever used Vista, have you?

I'm not sure what behaviour you are seeing, but UAC will ask the yes/no if you're an admin account running in reduced privilege mode. If you're a 'normal' account you get a popup listing the admin accounts on the machine and have to select one and enter the password.

(Actually with the MS fingerprint readers it's fairly cool as they will authenticate as well, so when my daughter does something that requires admin I just walk over and touch the fingerprint reader, it integrates GREAT and is a heck of a lot easier than constantly entering the admin pw).
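The consent-versus-credential distinction bsobel describes in the post above, and the secure-desktop behaviour quoted earlier in the thread, both map onto documented UAC policy values in the registry. The following Python is an added example, not code from the thread or from Microsoft; it classifies a set of those values as consent-only or credential-demanding, using constructed sample dicts, with an optional live read via winreg when run on Windows.

```python
# Added example (not code from the thread or from Microsoft): classify the UAC
# elevation-prompt posture from the documented policy values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
NAMES = ("EnableLUA", "ConsentPromptBehaviorAdmin",
         "ConsentPromptBehaviorUser", "PromptOnSecureDesktop")

def assess_uac(values):
    """Return ("weak"|"hardened", findings); missing values take the
    documented defaults (UAC on, admin=5, user=3, secure desktop on)."""
    findings = []
    if values.get("EnableLUA", 1) == 0:
        return "weak", ["UAC is off entirely (EnableLUA=0)"]
    admin = values.get("ConsentPromptBehaviorAdmin", 5)
    if admin == 0:
        findings.append("admin accounts elevate silently, no prompt at all")
    elif admin in (2, 4, 5):  # consent values: a yes/no click, no password
        findings.append(f"admins get a yes/no consent prompt (admin={admin});"
                        " 1 or 3 would demand credentials instead")
    if values.get("PromptOnSecureDesktop", 1) == 0:
        findings.append("prompts are drawn on the interactive desktop, "
                        "not the secure desktop (PromptOnSecureDesktop=0)")
    return ("weak" if findings else "hardened"), findings

def read_uac_policy():
    """Read the live values on Windows; return {} on other platforms."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg  # Windows-only module, hence the late import
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        for name in NAMES:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent: assess_uac() applies the default
    return out

# Constructed samples (not read from any real machine): the consent-only
# behaviour argued about in the thread, beside credentials on the secure desktop.
CONSENT_ONLY = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2,
                "ConsentPromptBehaviorUser": 3, "PromptOnSecureDesktop": 1}
CREDENTIALS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 1,
               "ConsentPromptBehaviorUser": 1, "PromptOnSecureDesktop": 1}

if __name__ == "__main__":
    print(assess_uac(read_uac_policy() or CONSENT_ONLY))
```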
 