So, you guys don't think it's an issue that power management in Vista (apparently) has a pass to bypass local security policy?

--
Abe Getchell
me@xxxxxxxxxxxxxxx
https://abegetchell.com/

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Saturday, July 19, 2008 6:20 PM
> To: me@xxxxxxxxxxxxxxx; Jim Harrison; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> If Jim is going to get Nancy to run a program, and that's "not all that hard," then why not just have that program do what you want in the first place rather than worrying about the power switch nonsense? This is the one million and fourth time: "If your 'vulnerability' begins with 'if I can get the user to run code' then whatever comes after the 'then' doesn't matter. Period."
>
> t
>
> > -----Original Message-----
> > From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
> > Sent: Saturday, July 19, 2008 12:33 AM
> > To: 'Jim Harrison'; bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > As stated in my original e-mail to the list, I definitely don't think that this is a security vulnerability in a traditional sense. I completely agree with you. Think about it this way... When you press the power button on the machine and it performs a graceful shutdown, stuff happens inside of the operating system. That stuff happens at an elevated privilege level. If there were some way to hook into the stuff that happens, you (as an unauthenticated user) could do bad things (besides simply shutting down the system) using that hook simply by pressing the power button at the logon screen. For example, if Jim wants to know what Nancy is working on, he could write a program which e-mails him the contents of her "My Documents" folder that is triggered by a hook into that process. All Jim needs to do is get Nancy to run that program on her system (not hard) and walk by her office when she's not there and hit the power button (also not hard). So what can _I_ do with this bug? Not much, I'm not that great of a programmer... but I think someone out there could do some nasty stuff.
> >
> > --
> > Abe Getchell
> > me@xxxxxxxxxxxxxxx
> > https://abegetchell.com/
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Saturday, July 19, 2008 1:36 AM
> > > To: 'me@xxxxxxxxxxxxxxx'; bugtraq@xxxxxxxxxxxxxxxxx
> > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > >
> > > Abe,
> > >
> > > Other than a denial-of-service from the console (is the power switch now a security vuln, too?), what can you do with this bug? It's absolutely, unquestionably a "bug"; the user should see behavior as dictated by logic and described in the documentation, but a "security vulnerability"?
> > >
> > > I think that's stretching things juuuuuust a bit.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
> > > Sent: Thursday, July 17, 2008 7:39 PM
> > > To: bugtraq@xxxxxxxxxxxxxxxxx
> > > Subject: Windows Vista Power Management & Local Security Policy
> > >
> > > When the security option "Shutdown: Allow system to be shut down without having to log on" (in the local security policy) is set to "Disable", and the power management setting "When I press the power button" is set to "Shut Down", it is possible for an unauthenticated user to press the power button at the Windows logon screen and gracefully shut down the system. The explanation of this security option, taken from the local security policy, is as follows:
> > >
> > > "Shutdown: Allow system to be shut down without having to log on
> > >
> > > This security setting determines whether a computer can be shut down without having to log on to Windows.
> > >
> > > When this policy is enabled, the Shut Down command is available on the Windows logon screen.
> > >
> > > When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, *users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown*.
> > >
> > > Default on workstations: Enabled.
> > > Default on servers: Disabled."
> > >
> > > Note the text between the asterisks. While this bug isn't necessarily a software flaw allowing for an intrusion into the system in a traditional sense, it does set a bad precedent in that power management has a free pass to bypass local security policy and perform actions expressly against the defined policy. It appears that the only impact the use of this security option actually has is enabling or disabling the display of the "power button" on the Windows logon screen (locally only - this setting has no effect on remote desktop connections - the "power button" is not displayed in either case), not actually preventing anyone from (gracefully) shutting down the system without logging in.
> > >
> > > I reported this to the MSRC on 6/25/2008 and their stance was that this wasn't a security vulnerability, but was likely a bug, and was passed directly to the product team to investigate through their normal bug triage process. After some back and forth, there was silence, and I let them know I was going to release this information to the community.
> > >
> > > This was tested on Windows Vista SP1 (32-bit).
> > >
> > > --
> > > Abe Getchell
> > > me@xxxxxxxxxxxxxxx
> > > https://abegetchell.com/
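A defender-side audit for the combination the original report describes (policy set to Disabled while the power button is still mapped to "Shut down"), added here as an example and not part of the thread. It assumes the documented registry backing of the policy (`ShutdownWithoutLogon` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, 1 = Enabled, 0 = Disabled) and the `SUB_BUTTONS` / `PBUTTONACTION` aliases reported by `powercfg /aliases`; the remediation commands in the warning need an elevated prompt.

```powershell
# Added example, not from the thread. Flags the state the report describes:
# logon-screen shutdown policy Disabled, yet the physical power button still
# performs a graceful shutdown, so a console user can shut down without logging on.
# Assumes the ShutdownWithoutLogon policy value and the powercfg aliases
# SUB_BUTTONS / PBUTTONACTION (verify with: powercfg /aliases).

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = (Get-ItemProperty -Path $policyKey -Name ShutdownWithoutLogon `
           -ErrorAction SilentlyContinue).ShutdownWithoutLogon
# An absent value means the OS default applies (Enabled on workstations per the policy text).
$policyState = switch ($policy) { 0 { 'Disabled' } 1 { 'Enabled' } default { 'Default (not set)' } }

# powercfg reports the button action as an index: 0 Do nothing, 1 Sleep, 2 Hibernate, 3 Shut down
$actionNames = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }
$query = powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION

function Get-ButtonIndex([string[]]$Lines, [string]$Label) {
    # Pulls the "Current AC/DC Power Setting Index: 0x0000000N" line out of the query output.
    $line = $Lines | Where-Object { $_ -match "Current $Label Power Setting Index" } | Select-Object -First 1
    if (-not $line) { return $null }
    [int](($line -split ':')[-1].Trim())   # "0x00000003" casts to 3
}
$ac = Get-ButtonIndex $query 'AC'
$dc = Get-ButtonIndex $query 'DC'

"Shutdown without logon policy : $policyState"
"Power button (plugged in)     : $($actionNames[$ac])"
"Power button (on battery)     : $($actionNames[$dc])"

# The mismatch the report calls out: the policy hides the logon-screen shutdown
# option, but the hardware button bypasses it and shuts the machine down anyway.
if ($policy -eq 0 -and ($ac -eq 3 -or $dc -eq 3)) {
    Write-Warning 'Power button is mapped to Shut down while the policy forbids shutdown without logon.'
    Write-Warning 'Mitigation (elevated): powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0'
    Write-Warning '                       powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0'
}
```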