I understand all of that, which is precisely the reason I put it out there.
The example I put forth might have been a bad one (given that it relies on an
additional piece of code to be installed on a target machine), but there's
probably more to this issue than I can deduce. I'll let those more versed in
that area of security figure it out. As a side note, check out some of the
conversations on the Linux Kernel mailing list about power management and
security. Interesting stuff.

--
Abe Getchell
me@xxxxxxxxxxxxxxx
https://abegetchell.com/

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Sunday, July 20, 2008 4:33 PM
> To: 'me@xxxxxxxxxxxxxxx'; 'Thor (Hammer of God)'; 'Johan Beisser'
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> It's about reality & priorities.
>
> What we're both saying is:
> 1. it's a bug and should be fixed in accordance with its impact on real
> (not imagined) functionality & security
> 2. unless this provides some exploit that doesn't start with "if I can
> install software on the host", it's not more than "a bug in a security
> mechanism"
>
> If someone can demonstrate an actual vulnerability or exploit on the
> basis of this bug _alone_, then they may have something to make noise
> about. There are enough real bugs and security vulns in software to
> deal with. Not every security issue spells doom and damnation or
> warrants immediate corrective response from the vendor.
>
> Jim
>
> -----Original Message-----
> From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
> Sent: Sunday, July 20, 2008 12:32 PM
> To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> So, you guys don't think it's an issue that power management in Vista
> (apparently) has a pass to bypass local security policy?
>
> --
> Abe Getchell
> me@xxxxxxxxxxxxxxx
> https://abegetchell.com/
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Saturday, July 19, 2008 6:20 PM
> > To: me@xxxxxxxxxxxxxxx; Jim Harrison; bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > If Jim is going to get Nancy to run a program, and that's "not all that
> > hard," then why not just have that program do what you want in the first
> > place rather than worrying about the power switch nonsense? This is the
> > one million and fourth time: "If your 'vulnerability' begins with 'if I
> > can get the user to run code' then whatever comes after the 'then'
> > doesn't matter. Period."
> >
> > t
> >
> > > -----Original Message-----
> > > From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
> > > Sent: Saturday, July 19, 2008 12:33 AM
> > > To: 'Jim Harrison'; bugtraq@xxxxxxxxxxxxxxxxx
> > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > >
> > > As stated in my original e-mail to the list, I definitely don't think
> > > that this is a security vulnerability in a traditional sense. I
> > > completely agree with you. Think about it this way... When you press
> > > the power button on the machine and it performs a graceful shutdown,
> > > stuff happens inside of the operating system. That stuff happens at an
> > > elevated privilege level. If there were some way to hook into the stuff
> > > that happens, you (as an unauthenticated user) could do bad things
> > > (besides simply shutting down the system) using that hook simply by
> > > pressing the power button at the logon screen. For example, if Jim
> > > wants to know what Nancy is working on, he could write a program which
> > > e-mails him the contents of her "My Documents" folder that is triggered
> > > by a hook into that process.
> > > All Jim needs to do is get Nancy to run that program on her system (not
> > > hard) and walk by her office when she's not there and hit the power
> > > button (also not hard). So what can _I_ do with this bug? Not much, I'm
> > > not that great of a programmer... but I think someone out there could
> > > do some nasty stuff.
> > >
> > > --
> > > Abe Getchell
> > > me@xxxxxxxxxxxxxxx
> > > https://abegetchell.com/
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Saturday, July 19, 2008 1:36 AM
> > > > To: 'me@xxxxxxxxxxxxxxx'; bugtraq@xxxxxxxxxxxxxxxxx
> > > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > > >
> > > > Abe,
> > > >
> > > > Other than a denial-of-service from the console (is the power switch
> > > > now a security vuln, too?), what can you do with this bug? It's
> > > > absolutely, unquestionably a "bug"; the user should see behavior as
> > > > dictated by logic and described in the documentation, but a "security
> > > > vulnerability"?
> > > >
> > > > I think that's stretching things juuuuuust a bit.
> > > >
> > > > Jim
> > > >
> > > > -----Original Message-----
> > > > From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
> > > > Sent: Thursday, July 17, 2008 7:39 PM
> > > > To: bugtraq@xxxxxxxxxxxxxxxxx
> > > > Subject: Windows Vista Power Management & Local Security Policy
> > > >
> > > > When the security option "Shutdown: Allow system to be shut down
> > > > without having to log on" (in the local security policy) is set to
> > > > "Disable", and the power management setting "When I press the power
> > > > button" is set to "Shut Down", it is possible for an unauthenticated
> > > > user to press the power button at the Windows logon screen and
> > > > gracefully shut down the system.
> > > > The explanation of this security option, taken from the local
> > > > security policy, is as follows:
> > > >
> > > > "Shutdown: Allow system to be shut down without having to log on
> > > >
> > > > This security setting determines whether a computer can be shut down
> > > > without having to log on to Windows.
> > > >
> > > > When this policy is enabled, the Shut Down command is available on
> > > > the Windows logon screen.
> > > >
> > > > When this policy is disabled, the option to shut down the computer
> > > > does not appear on the Windows logon screen. In this case, *users
> > > > must be able to log on to the computer successfully and have the
> > > > Shut down the system user right before they can perform a system
> > > > shutdown*.
> > > >
> > > > Default on workstations: Enabled.
> > > > Default on servers: Disabled."
> > > >
> > > > Note the text between the asterisks. While this bug isn't necessarily
> > > > a software flaw allowing for an intrusion into the system in a
> > > > traditional sense, it does set a bad precedent in that power
> > > > management has a free pass to bypass local security policy and
> > > > perform actions expressly against the defined policy. It appears that
> > > > the only impact the use of this security option actually has is
> > > > enabling or disabling the display of the "power button" on the
> > > > Windows logon screen (locally only - this setting has no effect on
> > > > remote desktop connections - the "power button" is not displayed in
> > > > either case), not actually preventing anyone from (gracefully)
> > > > shutting down the system without logging in.
> > > >
> > > > I reported this to the MSRC on 6/25/2008 and their stance was that
> > > > this wasn't a security vulnerability, but was likely a bug, and was
> > > > passed directly to the product team to investigate through their
> > > > normal bug triage process. After some back and forth, there was
> > > > silence, and I let them know I was going to release this information
> > > > to the community.
> > > >
> > > > This was tested on Windows Vista SP1 (32-bit).
> > > >
> > > > --
> > > > Abe Getchell
> > > > me@xxxxxxxxxxxxxxx
> > > > https://abegetchell.com/
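The original report combines two settings: the "Shutdown: Allow system to be shut down without having to log on" security option set to Disabled, and the power button mapped to Shut Down. The PowerShell script below is an added example, written for this page and not posted by anyone in the thread, that audits a machine for exactly that combination and can apply a compensating control. It assumes (as a convention, not something the thread states) that the security option is backed by the DWORD ShutdownWithoutLogon under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (1 = Enabled, 0 = Disabled, absent = workstation default), and that the power button action is exposed through the powercfg aliases SUB_BUTTONS / PBUTTONACTION with index values 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down. The Get-PowerButtonAction function and the -Remediate switch are this example's own names.

```powershell
# Added example (not from the Bugtraq thread): audit the policy/power-button
# combination described in the report and optionally neutralise it.
# Assumptions: ShutdownWithoutLogon DWORD backs the security option;
# powercfg aliases SUB_BUTTONS / PBUTTONACTION expose the power button action
# (0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down).
# Run from an elevated PowerShell prompt.
param(
    # When set and the policy is Disabled, map the power button to "Do nothing"
    # so a pre-logon press cannot trigger the graceful shutdown path.
    [switch]$Remediate
)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = (Get-ItemProperty -Path $policyKey -Name ShutdownWithoutLogon `
              -ErrorAction SilentlyContinue).ShutdownWithoutLogon

$actionNames = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }

# Parse the "Current AC/DC Power Setting Index: 0x0000000N" line that
# powercfg /query prints for the active scheme.
function Get-PowerButtonAction {
    param([ValidateSet('AC', 'DC')][string]$Source)
    $out = powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION
    foreach ($line in $out) {
        if ($line -match "Current $Source Power Setting Index:\s+0x([0-9A-Fa-f]+)") {
            return [Convert]::ToInt32($Matches[1], 16)
        }
    }
    return $null
}

$ac = Get-PowerButtonAction -Source AC
$dc = Get-PowerButtonAction -Source DC

$policyText = switch ($policy) {
    0       { 'Disabled' }
    1       { 'Enabled' }
    default { 'not set (workstation default: Enabled)' }
}
Write-Host ("Shutdown without logon policy : {0}" -f $policyText)
Write-Host ("Power button (AC)             : {0}" -f $actionNames[$ac])
Write-Host ("Power button (DC)             : {0}" -f $actionNames[$dc])

# The report's finding: with the policy Disabled, the button still shuts the
# machine down gracefully from the logon screen. Flag that combination.
if ($policy -eq 0 -and ($ac -eq 3 -or $dc -eq 3)) {
    Write-Warning 'Policy hides the logon-screen Shut Down command, but the power button is still mapped to Shut down: an unauthenticated console user can gracefully shut the system down.'
    if ($Remediate) {
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
        powercfg /setactive SCHEME_CURRENT
        Write-Host 'Power button action set to "Do nothing" on AC and DC.'
    }
} else {
    Write-Host 'No policy/power-button mismatch detected.'
}
```

Two caveats for anyone using this as a control. Mapping the button to "Do nothing" only closes the graceful path the report describes; anyone with physical access to the button can still hold it for a hard power-off, which the operating system cannot police. And the registry value is a convention assumed here rather than something the thread confirms, so verify it against Local Security Policy on the build you are auditing before trusting the result.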