Hi Andrew,

As you might not be aware, there are more of these 'flaws' in the Microsoft Windows operating systems. Having admin privileges means that you can do anything with the system you want; for your actions to work you need to have these rights, and as such the flaw can only be described as user error. You can not blame a vendor for including tools to manage services. That would be the same as claiming that a Unix root user should not be able to do a rm -rf /. It's up to users how stupid they want to be, and you can't solve user ignorance with technical solutions.

So, my conclusion is that your find is just the OS working like it should. Microsoft put the sc command in the OS on purpose, and it is even described and explained by MS in the books and on sites such as MSDN and TechNet, so it's not a 'secret command' of any kind. Heck, you could use net stop "some service" or do far worse with the REG and registry commands or even WMI scripting and/or PowerShell than disabling services, and all of those are usable from the command line.

So again, your find is not an exploit in any way, shape or form, and it's also not a security threat; it's simply the OS acting like it should :)

Regards,
Jeroen

-----Original Message-----
From: Andrew Barkley <barkley@xxxxxxx>
To: Jeroen <nowhereman@xxxxxxxxxx>
Subject: Re: Circumventing Critical Security in Windows XP
Date: Sat, 20 Feb 2010 04:20:46 -0000

Hi,

Thank you for your reply. Firstly, it goes without saying that given time, effort and resources, exploitation of any kind will eventually succeed. However, exploitation via this vector now becomes a mere "tick in a box", so to speak. The whole experience is instant, requiring no effort whatsoever; on the very next reboot these critical security services are disabled. Exploiting this vector does require Admin privileges, which is not uncommon and also the default for most users, especially with regard to Windows XP.

Should this "specially created file" (HotFix.reg) now be executed in any way, shape or form, i.e. natively (disguised of course), or even worse, embedded (obfuscated) within a harmless document, spreadsheet etc., the consequences would be as follows:

In summary, I've discovered a vector for exploitation that requires no effort whatsoever to circumvent the security of critical security services in all versions of Windows XP & W2K. The implications of this vector being exploited are clear. It goes without saying that should this discovery become public knowledge, this would in fact make it a very effective tool in the hands of miscreants to immobilise critical security functions, i.e. firewall, antivirus, intrusion protection etc. In my opinion, this vector is certainly not a vulnerability nor a flaw so to speak, but rather a functional design oversight.

NOTE: This same technique can be obfuscated in any unsuspecting document, spreadsheet etc. Thus, unsuspecting victims would be unaware that their system's critical security services have been disarmed, leaving them compromised and exposed to further exploitation.

This very specific vector I've discovered requires a mere execution of the following "specially prepared file" (HotFix.reg). The following critical security services (as an example) will be registered as disabled, and on the very next reboot these critical security services will be disabled, thus leaving the user exposed and unprotected. To further demonstrate the real effectiveness and simplicity of exploiting this vector, I've also packaged together the following simple executable (HotFix.exe).

Example of critical security services affected:
* BlackICE
* McAfee
* Pointsec
* ISS Proventia
* ZoneAlarm
* Avast
* AVG
* Trusteer Rapport

Kind regards
Andrew Barkley

------ Original Message ------
Received: Fri, 19 Feb 2010 03:42:55 PM GMT
From: Jeroen <nowhereman@xxxxxxxxxx>
To: barkley@xxxxxxx
Subject: Re: Circumventing Critical Security in Windows XP

Hey Andrew,

I'm unable to reproduce your find on an unpatched XP machine, as well as one with SP1 and one with SP2. The only way I can reproduce the problem is by executing the commands as administrator, which kind of defeats the whole purpose of your 'bug'. When I run the command (as a normal user) as stated by you, I get the error that manual is not a valid state; only boot|system|auto|demand|disabled seem to be valid. When trying disabled, I get the notice that I do not have sufficient rights.

Can you be more precise as to how and what you have tested? Maybe the bug is triggered by a certain hotpatch or otherwise?

Regards,
Jeroen

-----Original Message-----
From: barkley@xxxxxxx
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Circumventing Critical Security in Windows XP
Date: 17 Feb 2010 14:04:12 -0000

Hi,

I've detailed below just how easy (too easy) it is to circumvent the security of the following critical security services. Thus can't now become can! It goes without saying that malware, on entering a system by whichever means and on detecting critical security services, can now even more easily (automated/scripted) disarm critical security services, just by modifying unprotected registry entries, for whatever malevolent purposes. I've created registry entries (I can send these to you should you be interested) to demonstrate just how easy it is to circumvent the security of these critical security services, which unfortunately is all too easily a very effective way of immobilising critical security functions, i.e. firewall, antivirus etc.

This in my opinion is certainly not a vulnerability nor a flaw so to speak, but rather a functional design oversight?

I've verified this against the following with success. After these registry modifications have been effected and the system rebooted, these critical services will be disarmed.

BlackICE
McAfee
Pointsec
ISS Proventia
ZoneAlarm

On successfully disarming these security services, one could also use the following to then further manipulate the drivers & services, by reconfiguring their startup parameters to 'manual' and not 'automatic', or just disable them altogether. i.e. the following will reconfigure the startup parameters to 'manual' and not 'automatic' (default):

    C:\>sc config VPatch start= demand
    C:\>sc config BlackICE start= demand
    C:\>sc config McShield start= demand
    C:\>sc config McTaskManager start= demand
    C:\>sc config McAfeeFramework start= demand
    C:\>sc config Pointsec_start start= demand
    C:\>sc config Pointsec start= demand

Cheers
Andrew Barkley (-_-)
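The thread turns on service start types being flipped in HKLM\SYSTEM\CurrentControlSet\Services (the HotFix.reg contents are not shown). As an added defender-side example, not code from the thread or from any vendor, the following Python audits a .reg file before it is imported and flags watchlisted services whose Start value is set to demand (3) or disabled (4); the sample .reg text and the watchlist are constructed, and the script assumes the file has already been decoded to text (real exports are UTF-16LE).

```python
import re
from typing import Dict, List, Tuple

# Service Control Manager Start values; the sc.exe 'start=' keywords quoted in
# the thread map onto these numbers.
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Matches a top-level service key such as [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Foo]
SERVICES_KEY_RE = re.compile(
    r"^\[(?:HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\([^\\\]]+)\]$", re.IGNORECASE)
# Matches the REG_DWORD line written by regedit exports: "Start"=dword:00000004
START_VALUE_RE = re.compile(r'^"Start"=dword:([0-9a-fA-F]{8})$', re.IGNORECASE)


def parse_service_start_values(reg_text: str) -> Dict[str, int]:
    """Return {service_name: Start} for every service key in the file that sets Start."""
    result: Dict[str, int] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = SERVICES_KEY_RE.match(line)
        if key:
            current = key.group(1)          # entered a service key
            continue
        if line.startswith("["):
            current = None                  # some other key: values no longer belong to a service
            continue
        val = START_VALUE_RE.match(line)
        if current and val:
            result[current] = int(val.group(1), 16)
    return result


def find_downgraded_services(reg_text: str, watchlist: List[str]) -> List[Tuple[str, str]]:
    """Watchlisted services the file would move to demand-start or disabled, sorted by name."""
    by_lower = {w.lower(): w for w in watchlist}   # service names are case-insensitive
    return sorted(
        (by_lower[name.lower()], START_NAMES.get(value, str(value)))
        for name, value in parse_service_start_values(reg_text).items()
        if name.lower() in by_lower and value in (3, 4))


# Constructed sample: two security services downgraded, one unrelated service left at auto.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\McShield]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BlackICE]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dhcp]
"Start"=dword:00000002
"""
```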