MS and security: good effort but no cigar

Issues remain

Last week I watched the webcast of Bill Gates speaking at the RSA conference in San Francisco. He talked about Microsoft's plans to build upon the progress it's already made in security. These plans included better protection against spyware and spam. Gates also announced Microsoft's intention to release Internet Explorer 7, complete with a number of security improvements, by the end of this year.

Looking back, the company has indeed made notable progress in the security of its software. Windows XP SP2 is a significant achievement, and Gates reported that over 170 million people have downloaded the update. The low-hanging fruit of millions of insecure Windows machines is rapidly falling from the tree.

But we're not out of the woods yet. If you can gain any user access to a Windows system, it is still surprisingly easy to completely own that box. So far, these problems have been overshadowed by the countless remote holes we've seen in recent years, but privilege escalation by authorized users is an important issue today that is still too easy to exploit.

Take, for example, the way that Windows handles file paths with spaces. Suppose that you want to run the following command:

C:\Program Files\Internet Explorer\iexplore

One cool thing about Windows is that although the path contains a space, it still runs the application fine, even if you don't place quotes around the entire command and even if you don't use the executable extension for iexplore.exe.

But how does Windows know where the program path ends and the program's command line parameters begin? How does it know that the user isn't trying to run a program named "C:\Program.exe" with the parameter "Files\Internet Explorer\iexplore?"

The problem is that it doesn't know. It just starts at the beginning and tries finding an executable until it finds a match. So in this case, it will try these files every time you run the command:

C:\Program Files\Internet.exe
C:\Program Files\Internet Explorer\iexplore.exe

You might see where I'm going with this: if you place an executable named program.exe in the root directory, it will probably end up running quite a bit. In fact, it will run anytime Windows launches a Program Files executable that does not have quotes around the path.

Microsoft certainly is aware of this issue. In fact, it was probably a design decision at some point. If you run Windows XP, try placing an executable named program.exe and reboot your system. When it restarts, Windows will warn you about the complications of having that file there.

Here's the problem: there are thousands of paths in the registry that do not have quotes around them, and many Windows systems have weak NTFS permissions that allow any user to write to the root directory. This is bad. As an experiment, I created a small program that simply logged every time it ran and under what user context. I rebooted and checked my Event Log. It turned out that on my system it ran eight times, twice under the context of the SYSTEM account and the rest as my own administrative account.

Of course, I got the message box warning of the file, so I made a slight modification to my program.exe. It turns out there is a registry key that you can set to turn off this warning. I simply change that setting every time my program runs. Since the first couple instances executed before I even logged in, there was no warning at all. And of course, there are plenty other executable name variations that Windows does not check.

Criminals get smarter

This could be a serious issue, and it's not the only one. Another weakness is all the batch files and scripts that administrators use. Sure, scripts are convenient, but you must take care to protect these files. Too many administrators leaving them laying around in directories where Everyone has write access to the files. All an attacker with low-privileged access needs to do is add their code of choice to the end of your script and it runs under your security context the next time you use the script.

Fortunately, Windows allows you to enforce script signing policies, but there is no way to enforce signing of a batch file. You must also protect files such as .reg, and .inf that an attacker might exploit. If you use scripts on your servers, make sure they have strong NTFS permissions.

Then there's the issue of poorly secured server applications. In my experience, third party Windows mail servers are particularly vulnerable. Some let you run code based on an email message, use executable auto-responders, and execute external virus and filtering applications. But what happens if the user is able to run any application of choice?

I have seen many, many mail server directories that allow all users full control over the files in that directory. Sometimes it's the mail server installer that does this and sometimes it is the administrator's fault. Some mail servers even require loose permissions for some user features to work properly.

This means that regular users can modify these settings and send themselves an email to get executables running in the context of the mail server's service - which is often the SYSTEM account. Obviously, I'm oversimplifying what's involved here, but take a close look at the file permissions for your server applications. Can users get the server to run their code?

Depending on your server, you should even consider denying all access to any account besides the service account. Too many server applications store user passwords using weak encryption and all an attacker might need is Read access to that file. Many of these flaws are well known, and there are many more that are still not publicly known. Most users do not need Read access to these files.

So far, I have only scratched the surface. There are problems with FTP client apps storing passwords, browser issues, auto run issues, and of course, the serious problems of physical server access. We have raised the bar some, but we are nowhere near done. If you have any access to a system, you can likely gain administrative access.

Sure, Microsoft is eliminating the low-hanging fruit. But what happens when there is no more low-hanging fruit? Crime doesn't stop because it is harder. Criminals get smarter. The question is, will we be ready when that time comes?

Copyright © 2004, SecurityFocus logo

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.

Related stories

Gates: security concerns propel IE7 launch
Banking Trojan disables MS Anti-Spyware
Microsoft posts record 13 patches

Other stories you might like

  • NASA's InSight doomed as Mars dust coats solar panels
    The little lander that couldn't (any longer)

    The Martian InSight lander will no longer be able to function within months as dust continues to pile up on its solar panels, starving it of energy, NASA reported on Tuesday.

    Launched from Earth in 2018, the six-metre-wide machine's mission was sent to study the Red Planet below its surface. InSight is armed with a range of instruments, including a robotic arm, seismometer, and a soil temperature sensor. Astronomers figured the data would help them understand how the rocky cores of planets in the Solar System formed and evolved over time.

    "InSight has transformed our understanding of the interiors of rocky planets and set the stage for future missions," Lori Glaze, director of NASA's Planetary Science Division, said in a statement. "We can apply what we've learned about Mars' inner structure to Earth, the Moon, Venus, and even rocky planets in other solar systems."

    Continue reading
  • The ‘substantial contributions’ Intel has promised to boost RISC-V adoption
    With the benefit of maybe revitalizing the x86 giant’s foundry business

    Analysis Here's something that would have seemed outlandish only a few years ago: to help fuel Intel's future growth, the x86 giant has vowed to do what it can to make the open-source RISC-V ISA worthy of widespread adoption.

    In a presentation, an Intel representative shared some details of how the chipmaker plans to contribute to RISC-V as part of its bet that the instruction set architecture will fuel growth for its revitalized contract chip manufacturing business.

    While Intel invested in RISC-V chip designer SiFive in 2018, the semiconductor titan's intentions with RISC-V evolved last year when it revealed that the contract manufacturing business key to its comeback, Intel Foundry Services, would be willing to make chips compatible with x86, Arm, and RISC-V ISAs. The chipmaker then announced in February it joined RISC-V International, the ISA's governing body, and launched a $1 billion innovation fund that will support chip designers, including those making RISC-V components.

    Continue reading
  • FBI warns of North Korean cyberspies posing as foreign IT workers
    Looking for tech talent? Kim Jong-un's friendly freelancers, at your service

    Pay close attention to that resume before offering that work contract.

    The FBI, in a joint advisory with the US government Departments of State and Treasury, has warned that North Korea's cyberspies are posing as non-North-Korean IT workers to bag Western jobs to advance Kim Jong-un's nefarious pursuits.

    In guidance [PDF] issued this week, the Feds warned that these techies often use fake IDs and other documents to pose as non-North-Korean nationals to gain freelance employment in North America, Europe, and east Asia. Additionally, North Korean IT workers may accept foreign contracts and then outsource those projects to non-North-Korean folks.

    Continue reading
  • Google opens the pod doors on Bay View campus
    A futuristic design won't make people want to come back – just ask Apple

    After nearly a decade of planning and five years of construction, Google is cutting the ribbon on its Bay View campus, the first that Google itself designed.

    The Bay View campus in Mountain View – slated to open this week – consists of two office buildings (one of which, Charleston East, is still under construction), 20 acres of open space, a 1,000-person event center and 240 short-term accommodations for Google employees. The search giant said the buildings at Bay View total 1.1 million square feet. For reference, that's less than half the size of Apple's spaceship. 

    The roofs on the two main buildings, which look like pavilions roofed in sails, were designed that way for a purpose: They're a network of 90,000 scale-like solar panels nicknamed "dragonscales" for their layout and shimmer. By scaling the tiles, Google said the design minimises damage from wind, rain and snow, and the sloped pavilion-like roof improves solar capture by adding additional curves in the roof. 

    Continue reading
  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading
  • Google assuring open-source code to secure software supply chains
    Java and Python packages are the first on the list

    Google has a plan — and a new product plus a partnership with developer-focused security shop Snyk — that attempts to make it easier for enterprises to secure their open source software dependencies.

    The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We're told it will initially focus on some Java and Python packages that Google's own developers prioritize in their workflows. 

    These two programming languages have "particularly high-risk profiles," Google Cloud Cloud VP and GM Sunil Potti said in response to The Register's questions. "Remember Log4j?" Yes, quite vividly.

    Continue reading
  • Rocket Lab is taking NASA's CAPSTONE to the Moon
    Mission to lunar orbit is further than any Photon satellite bus has gone before

    Rocket Lab has taken delivery of NASA's CAPSTONE spacecraft at its New Zealand launch pad ahead of a mission to the Moon.

    It's been quite a journey for CAPSTONE [Cislunar Autonomous Positioning System Technology Operations and Navigation Experiment], which was originally supposed to launch from Rocket Lab's US launchpad at Wallops Island in Virginia.

    The pad, Launch Complex 2, has been completed for a while now. However, delays in certifying Rocket Lab's Autonomous Flight Termination System (AFTS) pushed the move to Launch Complex 1 in Mahia, New Zealand.

    Continue reading
  • Alibaba Cloud adds third datacenter in Germany
    More Euro-presence than any other Chinese company, but still nowhere near Google or AWS

    Alibaba has pulled ahead of its Chinese rivals in Europe with the opening of a third datacenter in Germany.

    The company said the Frankfurt datacenter serves cloud computing products to Europe and "adheres to the highest security standards and the strict compliance regulations set out in the Cloud Computing Compliance Controls Catalog (C5) in Germany."

    The addition brings Alibaba Cloud to a network of 84 availability zones in 27 regions worldwide. The company's first European cloud center arrived in Frankfurt in 2016.

    Continue reading

Biting the hand that feeds IT © 1998–2022