OT Operating System Design WAS RE: [thelist] RE: blaster worm punishment

Keith Gaughan keith at digital-crew.com
Thu Feb 3 06:50:11 CST 2005 

Ken Schaefer wrote:

> : -----Original Message-----
> : From: thelist-bounces at lists.evolt.org
> [mailto:thelist-bounces at lists.evolt.org] On
> : Behalf Of Keith Gaughan
> : Subject: Re: OT Operating System Design WAS RE: [thelist] RE: blaster worm
> : punishment
> : 
> : > What exactly is "shoddy" about the design of the OS itself?
> : 
> : Amongst other things, I'll just mention my two joint pet hates: the
> : LocalSystem user, aka "uber-root", the WM_TIMER message. I'll say no
> : more 'cause Google is your friend.
> 
> Ah, a post that has just enough technical terms to be beyond a rant, but
> vague enough that the poster can not be pinned down to the details of the
> shoddiness that they purport to be showing us. :-)

Aw, it's not that bad! And you proved it because you correctly
identified the attack I was thinking of as the shatter attack.

> Googling for either of those two, plus your name, doesn't return any hits,

Why'd you google for my name with it?

> Now, you could be referring to a security vulnerability that was patched back
> in 2002.

Oh, no it wasn't. MS put out a press release saying that it wasn't an
issue seeing as you'd need at least guest access to the machine to do
it. They never actually did anything about it.

My point is that a trojan could still use this to elevate its
privileges. Or, for that matter, a regular restricted user. All it takes
is access to the machine and one bad app.

> This vulnerability was the basis for so-called "shatter" attacks. An
> attacker with local privileges could elevate those privileges *if* they
> could, using WM_Timer messages, somehow send commands to a more privileged
> program or service that happened to interact with the desktop. Application
> layer software firewalls were a favourite target, because they failed to draw
> desktop windows using the current user's credentials, but did so rather with
> LocalSystem credentials (they typically installed themselves as services
> running in that context). As mentioned, that was patched in 2002 (MS02-071).

A patch that only applied to MS's own services. The underlying flaw
still exists.

> I'm not sure that shows "shoddy" OS design. When WM_Timer was added to the
> Win32 API in the Windows NT 3.1 days (according to MSDN), no one probably
> foresaw programs like software firewalls running in privileged mode and (for
> reasons best known to the developers of such firewalls) that those programs
> would draw windows on the desktop using LocalSystem as well.

The shoddy design is that WM_TIMER requires the address of a callback
function rather than a timer reference id. Dispatching to a callback
function in response *should*, in a properly designed system, be done
inside the application. It was a quick and lazy way of implementing it.

K.

More information about the thelist mailing list