<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: elevation]]></title>
    <link>http://www.securityratty.com/tag/elevation</link>
    <description></description>
    <pubDate>Fri, 18 Apr 2008 09:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[6 Months And Counting For Microsoft On CVE-2008-1436]]></title>
      <link>http://www.securityratty.com/article/630af6ad6042b9974b3ce04fba8e2039</link>
      <guid>http://www.securityratty.com/article/630af6ad6042b9974b3ce04fba8e2039</guid>
      <description><![CDATA[In April of this year Microsoft issued what seemed to be a rather serious security advisory: Vulnerability in Windows Could Allow Elevation of Privilege (951306) . Microsoft never provides gory...]]></description>
      <content:encoded><![CDATA[In April of this year Microsoft issued what seemed to be <a href="http://www.microsoft.com/technet/security/advisory/951306.mspx">a rather serious security advisory: Vulnerability in Windows Could Allow Elevation of Privilege (951306)</a>.

Microsoft never provides gory details to vulnerabilities even after they've been patched, but by following <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1436">the CVE entry from it</a> you can get links to sites like <a href="http://xforce.iss.net/xforce/xfdb/41880">IBM's ISS</a> which are willing to say more, or even to get <a href="http://www.securityfocus.com/data/vulnerabilities/exploits/28833.zip">proof-of-concept exploit code from SecurityFocus</a>. The vulnerability allows authenticated attackers potentially to elevate privileges to LocalSystem.

Here we are, 6 months later, and Microsoft still has not patched this vulnerability. What's up with that? "Dustin" from the Microsoft Security Response Center <a href="http://blogs.technet.com/msrc/archive/2008/10/13/questions-about-microsoft-security-advisory-951306.aspx">recently addressed the question in a blog on Technet</a>, following an update to the advisory to note the availability of the proof-of-concept code.

It's worth noting that this vulnerability isn't really near the top of the scare list. Most of those 3rd parties you see linked on the CVE page rank it down a few notches. Even the usually hyperbolic Secunia calls it "Less Critical" (2 out of 5, 1 step up from "Not Critical"). Furthermore, back in April Microsoft provided workarounds which it says are effective against the proof-of-concept, at the cost of some administrative burden. They also say that they are unaware of any real-world attacks on this vector. You can find more details from Microsoft on the bug <a href="http://blogs.iis.net/nazim/archive/2008/10/14/token-kidnapping-in-windows.aspx">in Nazim's IIS Security Blog</a> and <a href="http://blogs.technet.com/swi/archive/2008/10/13/service-isolation-explanation.aspx">the Security Vulnerability Research & Defense blog</a>.

Still, 6 months! What Dustin said was "...we began our investigation and immediately realized it would not be trivial to address this issue without introducing new risks." They're still testing and developing a fix. 6 months later. It would seem that the obvious fixes all cause some serious problem, perhaps breaking 3rd party code.

Is this inherently unreasonable? It's getting there. The list of affected software includes most of the important versions of Windows. It may be that some of the time this has taken has gone to working with my speculative 3rd parties to update their own software, so that the fix won't have the same impact.

But let's not forget that this is not an easily exploitable bug. It's not wormable in any way and by the time it's invoked other serious breaches of security have to have happened. So I guess it's worth it for Microsoft to take their time doing it right.
]]></content:encoded>
      <pubDate>Thu, 16 Oct 2008 11:24:58 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://www.securityratty.com/tag/defense blog">defense blog</category>
      <category domain="http://www.securityratty.com/tag/blog">blog</category>
      <category domain="http://www.securityratty.com/tag/iis security blog">iis security blog</category>
      <category domain="http://www.securityratty.com/tag/security">security</category>
      <category domain="http://www.securityratty.com/tag/security vulnerability research">security vulnerability research</category>
      <category domain="http://www.securityratty.com/tag/april microsoft">april microsoft</category>
      <category domain="http://www.securityratty.com/tag/april">april</category>
      <category domain="http://www.securityratty.com/tag/vulnerability">vulnerability</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/YD0XPCfBCKk/6_months_and_counting_for_microsoft_on_cve20081436.html">6 Months And Counting For Microsoft On CVE-2008-1436</source>
    </item>
    <item>
      <title><![CDATA[Malware Uses GDI Local Elevation Of Privilege Vulnerability To Install Untraceable Rootkit]]></title>
      <link>http://www.securityratty.com/article/d74e545fb09b155ee87d48f1387e9bf5</link>
      <guid>http://www.securityratty.com/article/d74e545fb09b155ee87d48f1387e9bf5</guid>
      <description><![CDATA[Security researchers from F-Secure have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date. The AutoRun-NOX worm extends the standard VXer trick of...]]></description>
      <content:encoded><![CDATA[Security researchers from F-Secure have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date. The AutoRun-NOX worm extends the standard VXer trick of using software vulnerabilities to infect systems, by including functionality that allows the worm to exploit Windows security bugs to hook into parts of the Windows [...]]]></content:encoded>
      <pubDate>Tue, 30 Sep 2008 18:46:47 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/windows rootkit software">windows rootkit software</category>
      <category domain="http://www.securityratty.com/tag/windows">windows</category>
      <category domain="http://www.securityratty.com/tag/autorun-nox worm extends">autorun-nox worm extends</category>
      <category domain="http://www.securityratty.com/tag/worm">worm</category>
      <category domain="http://www.securityratty.com/tag/standard vxer trick">standard vxer trick</category>
      <category domain="http://www.securityratty.com/tag/software vulnerabilities">software vulnerabilities</category>
      <category domain="http://www.securityratty.com/tag/infect systems">infect systems</category>
      <category domain="http://www.securityratty.com/tag/security researchers">security researchers</category>
      <category domain="http://www.securityratty.com/tag/hook">hook</category>
      <source url="http://cyberinsecure.com/malware-uses-gdi-local-elevation-of-privilege-vulnerability-to-install-untraceable-rootkit/">Malware Uses GDI Local Elevation Of Privilege Vulnerability To Install Untraceable Rootkit</source>
    </item>
    <item>
      <title><![CDATA[Apple Finally Patches DNS Bug]]></title>
      <link>http://www.securityratty.com/article/97bfbbeabb93754b8d92bca89e191539</link>
      <guid>http://www.securityratty.com/article/97bfbbeabb93754b8d92bca89e191539</guid>
      <description><![CDATA[After taking guff in the press for a while for their lack of a patch for the famous recent DNS bug, Apple has finally issued a patch. The update it comes in also patches 16 other vulnerabilities
Open...]]></description>
      <content:encoded><![CDATA[<a href="http://db.tidbits.com/article/9706">After taking guff in the press for a while</a> for their lack of a patch for the famous recent DNS bug, Apple has finally issued a patch. <a href="http://support.apple.com/kb/HT2647">The update it comes in also patches 16 other vulnerabilities.</a>

<ul>
	<li>Open Scripting Architecture&#8212;Privilege elevation bug when loading plugins.</li>
	<li>CarbonCore&#8212;A stack overflow in handling long file names. Potential code execution.</li>
	<li>CoreGraphics&#8212;2 bugs, both code execution, one for malicious graphics the other for malicious PDFs.</li>
	<li>Data Detectors Engine&#8212;Engine may crash when parsing maliciously crafted content.</li>
	<li>Disk Utility&#8212;A local user may obtain System privileges.</li>
	<li>OpenLDAP&#8212;An ASN parsing bug can lead to a crash.</li>
	<li>OpenSSL&#8212;A range checking error from last September (Red Hat patched it in 2 weeks) can lead to remote code execution.</li>
	<li>PHP&#8212;5 different bugs, the worst of which can lead to remote code execution.</li>
	<li>QuickLook&#8212;A maliciously-crafted Microsoft Office file can cause QuickLook to crash or allow remote code execution.</li>
	<li>rsync&#8212;Path validation errors, which were also reported in 2007, are resolved.</li>
</ul>]]></content:encoded>
      <pubDate>Thu, 31 Jul 2008 19:12:34 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/code execution">code execution</category>
      <category domain="http://www.securityratty.com/tag/remote code execution">remote code execution</category>
      <category domain="http://www.securityratty.com/tag/bug">bug</category>
      <category domain="http://www.securityratty.com/tag/potential code execution">potential code execution</category>
      <category domain="http://www.securityratty.com/tag/lead">lead</category>
      <category domain="http://www.securityratty.com/tag/data detectors engineengine">data detectors engineengine</category>
      <category domain="http://www.securityratty.com/tag/bugs">bugs</category>
      <category domain="http://www.securityratty.com/tag/microsoft office file">microsoft office file</category>
      <category domain="http://www.securityratty.com/tag/elevation bug">elevation bug</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/352198240/apple_finally_patches_dns_bug.html">Apple Finally Patches DNS Bug</source>
    </item>
    <item>
      <title><![CDATA[Apple Finally Patches DNS Bug]]></title>
      <link>http://www.securityratty.com/article/dd4b7bad7cc598605249c8e7e27d4031</link>
      <guid>http://www.securityratty.com/article/dd4b7bad7cc598605249c8e7e27d4031</guid>
      <description><![CDATA[After taking guff in the press for a while for its lack of a patch for the famous recent DNS bug, Apple has finally issued a patch. The update it comes in also patches 16 other vulnerabilities
Open...]]></description>
      <content:encoded><![CDATA[<a href="http://db.tidbits.com/article/9706">After taking guff in the press for a while</a> for its lack of a patch for the famous recent DNS bug, Apple has finally issued a patch. <a href="http://support.apple.com/kb/HT2647">The update it comes in also patches 16 other vulnerabilities:</a>

<ul>
	<li>Open Scripting Architecture&#8212;Privilege elevation bug when loading plug-ins.</li>
	<li>CarbonCore&#8212;A stack overflow in handling long file names. Potential code execution.</li>
	<li>CoreGraphics&#8212;Two bugs, both code execution, one for malicious graphics, the other for malicious PDFs.</li>
	<li>Data Detectors Engine&#8212;Engine may crash when parsing maliciously crafted content.</li>
	<li>Disk Utility&#8212;A local user may obtain System privileges.</li>
	<li>OpenLDAP&#8212;An ASN parsing bug can lead to a crash.</li>
	<li>OpenSSL&#8212;A range checking error from last September (Red Hat patched it in two weeks) can lead to remote code execution.</li>
	<li>PHP&#8212;Five different bugs, the worst of which can lead to remote code execution.</li>
	<li>QuickLook&#8212;A maliciously crafted Microsoft Office file can cause QuickLook to crash or allow remote code execution.</li>
	<li>rsync&#8212;Path validation errors, which were also reported in 2007, are resolved.</li>
</ul>]]></content:encoded>
      <pubDate>Thu, 31 Jul 2008 19:12:34 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/code execution">code execution</category>
      <category domain="http://www.securityratty.com/tag/remote code execution">remote code execution</category>
      <category domain="http://www.securityratty.com/tag/bug">bug</category>
      <category domain="http://www.securityratty.com/tag/potential code execution">potential code execution</category>
      <category domain="http://www.securityratty.com/tag/quicklooka maliciously">quicklooka maliciously</category>
      <category domain="http://www.securityratty.com/tag/lead">lead</category>
      <category domain="http://www.securityratty.com/tag/data detectors engineengine">data detectors engineengine</category>
      <category domain="http://www.securityratty.com/tag/coregraphicstwo bugs">coregraphicstwo bugs</category>
      <category domain="http://www.securityratty.com/tag/bugs">bugs</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/gi6Qi_HP0Y8/apple_finally_patches_dns_bug.html">Apple Finally Patches DNS Bug</source>
    </item>
    <item>
      <title><![CDATA[SSO Summit Day One Morning Session]]></title>
      <link>http://www.securityratty.com/article/500327e2eca382c04451c330dcc1e875</link>
      <guid>http://www.securityratty.com/article/500327e2eca382c04451c330dcc1e875</guid>
      <description><![CDATA[I am at the SSO Summit , high in the Colorado mountains (9200 feet elevation to be exact), the I-70 West sign is one of my favorite road signs. Ping Identity has done a great job putting this...]]></description>
      <content:encoded><![CDATA[<div>I am at the <a href="http://www.ssosummit.com/">SSO Summit</a>, high in the Colorado mountains (9200 feet elevation to be exact), the I-70 West sign is one of my favorite road signs. <a href="http://www.pingidentity.com/">Ping Identity</a> has done a great job putting this together. It is the perfect size around 125 people. Most of the best conferences I have been to have been around 60-150 people. There are a *lot* of enterprises involved here. </div><br><div>John Haggard who has an extensive background in SSO and lately is at Passfaces kicked off the sessions with a SSO history talk. Going through a lot of mainframe centric SSO protocols from the 80s and 90s, I am no expert in these areas and it was fascinating to see the way things vacillated between strength and weakness of SSO protocols.</div><br><div>A couple of points from the presentation:</div><br><div><blockquote><p>The history of SSO is a story of extreme complexities, compromises, vulnerabilities and unintended consequences.</p></blockquote></div><div><blockquote><br></blockquote></div><div><blockquote><p>SSO is a story of one simple objective - to spin off units of computation work to execute on behalf of an authenticated user without requiring the original user's password.</p></blockquote></div><div><blockquote><br></blockquote></div><div><blockquote><p>Phishing has always been completely avoidable</p></blockquote></div><br><div>He went through the various incarnations of mainframe SSO from logon id through things like ACF2, VTAM Session managers, terminal emulators, multiplatform access to web access through facades. The implications he drew from this last step are well worth repeating: "Time to rethink everything." Problem is - of course, people don't rethink, they put MQ Series in front of the mainframe and hook a web app in front of that and go. </div><br><div>Finally, he connected some interesting dots to SAML and SOA security issues. 
</div><br><div><blockquote><p>SSO without strong auth is and always will be simply nuts</p></blockquote></div><div><blockquote><br></blockquote></div><div><blockquote><p>SAML gets it right</p></blockquote></div><div>His points around common weaknesses in integration in SOA and Web 2.0 technologies for companies that are *not* using SAML were excellent. Of course, I will go into some more details on this tomorrow.</div><br><div>Ping's CTO Patrick Harding took the stage and gave an overview of the next generation of SSO options from Kerberos to present and as is his wont demonstrated various real world strengths and weaknesses, quoted a Gartner analyst (shock!) saying OpenID is the hare and Cardspace is the tortoise. Nice.</div><br><div>Andrew Cameron from GM is speaking now on GM's experiences implementing SSO, and there are a lot of real world lessons learned in his presentation.  Plus my favorite identity architecture, user has Kerberos, services speak SAML. Very nice, very scalable. All in all, it's my starting point for how to identity in an enterprise. He also spoke about a pet peeve of mine - how to globalize authorization. This is not a problem that vendors have historically attacked with relish. They are very happy to help you solve authentication, but they are perfectly happy to keep their authorization internal either for vendor lock in reasons and/or for sloppy authorization design. This will take a Liberty-esque consortium of enterprises to resolve. </div><br><div>So many conferences are dominated by vendors and consultants who conspire to what I call the "sacred church of things YOU should be doing." Instead this conference is bringing together a great mix of real world in the trenches practitioners who have problems to solve today, with rubber meets the road deployable solutions and an eye towards longer term strategy for SSO and identity.</div>]]></content:encoded>
      <pubDate>Thu, 24 Jul 2008 09:35:02 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/sso">sso</category>
      <category domain="http://www.securityratty.com/tag/sso history talk">sso history talk</category>
      <category domain="http://www.securityratty.com/tag/sso summit">sso summit</category>
      <category domain="http://www.securityratty.com/tag/mainframe sso">mainframe sso</category>
      <category domain="http://www.securityratty.com/tag/sso options">sso options</category>
      <category domain="http://www.securityratty.com/tag/sso protocols">sso protocols</category>
      <category domain="http://www.securityratty.com/tag/real world">real world</category>
      <category domain="http://www.securityratty.com/tag/real world lessons">real world lessons</category>
      <category domain="http://www.securityratty.com/tag/authorization internal">authorization internal</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/07/sso-summit-day-one-morning-session.html">SSO Summit Day One Morning Session</source>
    </item>
    <item>
      <title><![CDATA[Arnon Rotem-Gal-Oz on SOA Security]]></title>
      <link>http://www.securityratty.com/article/75344fddc00a8df3f17a15b008ddae69</link>
      <guid>http://www.securityratty.com/article/75344fddc00a8df3f17a15b008ddae69</guid>
      <description><![CDATA[Arnon cites his paper which builds on Deutsch, Gosling and Joy's famous Fallacies of Distributed Computing, specifically Fallacy #4 &quot;the network is secure&quot; These are common mistakes people make when...]]></description>
      <content:encoded><![CDATA[<p>Arnon cites his paper which builds on Deutsch, Gosling and Joy's famous Fallacies of Distributed Computing, specifically Fallacy #4 "the network is secure." These are common mistakes people make when building distributed apps. Arnon <a href="http://www.rgoarchitects.com/nblog/2008/07/12/SOASecurityReminder.aspx">blogged</a> this:</p><br><div><span style="line-height: normal; "><blockquote><p> In my opinion, assuming the network is secure for an SOA is not only naïve but negligence pure and simple. The whole premise of moving an organization to SOA is connectedness and integration. So, unless your SOA will fail it will be connected to other systems. Whether you are building RESTful systems, WS-* SOAs, EDAs or any combination of these architectural styles, if you won’t treat the services boundary as a border and secure it – you will be sorry…</p><p>Security in SOA should be considered at the "grand-scheme" level with issues like authentication, authorization but also at the single service level, looking at issues like DDOS, SQL injection, elevation of privilege and what not. A trivial thing like exposing a transaction beyond service boundaries can translate to an attacker denying services in your system simply by locking out your database. Again, this is just a simple example.</p><p>The other thing about Security is that you have to consider it early. Patching security "later on" can have devastating effects on a system's capabilities esp. in areas related to performance. I have seen even military systems that had to go through serious rework, just because Security was added as an afterthought instead of handled early on.</p></blockquote>This is a great way to think about the problem, and as Arnon says it's not just an issue with SOA security, it's </span>a pervasive issue. 
If you think REST+SSL is a security architecture then you should consider what threats you are choosing *not* to deal with.</div><br><div>Also, Arnon articulated what I call the gateway vulnerability problem. SOA, Web services, REST et al are fundamentally gateway, interoperability focused technologies. And they are for the most part, great at providing simplified access to back end systems. The problem is that your mainframe, ERP, CRM, et al were never designed for anything remotely resembling an Internet threat model. So you just provided a gateway to a system that from a security standpoint is underpowered. The gateway is not the problem but what lies behind it.</div><br><div>In school they called marijuana a gateway drug because it led to heroin usage, in web services security if you put a Web service in front of your back end creating a vulnerable gateway to that which runs your business then your sys admin may wind up doing heroin.</div>]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 09:40:01 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/soa">soa</category>
      <category domain="http://www.securityratty.com/tag/soa security">soa security</category>
      <category domain="http://www.securityratty.com/tag/security">security</category>
      <category domain="http://www.securityratty.com/tag/services">services</category>
      <category domain="http://www.securityratty.com/tag/web services security">web services security</category>
      <category domain="http://www.securityratty.com/tag/web services">web services</category>
      <category domain="http://www.securityratty.com/tag/security standpoint">security standpoint</category>
      <category domain="http://www.securityratty.com/tag/arnon">arnon</category>
      <category domain="http://www.securityratty.com/tag/gateway">gateway</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/07/arnon-rotem-gal-oz-on-soa-security.html">Arnon Rotem-Gal-Oz on SOA Security</source>
    </item>
    <item>
      <title><![CDATA[Windows Admin Goodies From Microsoft]]></title>
      <link>http://www.securityratty.com/article/8b99cbff598abd26fee789464d831e4b</link>
      <guid>http://www.securityratty.com/article/8b99cbff598abd26fee789464d831e4b</guid>
      <description><![CDATA[Microsoft has released a couple of handy items for Windows administrators. Neither are really big deals, but conveniences. We all use Microsoft's Sysinternals tools, written by Mark Russinovich and...]]></description>
      <content:encoded><![CDATA[Microsoft has released a couple of handy items for Windows administrators. Neither are really big deals, but conveniences.

We all use Microsoft's Sysinternals tools, written by Mark Russinovich and Bryce Cogswell, but it's been a minor pain keeping up with all the updates they put out and installing them. Now, if you don't want to, you don't have to bother: You can get the tools live off the web and run them directly rather than going through the obfuscatory Microsoft Download Center and then having to unzip a file or run an installer.

Go to the <a href="http://live.sysinternals.com/">Sysinternals Live</a> web page. You'll see a directory listing of the current files in the Sysinternals set. For instance, the current version of Process Explorer is <a href="http://live.sysinternals.com/procexp.exe">http://live.sysinternals.com/procexp.exe</a>. In IE you can choose to run directly from the browser, but you can also create shortcuts on the desktop or in the Start Menu system to these files, and every time you run that shortcut you'll be running the current version. You do need to go through some confirmations, agreeing to the license, etc.

The second trick is the <a href="http://technet.microsoft.com/en-us/magazine/cc510320.aspx">Elevation PowerToys for Windows Vista</a>. These expand the Windows RunAs functionality to some popular 3rd party admin tools, like <a href="http://www.kixtart.org/">KiXtart</a> and <a href="http://www.activestate.com/">ActivePerl</a>. Some examples combine it with the Elevate power tool to allow you to do RunAs for programs, like the MMC, which are often resistant to RunAs. There is also a PowerToy for running a CMD shell or PowerShell as the SYSTEM account.<br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Mon, 02 Jun 2008 14:03:05 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/sysinternals set">sysinternals set</category>
      <category domain="http://www.securityratty.com/tag/windows runas functionality">windows runas functionality</category>
      <category domain="http://www.securityratty.com/tag/runas">runas</category>
      <category domain="http://www.securityratty.com/tag/sysinternals">sysinternals</category>
      <category domain="http://www.securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://www.securityratty.com/tag/current version">current version</category>
      <category domain="http://www.securityratty.com/tag/files">files</category>
      <category domain="http://www.securityratty.com/tag/current files">current files</category>
      <category domain="http://www.securityratty.com/tag/sysinternals tools">sysinternals tools</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/303267596/windows_admin_goodies_from_microsoft.html">Windows Admin Goodies From Microsoft</source>
    </item>
    <item>
      <title><![CDATA[Windows Admin Goodies from Microsoft]]></title>
      <link>http://www.securityratty.com/article/fb03a5be7a319bcb264ae433443bee91</link>
      <guid>http://www.securityratty.com/article/fb03a5be7a319bcb264ae433443bee91</guid>
      <description><![CDATA[Microsoft has released a couple of handy items for Windows administrators. Neither are really big deals, but conveniences. We all use Microsoft's Sysinternals tools, written by Mark Russinovich and...]]></description>
      <content:encoded><![CDATA[Microsoft has released a couple of handy items for Windows administrators. Neither are really big deals, but conveniences.

We all use Microsoft's Sysinternals tools, written by Mark Russinovich and Bryce Cogswell, but it's been a minor pain keeping up with and installing all the updates they put out. Now, if you don't want to, you don't have to bother: You can get the tools live off the Web and run them directly rather than going through the obfuscatory Microsoft Download Center and then having to unzip a file or run an installer.

Go to the <a href="http://live.sysinternals.com/">Sysinternals Live</a> Web page. You'll see a directory listing of the current files in the Sysinternals set. For instance, the current version of Process Explorer is <a href="http://live.sysinternals.com/procexp.exe">http://live.sysinternals.com/procexp.exe</a>. In IE you can choose to run directly from the browser, but you can also create shortcuts on the desktop or in the Start Menu system to these files, and every time you run that shortcut you'll be running the current version. You do need to go through some confirmations, agreeing to the license, etc.

The second trick is the <a href="http://technet.microsoft.com/en-us/magazine/cc510320.aspx">Elevation PowerToys for Windows Vista</a>. These expand the Windows RunAs functionality to some popular third-party admin tools, like <a href="http://www.kixtart.org/">KiXtart</a> and <a href="http://www.activestate.com/">ActivePerl</a>. Some examples combine it with the Elevate power tool to allow you to do RunAs for programs, like the MMC, which are often resistant to RunAs. There is also a PowerToy for running a CMD shell or PowerShell as the SYSTEM account.
]]></content:encoded>
      <pubDate>Mon, 02 Jun 2008 14:03:05 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/sysinternals set">sysinternals set</category>
      <category domain="http://www.securityratty.com/tag/windows runas functionality">windows runas functionality</category>
      <category domain="http://www.securityratty.com/tag/runas">runas</category>
      <category domain="http://www.securityratty.com/tag/sysinternals">sysinternals</category>
      <category domain="http://www.securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://www.securityratty.com/tag/current version">current version</category>
      <category domain="http://www.securityratty.com/tag/files">files</category>
      <category domain="http://www.securityratty.com/tag/current files">current files</category>
      <category domain="http://www.securityratty.com/tag/sysinternals tools">sysinternals tools</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/338277696/windows_admin_goodies_from_microsoft.html">Windows Admin Goodies from Microsoft</source>
    </item>
    <item>
      <title><![CDATA[More on Fallacy #4]]></title>
      <link>http://www.securityratty.com/article/c29a8d891b201348a29d7b764832602f</link>
      <guid>http://www.securityratty.com/article/c29a8d891b201348a29d7b764832602f</guid>
      <description><![CDATA[Steve Jones on Rest and Distributed Computing Fallacies One of the objections I've had about REST for a while is that it appears to ignore Deutsch's fallacies of network computing
1. The network is...]]></description>
      <content:encoded><![CDATA[<p><a href="http://service-architecture.blogspot.com/2008/05/rest-on-mars-scaling-problem-to-make.html">Steve Jones</a> on Rest and Distributed Computing Fallacies</p>

<blockquote>One of the objections I've had about REST for a while is that it appears to ignore <a href="http://en.wikipedia.org/wiki/Fallacies_of_Distributed_Computing">Deutsch's fallacies of network computing</a>

<p>1. The network is reliable.</p>

<p>2. Latency is zero.</p>

<p>3. Bandwidth is infinite.</p>

<p>4. The network is secure.</p>

<p>5. Topology doesn't change.</p>

<p>6. There is one administrator.</p>

<p>7. Transport cost is zero.</p>

<p>8. The network is homogeneous.</p>

<p>Now REST specifies 8, assumes 1, 2 and 3 and takes 4 to mean HTTP/S with Basic Authentication. Now to be clear I've seen people doing Web Services who believe in pretty much all 8 of these fallacies and they create crap systems. But with things like WS-RM and WS-Security at least there are answers to a few elements.</p>
</blockquote>

<p>That basic auth is <a href="http://seclists.org/webappsec/2006/q2/0181.html">bypassable</a> has been known for some time, thanks to Amit Klein. It would be nice to see Restafarians move the conversation towards better security models like SAML and WS-Security. The current state for REST is both disappointing and weak. The response side is pretty solvable using XML Signature and XML Encryption to sign and encrypt the responses (of course, someone will need to tell the "you just leverage the existing infrastructure types" that we'll need to be deploying keys and certs to all the endpoints, but at least the primitives are there on the response side); the request side remains problematic.</p>

<p>More on the <a href="http://www.rgoarchitects.com/Files/fallacies.pdf">Fallacies</a> by <a href="http://www.rgoarchitects.com/nblog/default.aspx">Arnon Rotem-Gal-Oz</a>, who, incidentally, if you are interested in building a secure service, has an interesting <a href="http://www.infoq.com/articles/service-firewall">Service Firewall pattern</a>, which I refer to as a TIDE firewall - dealing with Tampering, Information Disclosure, Denial of Service, and Elevation of Privilege threats at the edge. I understand why Arnon left Spoofing off his list, but would like to see him add audit logging to deal with Dispute.</p>]]></content:encoded>
      <pubDate>Fri, 16 May 2008 09:04:06 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/secure service">secure service</category>
      <category domain="http://www.securityratty.com/tag/service">service</category>
      <category domain="http://www.securityratty.com/tag/rest">rest</category>
      <category domain="http://www.securityratty.com/tag/rest specifies">rest specifies</category>
      <category domain="http://www.securityratty.com/tag/service firewall pattern">service firewall pattern</category>
      <category domain="http://www.securityratty.com/tag/network">network</category>
      <category domain="http://www.securityratty.com/tag/fallacies">fallacies</category>
      <category domain="http://www.securityratty.com/tag/secure">secure</category>
      <category domain="http://www.securityratty.com/tag/pretty solveable">pretty solveable</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/05/more-on-fallacy.html">More on Fallacy #4</source>
    </item>
    <item>
      <title><![CDATA[Microsoft rings alarm on Windows rights bug]]></title>
      <link>http://www.securityratty.com/article/2e5fe41082dd30091e902b32c1da76a3</link>
      <guid>http://www.securityratty.com/article/2e5fe41082dd30091e902b32c1da76a3</guid>
      <description><![CDATA[Microsoft is warning users of an &quot;elevation of privilege&quot; flaw in most versions of Windows, but did not say whether it would release a patch for the problem, or when it would do so if it does come up...]]></description>
      <content:encoded><![CDATA[Microsoft is warning users of an "elevation of privilege" flaw in most versions of Windows, but did not say whether it would release a patch for the problem, or when it would do so if it does come up with a fix.
]]></content:encoded>
      <pubDate>Fri, 18 Apr 2008 09:00:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/windows">windows</category>
      <category domain="http://www.securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://www.securityratty.com/tag/fix">fix</category>
      <category domain="http://www.securityratty.com/tag/elevation">elevation</category>
      <category domain="http://www.securityratty.com/tag/release">release</category>
      <category domain="http://www.securityratty.com/tag/users">users</category>
      <category domain="http://www.securityratty.com/tag/flaw">flaw</category>
      <category domain="http://www.securityratty.com/tag/versions">versions</category>
      <category domain="http://www.securityratty.com/tag/privilege">privilege</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/273094741/article.do">Microsoft rings alarm on Windows rights bug</source>
    </item>
  </channel>
</rss>
