Coffeehouse Thread

184 posts


UAC controversy - the last episode!

  • Sven Groot

    longzheng said:
    CKurt said:
    *snip*

    The application that does the code injection does not ever need to show a UAC prompt. It does not need to be installed, nor does it need to be elevated to run the code injection.

    Furthermore, this risk is increased even more if you take into account remote code vulnerabilities in other unelevated applications. (Not low-privileged applications like IE though)

    That's the crux of the argument, in my opinion. My primary argument in favour of UAC that I've always used is that if there's a remote code execution vulnerability in e.g. Outlook, any exploit code cannot exceed Outlook's privilege level, it cannot elevate without the user's consent. Now, with Windows 7's default settings, it can.

    I do not understand why MS is pretending this isn't a bad thing.

  • Charles

    longzheng said:
    Charles said:
    *snip*

    Charles, security boundaries and security features aside, do you agree with this definition of a vulnerability from Wikipedia?

    "vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system"

    If so, would you consider this application of code-injection scenario in Windows 7 a vulnerability?

    If not, how would you define vulnerabilities?

    Well, my position is simple. YOU are in control of what is allowed to execute on your system. If you choose to run arbitrary unsigned binaries, that's your decision. On Windows 7, you run as standard user by default. How many attacks have there been that exploit the UAC vulnerability you are touting? I've yet to hear about a single instance. If UAC is so flawed, then why haven't hackers used it as an attack vector? Win 7 UAC has been in the wild for quite some time to date. Lots and lots of folks are running Win7 RC. Can you elaborate on the vulnerability?

    C

  • longzheng

    Charles said:
    longzheng said:
    *snip*

    Well, my position is simple. YOU are in control of what is allowed to execute on your system. If you choose to run arbitrary unsigned binaries, that's your decision. On Windows 7, you run as standard user by default. How many attacks have there been that exploit the UAC vulnerability you are touting? I've yet to hear about a single instance. If UAC is so flawed, then why haven't hackers used it as an attack vector? Win 7 UAC has been in the wild for quite some time to date. Lots and lots of folks are running Win7 RC. Can you elaborate on the vulnerability?

    C

    Well I would assume developers/hackers haven't taken advantage of it yet because Windows 7 isn't a feasible target yet, there are relatively few users and they're rather technical - an unfavourable target. Because this only works on 7, it would be wise to wait after 7 is adopted in the mass market.

    Whilst the most obvious method this vulnerability can be exploited is via a (unsigned) binary that a user executes, there is no restriction on it being implemented in just malware. Besides the remote code execution I mentioned above, legitimate applications too can take advantage of this vulnerability to silently elevate themselves, without malicious intent.

    One developer has already said in public that they will be taking advantage of this vulnerability to make their application silently elevate.

    "As a software developer I wouldn’t think twice of taking advantage of this vulnerability to save my users from having to go through the UAC prompt. You’re absolutely right about competitive advantage."
    http://www.istartedsomething.com/20090611/uac-in-windows-7-still-broken-microsoft-wont-fix-code-injection-vulnerability/#comment-75629

    I'm not technical enough to explain how the exploit works in its entirety, but I've personally tested the proof of concept and it works as described. If you're concerned about the validity of his claims, keep an eye out for the source code.

  • Sven Groot

    longzheng said:
    Charles said:
    *snip*

    Well I would assume developers/hackers haven't taken advantage of it yet because Windows 7 isn't a feasible target yet, there are relatively few users and they're rather technical - an unfavourable target. Because this only works on 7, it would be wise to wait after 7 is adopted in the mass market.

    Whilst the most obvious method this vulnerability can be exploited is via a (unsigned) binary that a user executes, there is no restriction on it being implemented in just malware. Besides the remote code execution I mentioned above, legitimate applications too can take advantage of this vulnerability to silently elevate themselves, without malicious intent.

    One developer has already said in public that they will be taking advantage of this vulnerability to make their application silently elevate.

    "As a software developer I wouldn’t think twice of taking advantage of this vulnerability to save my users from having to go through the UAC prompt. You’re absolutely right about competitive advantage."
    http://www.istartedsomething.com/20090611/uac-in-windows-7-still-broken-microsoft-wont-fix-code-injection-vulnerability/#comment-75629

    I'm not technical enough to explain how the exploit works in its entirety, but I've personally tested the proof of concept and it works as described. If you're concerned about the validity of his claims, keep an eye out for the source code.

    See my argument about remote code execution vulnerabilities. I don't decide to run the code that comes in through an exploit, yet with Win 7's UAC it can silently elevate.

    As for there having been no attacks yet, that's a stupid argument. It advocates a purely reactionary approach to security, which is the exact opposite of "secure by default". In addition, 7's market penetration is still too low to make it a large target for attacks, and because it is still pre-release software, most people who are running it are technically proficient and therefore not likely to be prone to common attack strategies.

  • ManipUni

    Maybe Microsoft should just turn UAC off entirely if this is their position. Based on what they're saying it doesn't really do a great deal of anything at its default, least of all offer any protection for users. Either turn it up or turn it off. Anything else is just a waste of everyone's time.

    There are several bugs in the current UAC design default but the main issue is that bypass can be automated. While today you can inject and bypass, you have to guess what the user will elevate or trick the user into elevating your choice of process, and that adds complexity (and crashes?). With the new UAC you can entirely automate and verify the escalation of your process. Just launch a copy of calculator, inject, escalate, close calculator. Would take less than 1 sec. You will see toolkits, libraries, both on the white and grey markets before Windows 7 ships.

    UAC isn't a security boundary but it SHOULD be. It should replace Fast User Switching for the admin-user to user-user switch.

  • WithinRafael

    Charles said:
    longzheng said:
    *snip*

    Well, my position is simple. YOU are in control of what is allowed to execute on your system. If you choose to run arbitrary unsigned binaries, that's your decision. On Windows 7, you run as standard user by default. How many attacks have there been that exploit the UAC vulnerability you are touting? I've yet to hear about a single instance. If UAC is so flawed, then why haven't hackers used it as an attack vector? Win 7 UAC has been in the wild for quite some time to date. Lots and lots of folks are running Win7 RC. Can you elaborate on the vulnerability?

    C

    Well, my position is simple. YOU are in control of what is allowed to execute on your system. If you choose to run arbitrary unsigned binaries, that's your decision.

    How do I, as a consumer, determine if what I'm executing is unsigned when zero prompts appear? The malware I ran, as far as I'm concerned, was a fancy mortgage calculator. Oops, my machine is screwed now. "Mondo for Windows 7" just bit me.

  • CreamFilling512

    Repeat after me, "UAC is not a security boundary!"  It's a convenience feature.

  • Charles

    Sven Groot said:
    longzheng said:
    *snip*

    See my argument about remote code execution vulnerabilities. I don't decide to run the code that comes in through an exploit, yet with Win 7's UAC it can silently elevate.

    As for there having been no attacks yet, that's a stupid argument. It advocates a purely reactionary approach to security, which is the exact opposite of "secure by default". In addition, 7's market penetration is still too low to make it a large target for attacks, and because it is still pre-release software, most people who are running it are technically proficient and therefore not likely to be prone to common attack strategies.

    Look. I want to be clear. I do not represent Microsoft's official position. I had nothing to do with the advent and evolution of UAC. Though my position represents stupidity, it is most likely due to the fact that I don't think about this problem. I have nothing to do with UAC design and development. I have experienced 0 issues with UAC on Win 7. It prompts me when I install applications, change certain system settings. You know, the things I expect it to do. If it is vulnerable to attack, then I'd imagine the Windows team will fix the exploit. If it's vulnerable by attack only if you have a currently executing process that can silently elevate, well, you have a currently executing malicious binary. How did it get on your machine? Silently? How does that work, exactly?

    I'm fine with being stupid. Please do increase my understanding.

    C

  • brian.shapiro

    Charles said:
    Sven Groot said:
    *snip*

    Look. I want to be clear. I do not represent Microsoft's official position. I had nothing to do with the advent and evolution of UAC. Though my position represents stupidity, it is most likely due to the fact that I don't think about this problem. I have nothing to do with UAC design and development. I have experienced 0 issues with UAC on Win 7. It prompts me when I install applications, change certain system settings. You know, the things I expect it to do. If it is vulnerable to attack, then I'd imagine the Windows team will fix the exploit. If it's vulnerable by attack only if you have a currently executing process that can silently elevate, well, you have a currently executing malicious binary. How did it get on your machine? Silently? How does that work, exactly?

    I'm fine with being stupid. Please do increase my understanding.

    C

    I don't find any of this a big deal personally because in my experience it's pretty easy to avoid getting viruses, UAC or not. But one of the aspects of UAC I appreciate is that it lets you know if a program that you didn't intend to run is trying to get permission, such as something that may have been added to your Windows startup process.

    Am I wrong to say that the exploit circumvents this feature of UAC?

  • Charles

    brian.shapiro said:
    Charles said:
    *snip*

    I don't find any of this a big deal personally because in my experience it's pretty easy to avoid getting viruses, UAC or not. But one of the aspects of UAC I appreciate is that it lets you know if a program that you didn't intend to run is trying to get permission, such as something that may have been added to your Windows startup process.

    Am I wrong to say that the exploit circumvents this feature of UAC?

    No, you're not wrong to question behavior. But how did the exploiting code get on your system?

    C

  • brian.shapiro

    Charles said:
    brian.shapiro said:
    *snip*

    No, you're not wrong to question behavior. But how did the exploiting code get on your system?

    C

    Exactly, which is why I don't really care about UAC that much to begin with. But I see UAC as pretty useless with the exploit.

  • ManipUni

    brian.shapiro said:
    Charles said:
    *snip*

    Exactly, which is why I don't really care about UAC that much to begin with. But I see UAC as pretty useless with the exploit.

    If Charles is to be believed it is pretty useless with or without this exploit.

  • Charles

    Suppose one creates an algorithm that disables the ability of the OS to connect to the Internet (well, for maliciously naughty reasons, it can connect to the hacker's devious representation of the Internet, anyway...). If you attempt to download this exploit, then you will be warned. If you try and execute the binary, then UAC will prompt you. Or are you saying you can get around this UAC behavior as part of the very UAC exploit that is the basis of this argument?

    C

  • ManipUni

    Charles said:

    Suppose one creates an algorithm that disables the ability of the OS to connect to the Internet (well, for maliciously naughty reasons, it can connect to the hacker's devious representation of the Internet, anyway...). If you attempt to download this exploit, then you will be warned. If you try and execute the binary, then UAC will prompt you. Or are you saying you can get around this UAC behavior as part of the very UAC exploit that is the basis of this argument?

    C

    Take my scenario:
    You're browsing a website, Adobe Reader has yet another bug in it, an advert on the site injects code into that process and starts executing as the current user. It then launches calculator, escalates Adobe Reader and roots the entire system.

    What would happen with UAC on full? While Adobe Reader could cause issues and attempt to inject itself into processes IN CASE they get escalated later, a more realistic scenario is that it would be greatly limited within its scope to cause damage. Simply because luck is required (the user escalates something) and it is a lot harder to write.

  • Charles

    ManipUni said:
    Charles said:
    *snip*

    Take my scenario:
    You're browsing a website, Adobe Reader has yet another bug in it, an advert on the site injects code into that process and starts executing as the current user. It then launches calculator, escalates Adobe Reader and roots the entire system.

    What would happen with UAC on full? While Adobe Reader could cause issues and attempt to inject itself into processes IN CASE they get escalated later, a more realistic scenario is that it would be greatly limited within its scope to cause damage. Simply because luck is required (the user escalates something) and it is a lot harder to write.

    Interesting. So, it uses Calculator to escalate. Of course, it got on to the system to execute in context (I believe you used an exploit in an installed application as the doorway for the exploit package). But, forget that for now. Can you elaborate on the UAC exploit pattern?

    C

  • CreamFilling512

    These exploits are useless unless you run your machine as an Administrator?

  • WithinRafael

    ManipUni said:
    Charles said:
    *snip*

    Take my scenario:
    You're browsing a website, Adobe Reader has yet another bug in it, an advert on the site injects code into that process and starts executing as the current user. It then launches calculator, escalates Adobe Reader and roots the entire system.

    What would happen with UAC on full? While Adobe Reader could cause issues and attempt to inject itself into processes IN CASE they get escalated later, a more realistic scenario is that it would be greatly limited within its scope to cause damage. Simply because luck is required (the user escalates something) and it is a lot harder to write.

    You're making this harder than it needs to be. It's easier to just say... Mom downloads SuperCalculator.exe onto her desktop. She executes this program. While the calculator UI appears, it silently injects itself into Explorer, gains elevated abilities, and sets up all sorts of nastiness.

    No prompts. Nothing.

  • ManipUni

    Charles said:
    ManipUni said:
    *snip*

    Interesting. So, it uses Calculator to escalate. Of course, it got on to the system to execute in context (I believe you used an exploit in an installed application as the doorway for the exploit package). But, forget that for now. Can you elaborate on the UAC exploit pattern?

    C

    Launch Calculator. Find Calculator's process. Use WriteProcessMemory to inject instructions into the process. Have calculator escalate either Adobe Reader or any other process of your choice.

    Why wouldn't this work with full UAC?
    Because Calculator isn't running with the rights to escalate Adobe Reader or anything else.
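The difference ManipUni draws between "UAC on full" and the Windows 7 default comes down to the UAC policy values in the registry. The following PowerShell audit script is an added example, not code from the thread or from Microsoft: it reads the documented policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and reports whether the machine is on the default level, where signed Windows binaries such as Calculator elevate without a prompt, or on "Always notify"; the posture labels and the AutoElevationPossible flag are this script's own interpretation. The defaults assumed for missing values and the hardening function are assumptions, and the hardening function needs an elevated shell.

```powershell
# Added example: audit the UAC elevation level that the thread's discussion hinges on.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacDword($props, $name, $default) {
    # When a policy value is absent, Windows applies its built-in default (assumed here).
    if ($null -ne $props.$name) { [int]$props.$name } else { $default }
}

function Get-UacElevationPosture {
    $p = Get-ItemProperty -Path $UacKey

    $enableLua  = Get-UacDword $p 'EnableLUA' 1                  # 1 = UAC enabled
    $adminMode  = Get-UacDword $p 'ConsentPromptBehaviorAdmin' 5 # 5 = Win7 default, 2 = Always notify
    $secureDesk = Get-UacDword $p 'PromptOnSecureDesktop' 1      # 1 = prompt on the secure desktop

    $posture = if ($enableLua -ne 1) {
        'UAC disabled: an admin user runs everything with a full token and no prompt'
    } elseif ($adminMode -eq 0) {
        'Elevate without prompting: equivalent to UAC off for administrators'
    } elseif ($adminMode -eq 5) {
        'Windows 7 default: signed Windows binaries auto-elevate without a prompt'
    } elseif ($adminMode -eq 2 -and $secureDesk -eq 1) {
        'Always notify ("UAC on full"): every elevation prompts on the secure desktop'
    } else {
        "Custom level (ConsentPromptBehaviorAdmin=$adminMode, PromptOnSecureDesktop=$secureDesk)"
    }

    # Auto-elevation of trusted Windows binaries only happens at level 5 (or with prompting off).
    $autoElevate = ($enableLua -ne 1) -or ($adminMode -eq 0) -or ($adminMode -eq 5)

    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminMode
        PromptOnSecureDesktop      = $secureDesk
        AutoElevationPossible      = $autoElevate
        Posture                    = $posture
    }
}

# Hardening step (assumed remediation): move the machine to "Always notify".
function Set-UacAlwaysNotify {
    Set-ItemProperty -Path $UacKey -Name 'EnableLUA' -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name 'PromptOnSecureDesktop' -Value 1 -Type DWord
    # A change to EnableLUA only takes effect after a reboot; the other two apply immediately.
}

Get-UacElevationPosture | Format-List
```

The same three values are what Group Policy's "User Account Control" settings under Security Options write, so an environment that manages them centrally can compare the script's output against the intended policy.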
