
RE: Windows Vista Power Management & Local Security Policy



So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?

--
Abe Getchell
me@xxxxxxxxxxxxxxx
https://abegetchell.com/

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Saturday, July 19, 2008 6:20 PM
> To: me@xxxxxxxxxxxxxxx; Jim Harrison; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Windows Vista Power Management & Local Security Policy
> 
> If Jim is going to get Nancy to run a program, and that's "not all that
> hard," then why not just have that program do what you want in the first
> place rather than worrying about the power switch nonsense?  This is the
> one million and fourth time:  "If your 'vulnerability' begins with 'if I
> can get the user to run code' then whatever comes after the 'then'
> doesn't matter.  Period."
> 
> t
> 
> 
> 
> > -----Original Message-----
> > From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
> > Sent: Saturday, July 19, 2008 12:33 AM
> > To: 'Jim Harrison'; bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > As stated in my original e-mail to the list, I definitely don't think
> > that this is a security vulnerability in a traditional sense. I
> > completely agree with you. Think about it this way... When you press
> > the power button on the machine and it performs a graceful shutdown,
> > stuff happens inside of the operating system. That stuff happens at an
> > elevated privilege level. If there were some way to hook into the stuff
> > that happens, you (as an unauthenticated user) could do bad things
> > (besides simply shutting down the system) using that hook simply by
> > pressing the power button at the logon screen. For example, if Jim
> > wants to know what Nancy is working on, he could write a program which
> > e-mails him the contents of her "My Documents" folder that is triggered
> > by a hook into that process. All Jim needs to do is get Nancy to run
> > that program on her system (not hard) and walk by her office when she's
> > not there and hit the power button (also not hard). So what can _I_ do
> > with this bug? Not much, I'm not that great of a programmer... but I
> > think someone out there could do some nasty stuff.
> >
> > --
> > Abe Getchell
> > me@xxxxxxxxxxxxxxx
> > https://abegetchell.com/
> >
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Saturday, July 19, 2008 1:36 AM
> > > To: 'me@xxxxxxxxxxxxxxx'; bugtraq@xxxxxxxxxxxxxxxxx
> > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > >
> > > Abe,
> > >
> > > Other than a denial-of-service from the console (is the power switch
> > > now a security vuln, too?), what can you do with this bug?  It's
> > > absolutely, unquestionably a "bug"; the user should see behavior as
> > > dictated by logic and described in the documentation, but a "security
> > > vulnerability"?
> > >
> > > I think that's stretching things juuuuuust a bit.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
> > > Sent: Thursday, July 17, 2008 7:39 PM
> > > To: bugtraq@xxxxxxxxxxxxxxxxx
> > > Subject: Windows Vista Power Management & Local Security Policy
> > >
> > > When the security option "Shutdown: Allow system to be shut down
> > > without having to log on" (in the local security policy) is set to
> > > "Disable", and the power management setting "When I press the power
> > > button" is set to "Shut Down", it is possible for an unauthenticated
> > > user to press the power button at the Windows logon screen and
> > > gracefully shut down the system. The explanation of this security
> > > option, taken from the local security policy, is as follows:
> > >
> > > "Shutdown: Allow system to be shut down without having to log on
> > >
> > > This security setting determines whether a computer can be shut down
> > > without having to log on to Windows.
> > >
> > > When this policy is enabled, the Shut Down command is available on the
> > > Windows logon screen.
> > >
> > > When this policy is disabled, the option to shut down the computer does
> > > not appear on the Windows logon screen. In this case, *users must be
> > > able to log on to the computer successfully and have the Shut down the
> > > system user right before they can perform a system shutdown*.
> > >
> > > Default on workstations: Enabled.
> > > Default on servers: Disabled."
> > >
> > > Note the text between the asterisks. While this bug isn't necessarily
> > > a software flaw allowing for an intrusion into the system in a
> > > traditional sense, it does set a bad precedent in that power
> > > management has a free pass to bypass local security policy and perform
> > > actions expressly against the defined policy. It appears that the only
> > > impact the use of this security option actually has is enabling or
> > > disabling the display of the "power button" on the Windows logon
> > > screen (locally only - this setting has no effect on remote desktop
> > > connections - the "power button" is not displayed in either case), not
> > > actually preventing anyone from (gracefully) shutting down the system
> > > without logging in.
> > >
> > > I reported this to the MSRC on 6/25/2008 and their stance was that
> > > this wasn't a security vulnerability, but was likely a bug, and was
> > > passed directly to the product team to investigate through their
> > > normal bug triage process. After some back and forth, there was
> > > silence, and I let them know I was going to release this information
> > > to the community.
> > >
> > > This was tested on Windows Vista SP1 (32-bit).
> > >
> > > --
> > > Abe Getchell
> > > me@xxxxxxxxxxxxxxx
> > > https://abegetchell.com/
> > >
> > >
> >
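A configuration check for the mismatch the original report describes, added here as an example and not part of the thread. It assumes an elevated PowerShell session on a machine where the policy is stored in the documented ShutdownWithoutLogon registry value and powercfg accepts the SUB_BUTTONS/PBUTTONACTION aliases; the -Fix switch is a name chosen for this example.

```powershell
# Added example (not from the thread): audits the two settings the report
# discusses and optionally applies a practical mitigation. Assumes an elevated
# session; "-Fix" is a switch name chosen for this example.
param([switch]$Fix)

# "Shutdown: Allow system to be shut down without having to log on" lives here.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$allowWithoutLogon = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).ShutdownWithoutLogon
if ($null -eq $allowWithoutLogon) { $allowWithoutLogon = 1 }  # workstation default: Enabled

# Power button action for the active scheme: 0 = Do nothing, 1 = Sleep,
# 2 = Hibernate, 3 = Shut down. Parsed from the "Current AC/DC Power Setting Index" line.
function Get-PowerButtonIndex {
    param([ValidateSet('AC', 'DC')][string]$Source)
    $out  = powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION
    $line = $out | Where-Object { $_ -match "Current $Source Power Setting Index" } | Select-Object -First 1
    if ($line -and $line -match '0x([0-9a-fA-F]+)') { return [Convert]::ToInt32($Matches[1], 16) }
    return $null
}
$ac = Get-PowerButtonIndex -Source 'AC'
$dc = Get-PowerButtonIndex -Source 'DC'

"ShutdownWithoutLogon policy : $allowWithoutLogon (0 = Disabled, 1 = Enabled)"
"Power button action AC / DC : $ac / $dc (3 = Shut down)"

# The report's point: the policy only hides the logon-screen button; a physical
# press still shuts the machine down when the button action is "Shut down".
if ($allowWithoutLogon -eq 0 -and ($ac -eq 3 -or $dc -eq 3)) {
    Write-Warning 'Policy forbids shutdown without logon, but the power button still shuts down.'
    if ($Fix) {
        # Mitigation: make the button do nothing. Logged-on users holding the
        # "Shut down the system" right can still shut down from the Start menu.
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
        powercfg /setactive SCHEME_CURRENT
        'Power button action set to "Do nothing" for the active scheme.'
    }
}
```

After the fact, User32 event 1074 in the System log records which process initiated each shutdown, which is where to look when reconciling unexpected shutdowns against this policy.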