RE: Windows Vista Power Management & Local Security Policy
I understand all of that, which is precisely the reason I put it out there.
The example I put forth might have been a bad one (given that it relies on
an additional piece of code to be installed on a target machine), but
there's probably more to this issue than I can deduce. I'll let those more
versed in that area of security figure it out. As a side note, check out
some of the conversations on the Linux Kernel mailing list about power
management and security. Interesting stuff.
--
Abe Getchell
me@xxxxxxxxxxxxxxx
https://abegetchell.com/
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Sunday, July 20, 2008 4:33 PM
> To: 'me@xxxxxxxxxxxxxxx'; 'Thor (Hammer of God)'; 'Johan Beisser'
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> It's about reality & priorities.
>
> What we're both saying is:
> 1. it's a bug and should be fixed in accordance with its impact on real
> (not imagined) functionality & security
> 2. unless this provides some exploit that doesn't start with "if I can
> install software on the host", it's not more than "a bug in a security
> mechanism"
>
> If someone can demonstrate an actual vulnerability or exploit on the
> basis of this bug _alone_, then they may have something to make noise
> about. There are enough real bugs and security vulns in software to
> deal with. Not every security issue spells doom and damnation or
> warrants immediate corrective response from the vendor.
>
> Jim
>
> -----Original Message-----
> From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
> Sent: Sunday, July 20, 2008 12:32 PM
> To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> So, you guys don't think it's an issue that power management in Vista
> (apparently) has a pass to bypass local security policy?
>
> --
> Abe Getchell
> me@xxxxxxxxxxxxxxx
> https://abegetchell.com/
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Saturday, July 19, 2008 6:20 PM
> > To: me@xxxxxxxxxxxxxxx; Jim Harrison; bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > If Jim is going to get Nancy to run a program, and that's "not all that
> > hard," then why not just have that program do what you want in the first
> > place rather than worrying about the power switch nonsense? This is the
> > one million and fourth time: "If your 'vulnerability' begins with 'if I
> > can get the user to run code' then whatever comes after the 'then'
> > doesn't matter. Period."
> >
> > t
> >
> >
> >
> > > -----Original Message-----
> > > From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
> > > Sent: Saturday, July 19, 2008 12:33 AM
> > > To: 'Jim Harrison'; bugtraq@xxxxxxxxxxxxxxxxx
> > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > >
> > > As stated in my original e-mail to the list, I definitely don't think
> > > that this is a security vulnerability in a traditional sense. I
> > > completely agree with you. Think about it this way... When you press
> > > the power button on the machine and it performs a graceful shutdown,
> > > stuff happens inside of the operating system. That stuff happens at an
> > > elevated privilege level. If there were some way to hook into the stuff
> > > that happens, you (as an unauthenticated user) could do bad things
> > > (besides simply shutting down the system) using that hook simply by
> > > pressing the power button at the logon screen. For example, if Jim
> > > wants to know what Nancy is working on, he could write a program which
> > > e-mails him the contents of her "My Documents" folder that is triggered
> > > by a hook into that process. All Jim needs to do is get Nancy to run
> > > that program on her system (not hard) and walk by her office when she's
> > > not there and hit the power button (also not hard). So what can _I_ do
> > > with this bug? Not much, I'm not that great of a programmer... but I
> > > think someone out there could do some nasty stuff.
> > >
> > > --
> > > Abe Getchell
> > > me@xxxxxxxxxxxxxxx
> > > https://abegetchell.com/
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Saturday, July 19, 2008 1:36 AM
> > > > To: 'me@xxxxxxxxxxxxxxx'; bugtraq@xxxxxxxxxxxxxxxxx
> > > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > > >
> > > > Abe,
> > > >
> > > > Other than a denial-of-service from the console (is the power switch
> > > > now a security vuln, too?), what can you do with this bug? It's
> > > > absolutely, unquestionably a "bug"; the user should see behavior as
> > > > dictated by logic and described in the documentation, but a "security
> > > > vulnerability"?
> > > >
> > > > I think that's stretching things juuuuuust a bit.
> > > >
> > > > Jim
> > > >
> > > > -----Original Message-----
> > > > From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
> > > > Sent: Thursday, July 17, 2008 7:39 PM
> > > > To: bugtraq@xxxxxxxxxxxxxxxxx
> > > > Subject: Windows Vista Power Management & Local Security Policy
> > > >
> > > > When the security option "Shutdown: Allow system to be shut down
> > > > without having to log on" (in the local security policy) is set to
> > > > "Disable", and the power management setting "When I press the power
> > > > button" is set to "Shut Down", it is possible for an unauthenticated
> > > > user to press the power button at the Windows logon screen and
> > > > gracefully shut down the system. The explanation of this security
> > > > option, taken from the local security policy, is as follows:
> > > >
> > > > "Shutdown: Allow system to be shut down without having to log on
> > > >
> > > > This security setting determines whether a computer can be shut down
> > > > without having to log on to Windows.
> > > >
> > > > When this policy is enabled, the Shut Down command is available on the
> > > > Windows logon screen.
> > > >
> > > > When this policy is disabled, the option to shut down the computer does
> > > > not appear on the Windows logon screen. In this case, *users must be
> > > > able to log on to the computer successfully and have the Shut down the
> > > > system user right before they can perform a system shutdown*.
> > > >
> > > > Default on workstations: Enabled.
> > > > Default on servers: Disabled."
> > > >
> > > > Note the text between the asterisks. While this bug isn't necessarily
> > > > a software flaw allowing for an intrusion into the system in a
> > > > traditional sense, it does set a bad precedent in that power
> > > > management has a free pass to bypass local security policy and
> > > > perform actions expressly against the defined policy. It appears that
> > > > the only impact the use of this security option actually has is
> > > > enabling or disabling the display of the "power button" on the
> > > > Windows logon screen (locally only - this setting has no effect on
> > > > remote desktop connections - the "power button" is not displayed in
> > > > either case), not actually preventing anyone from (gracefully)
> > > > shutting down the system without logging in.
> > > >
> > > > I reported this to the MSRC on 6/25/2008 and their stance was that
> > > > this wasn't a security vulnerability, but was likely a bug, and was
> > > > passed directly to the product team to investigate through their
> > > > normal bug triage process. After some back and forth, there was
> > > > silence, and I let them know I was going to release this information
> > > > to the community.
> > > >
> > > > This was tested on Windows Vista SP1 (32-bit).
> > > >
> > > > --
> > > > Abe Getchell
> > > > me@xxxxxxxxxxxxxxx
> > > > https://abegetchell.com/
> > > >
> > > >
> > >
>
>
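[Editor's note] The original advisory in this thread describes a combination of two settings: the local security policy "Shutdown: Allow system to be shut down without having to log on" set to Disabled, and the power button action set to "Shut down". The following PowerShell audit script is an added example written for this page; it is not code from the thread, from Abe Getchell, or from Microsoft. It assumes (these details are not stated in the thread) that the policy is backed by the DWORD value ShutdownWithoutLogon under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, that the active power scheme's button action can be read with `powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION`, and that the action index 3 means "Shut down". It reports whether the exact combination from the advisory is present on the machine it runs on, and needs PowerShell 3.0 or later.

```powershell
# Added audit script (editor's example, not from the bugtraq thread or Microsoft).
# Reads the two settings the advisory combines and reports whether a console
# user could still trigger a graceful shutdown from the logon screen via the
# power button while the policy says shutdown requires logon.
#
# Assumptions (not stated in the thread):
#  - Policy "Shutdown: Allow system to be shut down without having to log on"
#    is stored as DWORD ShutdownWithoutLogon under
#    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
#    (1 = Enabled, 0 = Disabled; value absent = platform default applies).
#  - powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION prints lines
#    "Current AC Power Setting Index: 0x0000000N" and the DC equivalent;
#    index 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down.

function Get-ShutdownWithoutLogonPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name ShutdownWithoutLogon `
            -ErrorAction SilentlyContinue).ShutdownWithoutLogon
    if ($null -eq $v) { return 'NotConfigured' }   # default: Enabled on workstations
    if ($v -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

function Get-PowerButtonAction {
    # Returns a hashtable keyed 'AC'/'DC' with the action index and its name
    # for the currently active power scheme.
    $names  = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }
    $output = & powercfg.exe /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2>&1
    $result = @{}
    foreach ($line in $output) {
        if ("$line" -match 'Current (AC|DC) Power Setting Index:\s+0x([0-9A-Fa-f]+)') {
            $idx  = [Convert]::ToInt32($Matches[2], 16)
            $name = if ($names.ContainsKey($idx)) { $names[$idx] } else { "Unknown($idx)" }
            $result[$Matches[1]] = [pscustomobject]@{ Index = $idx; Name = $name }
        }
    }
    return $result
}

function Test-LogonScreenShutdownGap {
    $policy = Get-ShutdownWithoutLogonPolicy
    $button = Get-PowerButtonAction

    # The advisory's condition: policy Disabled, yet the button performs a
    # graceful shutdown (index 3) on at least one power source.
    $buttonShutsDown = @($button.Values | Where-Object { $_.Index -eq 3 }).Count -gt 0
    $ac = if ($button.ContainsKey('AC')) { $button['AC'].Name } else { 'n/a' }
    $dc = if ($button.ContainsKey('DC')) { $button['DC'].Name } else { 'n/a' }

    [pscustomobject]@{
        ShutdownWithoutLogon = $policy
        PowerButtonOnAC      = $ac
        PowerButtonOnDC      = $dc
        GapPresent           = ($policy -eq 'Disabled') -and $buttonShutsDown
    }
}

Test-LogonScreenShutdownGap | Format-List
```

Run it from an elevated prompt on the machine under review. GapPresent is true only when both halves of the advisory's precondition hold; a machine where the policy is Enabled (the workstation default quoted in the thread) reports no gap because the logon screen offers shutdown anyway. If the two settings are meant to agree, the editor's assumption is that changing the button action for the active scheme away from "Shut down" with `powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0`, the matching `/setdcvalueindex`, and then `powercfg /setactive SCHEME_CURRENT` removes the graceful-shutdown path; the thread itself does not describe a workaround, and a user with physical access can still hold the button to power the machine off, which no policy controls.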