
Thread: Vista Security - Just another pipe dream by M$


  1. #1
    Default User Guest

    Vista Security - Just another pipe dream by M$

    Another serious crack in the armor of UAC has emerged and is likely to be
    heavily exploited in the near future.

    Windows Vista: Non-privileged code can redirect shortcuts to intercept
    privilege elevation requests
    http://www.securityfocus.com/archive.../30/0/threaded

    "Tested on x86 and x64 editions of Windows Vista Ultimate, though this
    exploit should function correctly on all x86 and x64 editions of Windows
    Vista.

    This exploit requires an attack vector such as a Trojan horse. However, in
    light of the enormous success of such types of attacks in the past, and the
    fact that User Account Control (UAC) would be expected to protect the user
    from doing something particularly dangerous to the machine, this should be
    considered exploitable.

    Non-privileged code can be used to replace shortcuts on the Start Menu and
    intercept elevation of privileges. Because of the way the Start Menu is
    constructed, users can enumerate all of the shortcuts that appear on their
    menus because they have read access to the folders where the shortcuts
    reside. The Start Menu is composited of a common folder and the specific
    user's folder, preferring the user folder if duplicates exist.

    Using COM and the .NET Framework, a stub EXE generator can be created that
    will check for the presence of privilege elevation before launching the
    original target process (in order to not alert the user to the fact that
    the target is infected). The .NET CLR is installed by default on Windows
    Vista and so can be used as part of the attack vector.

    The proof-of-concept enumerates the shortcuts on the user's menu and the
    common menu and creates or modifies user-local shortcuts to exploitable
    executables via proxy EXEs. It generates the proxy executables and then
    writes a text file to the Windows\System32 folder once a proxy executable
    has been run with elevation. The proof-of-concept code is available at
    http://www.robpaveza.net/VistaUACExploit/PoC.zip and requires Visual Studio
    2005 to compile.

    A whitepaper detailing the architecture of UAC and this exploit is also
    available at
    http://www.robpaveza.net/VistaUACExp...Whitepaper.pdf. The
    whitepaper details the implementation of the Proof of Concept as well, and
    goes into significantly more detail than this (I'm sorry that this is
    short, but I've been working on writing this up for quite a while and just
    want it to be over)."


    What was Microsoft's response to using third-party security products... oh,
    yeah, "they're nothing but feel-good fluff on Vista"... guess again.
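
The quoted advisory turns on one fact: a shortcut in the user's own Start Menu folder takes precedence over a same-named one in the common folder. As an added example (not part of the original post or the advisory's proof-of-concept), this defender-side check lists per-user shortcuts that shadow a common-menu entry; the function names and the sample trees are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def index_shortcuts(root):
    """Map lower-cased relative path -> Path for every .lnk under root (Windows names are case-insensitive)."""
    root, index = Path(root), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                full = Path(dirpath) / name
                index[full.relative_to(root).as_posix().lower()] = full
    return index


def find_shadowing_shortcuts(user_menu, common_menu):
    """List per-user shortcuts that take precedence over a common-menu entry of the same relative path."""
    user, common = index_shortcuts(user_menu), index_shortcuts(common_menu)
    findings = []
    for rel in sorted(user.keys() & common.keys()):
        findings.append({
            "shortcut": rel,
            "user_path": str(user[rel]),
            "content_differs": user[rel].read_bytes() != common[rel].read_bytes(),
        })
    return findings


def build_sample_menus(base):
    """Constructed sample trees with placeholder bytes (not real .lnk files)."""
    files = {
        "user/Programs/Accessories/Tool.lnk": b"constructed-user-copy",
        "common/Programs/Accessories/tool.lnk": b"constructed-common-copy",
        "user/Programs/Same.lnk": b"constructed-identical",
        "common/Programs/Same.lnk": b"constructed-identical",
        "user/Programs/OnlyMine.lnk": b"constructed-user-only",
    }
    for rel, data in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return Path(base) / "user", Path(base) / "common"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_shadowing_shortcuts(*build_sample_menus(tmp)))
```

On a Vista machine the two folders to compare are `%APPDATA%\Microsoft\Windows\Start Menu` and `%ProgramData%\Microsoft\Windows\Start Menu`. A hit is a lead for review rather than proof of tampering, since the check compares file bytes and does not resolve where each shortcut points.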

  2. #2
    Jim Higgins Guest

    Re: Vista Security - Just another pipe dream by M$

    Default User wrote:
    > Another serious crack in the armor of UAC has emerged and is likely to be
    > heavily exploited in the near future.
    >
    > Windows Vista: Non-privileged code can redirect shortcuts to intercept
    > privilege elevation requests
    > http://www.securityfocus.com/archive.../30/0/threaded
    >
    > "Tested on x86 and x64 editions of Windows Vista Ultimate, though this
    > exploit should function correctly on all x86 and x64 editions of Windows
    > Vista.
    >
    > This exploit requires an attack vector such as a Trojan horse. However, in
    > light of the enormous success of such types of attacks in the past, and the
    > fact that User Account Control (UAC) would be expected to protect the user
    > from doing something particularly dangerous to the machine, this should be
    > considered exploitable.
    >
    > Non-privileged code can be used to replace shortcuts on the Start Menu and
    > intercept elevation of privileges. Because of the way the Start Menu is
    > constructed, users can enumerate all of the shortcuts that appear on their
    > menus because they have read access to the folders where the shortcuts
    > reside. The Start Menu is composited of a common folder and the specific
    > user's folder, preferring the user folder if duplicates exist.
    >
    > Using COM and the .NET Framework, a stub EXE generator can be created that
    > will check for the presence of privilege elevation before launching the
    > original target process (in order to not alert the user to the fact that
    > the target is infected). The .NET CLR is installed by default on Windows
    > Vista and so can be used as part of the attack vector.
    >
    > The proof-of-concept enumerates the shortcuts on the user's menu and the
    > common menu and creates or modifies user-local shortcuts to exploitable
    > executables via proxy EXEs. It generates the proxy executables and then
    > writes a text file to the Windows\System32 folder once a proxy executable
    > has been run with elevation. The proof-of-concept code is available at
    > http://www.robpaveza.net/VistaUACExploit/PoC.zip and requires Visual Studio
    > 2005 to compile.
    >
    > A whitepaper detailing the architecture of UAC and this exploit is also
    > available at
    > http://www.robpaveza.net/VistaUACExp...Whitepaper.pdf. The
    > whitepaper details the implementation of the Proof of Concept as well, and
    > goes into significantly more detail than this (I'm sorry that this is
    > short, but I've been working on writing this up for quite a while and just
    > want it to be over)."
    >
    >
    > What was Microsoft's response to using third-party security products... oh,
    > yeah, "they're nothing but feel-good fluff on Vista"... guess again.


    Mac OS X is looking better every day. Now to screw up enough courage
    (aka self-interest) to leave the Dark Side.

  3. #3
    Leythos Guest

    Re: Vista Security - Just another pipe dream by M$

    On Mon, 21 May 2007 13:00:54 -0400, Jim Higgins wrote:
    >
    > Mac OS X is looking better every day. Now to screw up enough courage
    > (aka self-interest) to leave the Dark Side.


    OS/X has many exploits too - just google for them.

    --
    Want to know what PCBUTTS1 is really about?
    *** WARNING - this link contains foul/pornographic content of an
    abusive nature created by PCBUTTS1 and still hosted on his public
    website ***
    http://www.pcbutts1.com/downloads/leythos.htm
    http://www.pcbutts1.com/downloads/bughunter.htm

  4. #4
    Gaz Guest

    Re: Vista Security - Just another pipe dream by M$

    Leythos wrote:
    > On Mon, 21 May 2007 13:00:54 -0400, Jim Higgins wrote:
    >>
    >> Mac OS X is looking better every day. Now to screw up enough courage
    >> (aka self-interest) to leave the Dark Side.

    >
    > OS/X has many exploits too - just google for them.


    Quite, and not enough people use it to care.

    Gaz


