[OFF-TOPIC] More on Microsoft Win32 Shatter attacks
Benjamin Scott
bscott at ntisys.com
Fri Aug 9 10:12:37 EDT 2002
Since the original message generated such a discussion on GNHLUG, I think
the following new information should be posted here. I am mainly concerned
about propagation of untrue FUD by the Linux community against MS-Windows.
If you do not care about MS-Windows, stop reading now.

I encourage people NOT to discuss the details of this exposure on this
list. Such details are of interest only to MS-Windows users, programmers,
and administrators, and as such, such discussion really belongs elsewhere.
Should you wish to comment on this message, please reply to me directly.
If anything relevant to this community comes up, I will forward it to the
list.

For background information, please reference
<http://security.tombom.co.uk/shatter.html>, which claims to introduce a
"new class of vulnerabilities" on the Win32 platform, which the author dubs
a "Shatter attack".

People have pointed out this is "old news". That does not make it less of
a threat, especially if this recent publication draws new attention to it.

People have pointed out that the Win32 API does provide countermeasures
against this attack. Namely, processes can run in a different "WinStation",
and Win32 API messages cannot cross WinStation boundaries. I take this to
mean that TS/Citrix, at least, should be less vulnerable to this than
originally claimed.

However, it is still possible to run a process with superior privileges in
a TS/Citrix WinStation, so the threat may still exist -- it depends on the
common usage of TS/Citrix. I don't know if it is common to have a
privileged process running in a nominally unprivileged TS/Citrix WinStation.

People have raised the objection that only "poorly designed" programs
would be vulnerable to this. More specifically, in order for this to be a
true threat, one would have to have a process with superior privileges
running in a nominally unprivileged WinStation. However, others have
pointed out that there are a great many "poorly designed" programs out
there, including Windows system components (the DDE server was given as an
example).

People have raised the objection that unprivileged processes cannot debug
privileged processes. The original whitepaper states explicitly that the
debugger simply makes things easier; it is not required.

People have asserted that "if you can get code onto a system, you can do
anything you want". I object strongly to that -- that would mean any system
is insecure by definition, which is both undesired and untrue. It should be
possible to secure a desktop workstation against privilege elevation from
software attacks (physical attacks are another problem). This exposure
makes that impossible.

People have compared this to TCP ports, saying that any other application
can connect to a TCP port. However, that comparison is not valid -- simply
connecting to a TCP port cannot cause arbitrary code to be invoked. This
can.

A better analogy would be the "gets()" C library function introduced with
Unix. It is a system function that is insecure by design, and also very
commonly used. For a long time, Unix was plagued by security failures due
to the use of gets(). Things have finally reached a point where gets() is
generally known to be insecure, but it took years to get there.

In conclusion: While this exposure may be less of a threat to TS/Citrix
systems than claimed in the whitepaper, it still appears to be a serious
threat.
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |
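The message above uses gets() as its analogy for an interface that is insecure by design: it writes a line of unbounded length into a fixed-size buffer, so the caller has no way to use it safely. The following is an added example, not part of Ben Scott's message, showing the bounded replacement a C programmer would write instead. The function name read_line, the line_status enum and the demo input are assumptions made for this example; the only library calls are standard fgets(), fgetc() and POSIX fmemopen(). It reads at most buf_size-1 bytes, strips the newline, and, when a line is longer than the buffer, discards the remainder of that line and reports the truncation rather than silently returning a partial line or leaving the tail to be misread as the next line.

```c
/* Added example: a bounded replacement for gets().
 * Names (read_line, line_status, demo_truncation) are invented for this
 * illustration; the input text is constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

typedef enum { LINE_OK, LINE_TRUNCATED, LINE_EOF } line_status;

/* Read one line from `in` into buf (capacity buf_size), without the newline.
 * Returns LINE_OK for a complete line, LINE_TRUNCATED when the line did not
 * fit (the rest of that line is consumed so the next call starts on the next
 * line), and LINE_EOF when there is nothing more to read. */
line_status read_line(FILE *in, char *buf, size_t buf_size) {
    /* A buffer that cannot hold one character plus the terminator is unusable. */
    if (buf == NULL || buf_size < 2)
        return LINE_EOF;

    /* fgets() stops after buf_size-1 bytes or at a newline, unlike gets(). */
    if (fgets(buf, (int)buf_size, in) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }

    /* No newline in the buffer: either the file ended without one, or the
     * line was longer than the buffer. Peek one character to tell them apart. */
    int c = fgetc(in);
    if (c == EOF)
        return LINE_OK;            /* final line lacked a trailing newline */

    /* Overlong line: drain the rest so it is not mistaken for the next line. */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return LINE_TRUNCATED;
}

/* Run read_line over a constructed input with an 8-byte buffer: one line
 * that fits, one that is too long, and a final line with no newline.
 * Returns the number of truncated lines (1 for this input). */
int demo_truncation(void) {
    static const char input[] = "short\nthis line is far too long\nlast";
    FILE *in = fmemopen((void *)input, sizeof input - 1, "r");
    if (in == NULL)
        return -1;

    char buf[8];
    int truncated = 0;
    line_status s;
    while ((s = read_line(in, buf, sizeof buf)) != LINE_EOF) {
        if (s == LINE_TRUNCATED)
            truncated++;
        printf("%-9s \"%s\"\n", s == LINE_TRUNCATED ? "TRUNCATED" : "ok", buf);
    }
    fclose(in);
    return truncated;
}

int main(void) {
    return demo_truncation() == 1 ? 0 : 1;
}
```

The point of the truncation status is that a bounded read alone is not enough: fgets() into a small buffer is memory-safe, but a caller that ignores where the line was cut will process "this li" as if it were the whole line and then read the leftover tail as a separate record. Reporting the truncation lets the caller reject or log the oversized input instead.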