Thread: Account Control: Running Windows Vista with Least Privilege




Account Control: Running Windows Vista with Least Privilege
user name
2006-08-04 23:39:32
UACBlog : Announcing Microsoft Standard User Analyzer Beta 1:
http://blogs.msdn.com/uac/archive/2006/05/25/607348.aspx



IT's Showtime:
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=207

*This session talks about the technology behind this change to Windows,
including the isolation of Admin from Standard User code on the same
desktop, the policy control in the enterprise, and how to write and
deploy good Standard User applications*

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs


---------------------------------------------------------------------------

Account Control: Running Windows Vista with Least Privilege
user name
2006-08-05 22:33:35
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> *This session talks about the technology behind this change to
> Windows, including the isolation of Admin from Standard User code on
> the same desktop,

I would like to add that running higher privileged applications on the
same desktop as lower privileged ones is accompanied by a
security-relevant design flaw in Windows' unauthenticated window message
system allowing shatter attacks on windows of higher-privileged
processes. I'd refer to the excellent work of Chris Paget for further
details.

Windows Vista was aimed to bring UIPI, adding a "privilege level" to the
process structure and changing the messaging system in a way so that
windows with "lower" privileges are not allowed to send messages to
windows with "higher" privileges; however, as far as I can see, one can
only make use of this feature for processes started with a filtered
token or software explicitly using SetNamedSecurityInfoW calls, so
threats may remain for services with GUI components and high-privileged
applications started via runas or EPAL.

| All applications run by a limited user have the same UI privilege
| level. As a limited user, applications are run at a single privilege
| level. UIPI does not interfere or change the behavior of window
| messaging between applications at the same privilege level. UIPI
| comes into effect for a user who is a member of the administrators
| group and may be running applications with least privilege (sometimes
| referred to as a process with a filtered token) and also processes
| running with full administrative privileges on the same desktop. UIPI
| prevents lower privilege processes from accessing higher privilege
| processes by blocking the following behavior.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

Denis


---------------------------------------------------------------------------

Account Control: Running Windows Vista with Least Privilege
user name
2006-08-30 08:55:40
> Windows Vista was aimed to bring UIPI, adding a "privilege level" to
> the process structure and changing the messaging system in a way so
> that windows with "lower" privileges are not allowed to send messages
> to windows with "higher" privileges; however, as far as I can see, one
> can only make use of this feature for processes started with a
> filtered token or software explicitly using SetNamedSecurityInfoW
> calls, so threats may remain for services with GUI components and
> high-privileged applications started via runas or EPAL.

You're correct, but that statement is misleading since--in
fact--everything launched from an administrator account WILL be run with
a restricted token by default. Only applications with known
compatibility problems, installers, or those explicitly requesting
administrative privileges (either in a manifest or by the user doing
right-click "Run As Administrator") will run unrestricted. So this is
actually quite an effective solution. So this attack is not very useful
anymore. The only case where I found a Shatter attack to be useful on
Vista is in a low/medium integrity application with UI Access. In
earlier builds, UXSS.EXE was the only such process. On my beta 2
machine, this process doesn't seem to exist anymore, so I don't think
there are any attack vectors for Shatter anymore.
 
-----Original Message-----
From: Denis Jedig [mailto:seclistssyneticon.de] 
Sent: Saturday, August 05, 2006 3:34 PM
To: focus-mssecurityfocus.com
Subject: Re: Account Control: Running Windows Vista with Least Privilege

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> *This session talks about the technology behind this change to
> Windows, including the isolation of Admin from Standard User code on
> the same desktop,

I would like to add that running higher privileged applications on the
same desktop as lower privileged ones is accompanied by a
security-relevant design flaw in Windows' unauthenticated window message
system allowing shatter attacks on windows of higher-privileged
processes. I'd refer to the excellent work of Chris Paget for further
details.

Windows Vista was aimed to bring UIPI, adding a "privilege level" to the
process structure and changing the messaging system in a way so that
windows with "lower" privileges are not allowed to send messages to
windows with "higher" privileges; however, as far as I can see, one can
only make use of this feature for processes started with a filtered
token or software explicitly using SetNamedSecurityInfoW calls, so
threats may remain for services with GUI components and high-privileged
applications started via runas or EPAL.

| All applications run by a limited user have the same UI privilege
| level. As a limited user, applications are run at a single privilege
| level. UIPI does not interfere or change the behavior of window
| messaging between applications at the same privilege level. UIPI
| comes into effect for a user who is a member of the administrators
| group and may be running applications with least privilege (sometimes
| referred to as a process with a filtered token) and also processes
| running with full administrative privileges on the same desktop. UIPI
| prevents lower privilege processes from accessing higher privilege
| processes by blocking the following behavior.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

Denis
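
Added example, not part of any message in this thread: a PowerShell check of the two token properties the thread turns on, the integrity level UIPI compares and whether the Administrators group is deny-only (a filtered token). The function name Get-TokenUipiSummary is hypothetical; the code assumes PowerShell 3.0 or later and English `whoami` attribute text.

```powershell
# Added example: summarize the current process token by parsing
# `whoami /groups` (available on Windows Vista and later).
function Get-TokenUipiSummary {
    # /nh drops the localized header row; the column names are our own.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes

    # Mandatory integrity labels are SIDs under the S-1-16 authority;
    # the last sub-authority (RID) encodes the level.
    $levelNames = @{
        4096  = 'Low'
        8192  = 'Medium'
        12288 = 'High'
        16384 = 'System'
    }
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } |
        Select-Object -First 1

    $levelName = 'No label found'
    if ($label) {
        $rid = [int](($label.SID -split '-')[-1])
        if ($levelNames.ContainsKey($rid)) { $levelName = $levelNames[$rid] }
        else { $levelName = "Unknown (RID $rid)" }
    }

    # In a filtered administrator token, BUILTIN\Administrators
    # (S-1-5-32-544) is still listed but marked as deny-only.
    # Assumption: English attribute text "Group used for deny only".
    $admins   = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $denyOnly = [bool]($admins -and ($admins.Attributes -match 'deny only'))

    [pscustomobject]@{
        IntegrityLevel     = $levelName
        IntegritySid       = if ($label) { $label.SID } else { $null }
        AdminGroupPresent  = [bool]$admins
        AdminGroupDenyOnly = $denyOnly
    }
}

Get-TokenUipiSummary
```

For an administrator account with UAC enabled, a normal prompt reports Medium with AdminGroupDenyOnly true, and a "Run As Administrator" prompt reports High with AdminGroupDenyOnly false.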

