Angels of security » Microsoft

Windows 7 firewall and IPv6

admin — Thu, 11 Mar 2010 19:32:05 +0000

Another random Windows 7 fact I learned today – if you disable the Windows 7 firewall, it will also disable IPV6 and Service Hardening. Microsoft’s logic appears to be simply that if a system doesn’t have the Windows firewall enabled, then it should be treated as an insecure machine and not trusted to connect with an IPV6 IPSec tunnel. The obvious flaw in this logic is that many enterprises use other firewalls, which Windows will not account for. Those people will then have ot enable the Microsoft firewall and just put it into a completely accepting state if they want to use IPV6.

Windows resource editors

admin — Wed, 18 Feb 2009 15:05:28 +0000

I recently borrowed a copy of Hacking Windows XP from a friend. (I was under the impression that it would be about, well, hacking). It’s really all about customizations that you can do to your system, through changes to the system files and registry. One useful thing it did have was a link to a very good resource editor called Resource Hacker. It’s been years since I’ve used a Windows resource editor, and I’m starting to remember how fun (and utterly time consuming) it can be to mess around with the look and feel of your Windows apps and OS. In short, Resource Hacker lets you open up an executable or library file (exe, dll, ocx, scr, or cpl), and see that various resources within it – things like text string and icons – and lets you change them. Say you don’t like an error message, just find that text string and change it. Don’t like the way an app looks? Just change the icons. Don’t like the fact that the start button says start? Change it. (It’s just a text string after all). I know someone will point out that a hex editor can do many of the same things, however a resource editor organizes the data for you making it easier to find that string you want to change (or just browse), and it should (in theory at least) keep you away from the executable code which could break the app. It also let’s you see and edit graphics. If you ever want to find a fun way to kill a lazy Sunday afternoon, I highly recommend it.

MS09-002 reverse engineered

admin — Tue, 17 Feb 2009 20:42:34 +0000

ISC is reporting that they’re seeing exploits of MS09-002 in the wild. MS09-002 is an exploit which allows for remote code execution on IE7. The vulnerability was first reported to MS in October of 2007 by the Zero Day Initiative. Microsoft issued the patch a week ago. Given this, ISC is also claiming that it is likely that the patch was reverse engineered to find the vulnerability, and I would have to agree. I’m sure the anti-disclosure crowd will be using this one as proof positive for their position in the future.

bountys for virus writers

admin — Fri, 13 Feb 2009 19:23:35 +0000

The Conficker worm author is the latest to latest to have a bounty placed on his/her head. While I’m not inherently opposed to rewarding people who turn in criminals (it certainly has been standard practice in the non-cyber world for centuries). However, I think that in this case the organization offering the bounty is simply trying to look “tough on crime” after suffering for decades due to their lax security posture.

update On a related topic, when doing some background research on conficker, I stumbled across the following headline:

French navy surrenders to Conficker The jokes just sort of write themselves….

Format string attacks in Windows and sort.exe

admin — Mon, 26 Jan 2009 15:39:46 +0000

Well that was a long and unexpected blogging break. It started because I wanted to write a long and detailed post about the last BGP exploit when I realized how little most security people knew about BGP. Unfortunately I never had time, a bunch of other things demanded my attention, (like real life), and then once I got out of the habit of blogging, it was too easy to just ignore it. I’m back though, and I’ll try to blog regularly, albeit perhaps at a slower rate if real life persists in being as time consuming as its been lately.

Since this blog is coming back from a long hiatus, I think perhaps it’s appropriate to do so by bringing back an old vulnerability from a long hiatus as well. Format String Vulnerabilities have been around since around 1999. The short explanation is that when a C program doesn’t use format specifiers (you know, all those %s things you learned about way back when), but rather just prints a buffer directly, an attacker could put in format specifiers (like %x and %n). %x will just print the next hex number on the stack, so an attacker can view the stack. %n is more insidious – it is used to count the number of characters printed so far and copy that number into an arbitrary memory array. An attacker can use this to overwrite a given memory location (like, say, a return pointer) and execute arbitrary code.

In August of 2004 it was revealed that Windows’ sort.exe had a format string vulnerability. Like most people, I assumed that since the fix for this is trivial (just use a format specifier instead of printing the buffer directly), Microsoft would have fixed it in the next patch release or service pack. Lo and behold, they haven’t. This is a copy and paste from the command shell of my Windows XP machine.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>ver

Microsoft Windows XP [Version 5.1.2600]

C:\>sort %x
7c812f39The system cannot find the file specified.

C:\>sort %x%x
7c812f390The system cannot find the file specified.

C:\>sort %x%x%x
7c812f3900The system cannot find the file specified.

C:\>sort %x%x%x%x
7c812f390078257825The system cannot find the file specified.

C:\>sort %x%x%x%x%x
7c812f39007825782578257825The system cannot find the file specified.

C:\>sort %x%n

(sort.exe crashes as I’ve tried to write data to some random place in memory)

Everyone knows that Microsoft has a reputation for not fixing vulnerabilities unless forced to, but this is bad even by their standards. 4+ years and they haven’t fixed a know format string vulnerability.