BugTraq
Windows Vista Power Management & Local Security Policy Jul 18 2008 02:39AM
Abe Getchell (me abegetchell com) (3 replies)
Re: Windows Vista Power Management & Local Security Policy Aug 01 2008 08:43PM
William A. Rowe, Jr. (wrowe rowe-clan net)
RE: Windows Vista Power Management & Local Security Policy Jul 27 2008 09:26PM
Greg (bugtraq1 pchandyman com au)
RE: Windows Vista Power Management & Local Security Policy Jul 19 2008 05:36AM
Jim Harrison (Jim isatools org) (1 replies)
RE: Windows Vista Power Management & Local Security Policy Jul 19 2008 07:33AM
Abe Getchell (me abegetchell com) (1 replies)
RE: Windows Vista Power Management & Local Security Policy Jul 19 2008 10:19PM
Thor (Hammer of God) (thor hammerofgod com) (1 replies)
RE: Windows Vista Power Management & Local Security Policy Jul 20 2008 07:32PM
Abe Getchell (me abegetchell com) (1 replies)
RE: Windows Vista Power Management & Local Security Policy Jul 20 2008 08:33PM
Jim Harrison (Jim isatools org) (1 replies)
It's about reality & priorities.

What we're both saying is:
1. it's a bug and should be fixed in accordance with its impact on real (not imagined) functionality & security
2. unless this provides some exploit that doesn't start with "if I can install software on the host", it's not more than "a bug in a security mechanism"

If someone can demonstrate an actual vulnerability or exploit on the basis of this bug _alone_, then they may have something to make noise about. There are enough real bugs and security vulns in software to deal with. Not every security issue spells doom and damnation or warrants immediate corrective response from the vendor.

Jim

-----Original Message-----
From: Abe Getchell [mailto:me (at) abegetchell (dot) com [email concealed]]
Sent: Sunday, July 20, 2008 12:32 PM
To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
Cc: bugtraq (at) securityfocus (dot) com [email concealed]
Subject: RE: Windows Vista Power Management & Local Security Policy

So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?

--
Abe Getchell
me (at) abegetchell (dot) com [email concealed]
https://abegetchell.com/

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor (at) hammerofgod (dot) com [email concealed]]
> Sent: Saturday, July 19, 2008 6:20 PM
> To: me (at) abegetchell (dot) com [email concealed]; Jim Harrison; bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> If Jim is going to get Nancy to run a program, and that's "not all that hard," then why not just have that program do what you want in the first place rather than worrying about the power switch nonsense? This is the one million and fourth time: "If your 'vulnerability' begins with 'if I can get the user to run code' then whatever comes after the 'then' doesn't matter. Period."
>
> t
>
>
>
> > -----Original Message-----
> > From: Abe Getchell [mailto:me (at) abegetchell (dot) com [email concealed]]
> > Sent: Saturday, July 19, 2008 12:33 AM
> > To: 'Jim Harrison'; bugtraq (at) securityfocus (dot) com [email concealed]
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > As stated in my original e-mail to the list, I definitely don't think that this is a security vulnerability in a traditional sense. I completely agree with you. Think about it this way... When you press the power button on the machine and it performs a graceful shutdown, stuff happens inside of the operating system. That stuff happens at an elevated privilege level. If there were some way to hook into the stuff that happens, you (as an unauthenticated user), could do bad things (besides simply shutting down the system) using that hook simply by pressing the power button at the logon screen. For example, if Jim wants to know what Nancy is working on, he could write a program which e-mails him the contents of her "My Documents" folder that is triggered by a hook into that process. All Jim needs to do is get Nancy to run that program on her system (not hard) and walk by her office when she's not there and hit the power button (also not hard). So what can _I_ do with this bug? Not much, I'm not that great of a programmer... but I think someone out there could do some nasty stuff.
> >
> > --
> > Abe Getchell
> > me (at) abegetchell (dot) com [email concealed]
> > https://abegetchell.com/
> >
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim (at) isatools (dot) org [email concealed]]
> > > Sent: Saturday, July 19, 2008 1:36 AM
> > > To: 'me (at) abegetchell (dot) com [email concealed]'; bugtraq (at) securityfocus (dot) com [email concealed]
> > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > >
> > > Abe,
> > >
> > > Other than a denial-of-service from the console (is the power switch now a security vuln, too?), what can you do with this bug? It's absolutely, unquestionably a "bug"; the user should see behavior as dictated by logic and described in the documentation, but a "security vulnerability"?
> > >
> > > I think that's stretching things juuuuuust a bit.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: Abe Getchell [mailto:me (at) abegetchell (dot) com [email concealed]]
> > > Sent: Thursday, July 17, 2008 7:39 PM
> > > To: bugtraq (at) securityfocus (dot) com [email concealed]
> > > Subject: Windows Vista Power Management & Local Security Policy
> > >
> > > When the security option "Shutdown: Allow system to be shut down without having to log on" (in the local security policy) is set to "Disable", and the power management setting "When I press the power button" is set to "Shut Down", it is possible for an unauthenticated user to press the power button at the Windows logon screen and gracefully shut down the system. The explanation of this security option, taken from the local security policy, is as follows:
> > >
> > > "Shutdown: Allow system to be shut down without having to log on
> > >
> > > This security setting determines whether a computer can be shut down without having to log on to Windows.
> > >
> > > When this policy is enabled, the Shut Down command is available on the Windows logon screen.
> > >
> > > When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, *users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown*.
> > >
> > > Default on workstations: Enabled.
> > > Default on servers: Disabled."
> > >
> > > Note the text between the asterisks. While this bug isn't necessarily a software flaw allowing for an intrusion into the system in a traditional sense, it does set a bad precedent in that power management has a free pass to bypass local security policy and perform actions expressly against the defined policy. It appears that the only impact the use of this security option actually has is enabling or disabling the display of the "power button" on the Windows logon screen (locally only - this setting has no effect on remote desktop connections - the "power button" is not displayed in either case), not actually preventing anyone from (gracefully) shutting down the system without logging in.
> > >
> > > I reported this to the MSRC on 6/25/2008 and their stance was that this wasn't a security vulnerability, but was likely a bug, and was passed directly to the product team to investigate through their normal bug triage process. After some back and forth, there was silence, and I let them know I was going to release this information to the community.
> > >
> > > This was tested on Windows Vista SP1 (32-bit).
> > >
> > > --
> > > Abe Getchell
> > > me (at) abegetchell (dot) com [email concealed]
> > > https://abegetchell.com/
> > >
> > >
> >
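
An audit check for the configuration described in the original post, as an added example that is not part of the thread or any poster's code: it reports whether a host has the logon-screen shutdown policy disabled while the hardware power button is still mapped to "Shut down". It assumes English `powercfg` output and the standard `ShutdownWithoutLogon` registry value; the function and variable names are illustrative.

```powershell
# Added example (not from the thread): audit one host for the policy/power-button mismatch.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ButtonGuid  = '7648efa3-dd9c-4e3e-b566-50f929386280'   # "Power button action" setting
$ActionNames = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }

function Get-PowerButtonAction {
    param([string[]]$PowercfgLines)
    # Walk the powercfg output; inside the power-button setting block, collect
    # the "Current AC/DC Power Setting Index: 0x..." values (English labels assumed).
    $inBlock = $false
    $result  = @{}
    foreach ($line in $PowercfgLines) {
        if ($line -match 'Power Setting GUID:\s*([0-9a-fA-F-]{36})') {
            $inBlock = ($Matches[1] -eq $ButtonGuid)
        } elseif ($inBlock -and $line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9a-fA-F]+)') {
            $result[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
        }
    }
    return $result
}

# 0 = "Shutdown: Allow system to be shut down without having to log on" is Disabled,
# 1 = Enabled, $null = value not present.
$policy = (Get-ItemProperty -Path $PolicyKey -Name ShutdownWithoutLogon `
           -ErrorAction SilentlyContinue).ShutdownWithoutLogon

# Power-button settings of the active power scheme.
$buttons = Get-PowerButtonAction (& powercfg.exe /query SCHEME_CURRENT SUB_BUTTONS)

foreach ($source in 'AC', 'DC') {
    if (-not $buttons.ContainsKey($source)) { continue }
    $action = $buttons[$source]
    $name   = $ActionNames[$action]
    if ($null -eq $name) { $name = "index $action" }

    # The combination from the post: policy disabled, button still shuts down.
    $mismatch = ($policy -eq 0) -and ($action -eq 3)
    '{0} power: ShutdownWithoutLogon={1}, power button="{2}", mismatch={3}' -f `
        $source, $policy, $name, $mismatch
}
```

A `mismatch=True` line means the power button can still shut the machine down at the logon screen even though the policy says a logon is required.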

RE: Windows Vista Power Management & Local Security Policy Jul 20 2008 10:04PM
Abe Getchell (me abegetchell com) (1 replies)
RE: Windows Vista Power Management & Local Security Policy Jul 22 2008 03:15PM
James C. Slora Jr. (james slora phra com) (2 replies)
RE: Windows Vista Power Management & Local Security Policy Jul 22 2008 10:37PM
Abe Getchell (me abegetchell com)
RE: Windows Vista Power Management & Local Security Policy Jul 22 2008 07:46PM
Jim Harrison (Jim isatools org)







 

Copyright 2009, SecurityFocus