Install Vista, Install Big Brother


Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
if one exploits a service inside a process that houses other services, then those other services are directly vulnerable, REGARDLESS of OS-level privs.

So what you're trying to say is that if you exploit telnetd which was started as part of some svchost process, all of the other services started by that same svchost process are immediately accessible to your exploit code, right?
 

VirtualLarry

No Lifer
Aug 25, 2001
56,544
10,171
126
Originally posted by: Nothinman
if one exploits a service inside a process that houses other services, then those other services are directly vulnerable, REGARDLESS of OS-level privs.

So what you're trying to say is that if you exploit telnetd which was started as part of some svchost process, all of the other services started by that same svchost process are immediately accessible to your exploit code, right?

As far as I know, that is the case, since they are all in the same process address space.

I am assuming that the person writing the exploit code is familiar with the address-space layout of that particular SVCHOST.EXE process. (What services are normally loaded and at what address, making direct access easy.)

On XP, "tasklist /svc" gives you a list of processes and the services contained inside them.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
And for those following the discussion, I posted a (true) statement, and then Bill posted a (true) statement, which does not in any way make my statement false. He seems to be asserting otherwise.

Larry, let's go back to your original claim. You said that having multiple services running in the same address space was a security issue; you said for security they really should EACH be running as a separate Win32 process. You said that by making them into separate processes an exploit in one COULD NOT THEN AFFECT THE OTHERS.

I pointed out that if I get exploited code into any service I have access to BOTH the other services running in the same address space AND the address space of all other processes running on the box (including other services in OTHER address spaces).

Therefore I said, since all of the services are primarily running as SYSTEM there was NO security benefit to your claim that services should not run in the same container.

I said the correct solution was to group related services together, give them the minimum privileges required, and run them in a security context which would NOT allow them to modify other processes (or files etc.) on the exploited machine.

This is what needed to be done, and it's what MS did in Vista (what a coincidence, eh?). So either myself, the security community, and the MS folks just don't get it. Or you don't. I think we all know the answer to that one.

"I've got a math degree, so you're wrong!"

Yes, Mr. I've-coded-x86-before.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
So what you're trying to say is that if you exploit telnetd which was started as part of some svchost process, all of the other services started by that same svchost process are immediately accessible to your exploit code, right?

Larry is correct in that statement; the code loaded by svchost can be thought of as DLLs loaded into a hosted container. The container's memory address space (at least for unmanaged code) is shared. So as an example the BITS service (if exploited) is in the same address space as AeLookupSvc, AppInfo and a few others on my box. However Larry was wrong when he stated that putting each into its own address space would increase security, because at the time each service would still have access to the other address spaces as well. This situation was slightly improved by XP and greatly improved by Vista. It's the same as when the Unix community realized (albeit a lot earlier) that not every daemon should be running as root.

I am assuming that the person writing the exploit code is familiar with the address-space layout of that particular SVCHOST.EXE process. (What services are normally loaded and at what address, making direct access easy.)

On Vista the address space is randomized (we, well, in this case actually I, have some earlier work on this as well as a patent), which makes it more difficult for certain return-to-libc style attacks to work.
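The "tasklist /svc" check from Larry's post and the shared-container point in Bill's reply, as an added example that is not part of the thread: it groups running services by hosting process, shows the svchost "-k" group name and the account each group runs under, and flags the case the thread worries about, several services sharing one process that runs as LocalSystem. The function name Show-ServiceHosts is assumed; it relies on the standard Win32_Service CIM class.

```powershell
# Added example, not from the original thread. Lists which services share a host
# process and what account each group runs as, using Win32_Service (PowerShell 5.1+).

function Get-HostExe([string]$path) {
    # PathName may be quoted ("C:\Program Files\x\y.exe" -arg) or bare (C:\...\svchost.exe -k netsvcs)
    if ($path -match '^"([^"]+)"') { return $Matches[1] }
    return ($path -split '\s+')[0]
}

function Get-SvchostGroup([string]$path) {
    # svchost.exe is started with "-k <group>"; standalone services have no group.
    if ($path -match '-k\s+(\S+)') { return $Matches[1] }
    return '-'
}

function Show-ServiceHosts {
    $running = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 }

    # One group per hosting process: this is what "tasklist /svc" shows, plus the token.
    $groups = $running | Group-Object -Property ProcessId | Sort-Object Count -Descending

    foreach ($g in $groups) {
        $first    = $g.Group[0]
        $hostExe  = Get-HostExe $first.PathName
        $kGroup   = Get-SvchostGroup $first.PathName
        $accounts = ($g.Group.StartName | Sort-Object -Unique) -join ', '

        # Several services in one address space AND a LocalSystem token is the
        # pre-Vista situation the thread describes: one exploit reaches all of them
        # and the token lets it reach the rest of the box too.
        $flag = ''
        if ($g.Count -gt 1 -and $accounts -match 'LocalSystem') { $flag = '  <-- shared + LocalSystem' }

        Write-Host ('PID {0,-6} services={1,-3} group={2,-22} account={3}' -f $g.Name, $g.Count, $kGroup, $accounts)
        Write-Host ('    host: {0}{1}' -f $hostExe, $flag)
        foreach ($s in ($g.Group | Sort-Object Name)) {
            Write-Host ('    {0,-28} {1}' -f $s.Name, $s.DisplayName)
        }
    }
}

Show-ServiceHosts
```

On current Windows 10/11 machines with more than about 3.5 GB of RAM most svchost groups are already split one service per process, so the flagged rows are typically the few groups Microsoft still co-hosts; the account column is the part that changed with Vista's least-privilege service model.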
 

Seekermeister

Golden Member
Oct 3, 2006
1,971
0
0
bsobel,

I haven't got a clue as to what you and VirtualLarry are talking about, but I find it amusing regardless. I'm sure that there is a correct answer to the subject, but it would seem that two people, who have above average knowledge of this "science", would be able to agree on this. If this is too deep of a subject for normal understanding, then where is the superiority of your science?
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
I said the correct solution was to group related services together, give them the minimum privileges required, and run them in a security context which would NOT allow them to modify other processes (or files etc.) on the exploited machine.

A final comment on the 'group related services' statement. The reason services were designed this way originally (one container, many workers) was the process overhead cost if they were all separate. It IS a tradeoff; the earlier tradeoff was bad (since any service exploit pretty much gave you the box). The tradeoff is much better now that service privileges are much more tightly controlled.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
I haven't got a clue

That is the first statement in this thread you've made I can agree with.

I find it amusing regardless

VL is amusing; he shows up, spouts off anti-MS stuff for a few weeks and then leaves for a while. He made himself famous around here warning about the end of the world since XP supported hibernation on desktop machines.

I'm sure that there is a correct answer to the subject, but it would seem that two people, who have above average knowledge of this "science", would be able to agree on this.

Many of us would disagree with the statement that VL has an above average knowledge of this 'science'.

If this is too deep of a subject for normal understanding, then where is the superiority of your science?

Science isn't a popularity contest. It's hard to have an intelligent discussion with someone who argues that the earth was created around 5k BC and no evidence to the contrary will be considered. That is why I often suggest you stay out of science threads, since your arguments always fall back to 'but my god said so and my god is cooler than yours'.

Bill
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I am assuming that the person writing the exploit code is familiar with the address-space layout of that particular SVCHOST.EXE process. (What services are normally loaded and at what address, making direct access easy.)

That's also assuming that services under svchost are grouped in a predetermined manner which I doubt is true.

I'm sure that there is a correct answer to the subject, but it would seem that two people, who have above average knowledge of this "science", would be able to agree on this.

Most of the time it's a communication problem and not one of knowledge (or both if one person thinks he understands more than he does), once both sides figure out what the other is talking about things will become more clear. =)

If this is too deep of a subject for normal understanding, then where is the superiority of your science?

Frankly I don't think it's too deep for normal understanding, the problem in this thread is a people issue and not a scientific one. And trying to turn every discussion into science vs theology is really annoying.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: Nothinman
I am assuming that the person writing the exploit code is familiar with the address-space layout of that particular SVCHOST.EXE process. (What services are normally loaded and at what address, making direct access easy.)

That's also assuming that services under svchost are grouped in a predetermined manner which I doubt is true.

Actually under default installs they were (it could vary depending on what optional components you installed). So memory addresses did tend to remain constant on 2k, even XP. Heck, with 2k MS still thought prebasing helped load time enough to discount the horrible security implications; they finally realized the error of their ways on that one. Memory layouts are much different now with Vista, even on the same machine between boots.

And trying to turn every discussion into science vs theology is really annoying.

I think that should read 'trying to turn every discussion into science vs theology is going to cause vacations'.

Bill
 

VirtualLarry

No Lifer
Aug 25, 2001
56,544
10,171
126
Originally posted by: bsobel
Larry, let's go back to your original claim. You said that having multiple services running in the same address space was a security issue,
Yes, that's what I said. That exploiting one could lead to easy exploitation/DoS on the others.
Originally posted by: bsobel
you said for security they really should EACH be running as a separate win32 process.
Yes, I said that would be the fix for the issue I was discussing.
Originally posted by: bsobel
You said that by making them into separate processes that an exploit in one COULD NOT THEN AFFECT THE OTHERS.
No I didn't, Bill. I said that it would prevent an exploit for one service from directly accessing and exploiting another.

Originally posted by: bsobel
I pointed out that if I get exploited code into any service I have access to BOTH the other services running in the same address space AND the address space of all other process running on the box (including other services in OTHER address spaces).
No, only if the service that you exploit had "higher privs", allowing a privilege escalation vulnerability. Fix that, using your (correct) suggestion, and guess what? The security issue that I am describing still exists!

Originally posted by: bsobel
Therefore I said, since all of the services are primarily running as SYSTEM there was NO security benefit to your claim that services should not run in the same container.
You (essentially) said that because there were so many holes in windows, fixing my claimed hole wouldn't matter. Which was incorrect, it's still a hole.

Originally posted by: bsobel
I said the correct solution was to group related services together, give them the minimum privileges required, and run them in a security context which would NOT allow them to modify other processes (or files etc.) on the exploited machine.

This is what needed to be done, and it's what MS did in Vista (what a coincidence, eh?). So either myself, the security community, and the MS folks just don't get it. Or you don't. I think we all know the answer to that one.
The problem is that we've been discussing two *different* exploit scenarios. Your "fix" doesn't fix my exploit scenario, and my "fix" doesn't fix your exploit scenario. Both are holes, and BOTH need to be fixed.

Even after fixing the "privilege escalation exploit due to a compromised service with higher privs" issue, my issue STILL REMAINS. The correct solution to my scenario is to REDUCE THE ATTACK SURFACE, by segregating services into their own process address spaces. That way, compromising one doesn't lead to compromising them all.

That's all I've been trying to point out, and something that you steadfastly refuse to understand.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,544
10,171
126
Originally posted by: bsobel
A final comment on the 'group related services' statement. The reason services were designed this way originally (one container, many workers) was the process overhead cost if they were all separate. It IS a tradeoff; the earlier tradeoff was bad (since any service exploit pretty much gave you the box). The tradeoff is much better now that service privileges are much more tightly controlled.

True, the tradeoff is similar to what happened in terms of moving things into kernel space in NT 4.0, to increase speed at the expense of stability and security. Interestingly enough, they are moving in the opposite direction with Vista, moving as much non-essential stuff out of kernel mode as possible. (I.e., segregation is good for security, which is at the core of my suggested fix.)
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
No I didn't, Bill. I said that it would prevent an exploit for one service from directly accessing and exploiting another.

Fixing the 'issue' as you described it would not stop one service from accessing another. All I can figure at this point is you're hung up on the fact that one mode allows me to use a local pointer and the other requires me to map part of the other address space before I use a local pointer.

No, only if the service that you exploit had "higher privs", allowing a privilege escalation vulnerability.

Seriously, do you even know what a privilege escalation attack is, because what you just described isn't one.

You (essentially) said that because there were so many holes in windows, fixing my claimed hole wouldn't matter. Which was incorrect, it's still a hole.

No what I said was fixing that while services still had the rights required to affect others results in a change that made zero difference. What you should be arguing is it makes sense now in the Vista model (then it just gets into a process vs thread overhead discussion and where to draw that line). Your thoughts on how to fix this on 2k/xp are still wrong. But as I said before, maybe myself, the security community, and the guys who implemented this on Vista all got it wrong.

The problem is that we've been discussing two *different* exploit scenarios. Your "fix" doesn't fix my exploit scenario, and my "fix" doesn't fix your exploit scenario. Both are holes, and BOTH need to be fixed.

Sigh. Your fix (presuming it should be done) couldn't be done until mine was. Period. Mine is now implemented.

That's all I've been trying to point out, and something that you steadfastly refuse to understand.

Oh, I think we all know who doesn't understand.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Just out of curiosity, what was the logic behind allowing separate processes to access each other's address spaces? Is it for the purposes of ipc, like some sort of poor man's shared memory? This is the first I've ever heard of it and it's kinda shocking
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Just out of curiosity, what was the logic behind allowing separate processes to access each other's address spaces? Is it for the purposes of ipc, like some sort of poor man's shared memory? This is the first I've ever heard of it and it's kinda shocking

It's pretty much required for debugging.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0

TWiT radio podcasting (professional podcasts) had an interview with Peter Gutmann, who is the author of 'A Cost Analysis of Windows Vista Content Protection', this last Thursday on their 'Security Now' series.
http://www.twit.tv/sn74


I am listening to it right now. The discussion is centering around the fact that PCs were very successful (as compared to Apple's computers) because they've always been open. People have always had the ability to make PC hardware and PC software freely. However with the DRM and Microsoft/Intel/etc.'s content protections they are changing this to a closed system where you have to pay huge licensing fees and take lots of restrictions in order to make compatible hardware/software.
 

WiseOldDude

Senior member
Feb 13, 2005
702
0
0
I have no problem with artists, studios making a buck, and their right to protect their product.

However when they become so overzealous that legitimate owners of their product are constantly hassled, inconvenienced, and have to continually prove that they are legitimate owners, then they can go pound sand. To assume that every copy is a pirated copy until the owner proves that it isn't is like throwing the concept of "innocent until proven guilty" out with the trash.

This draconian mindset is not going to stop pirates, it is only going to piss off legitimate owners, and I hope it blows up in their faces as the buying public say "hell no, I ain't buying any more of their output if I am hassled every third time I want to watch it". And what is going to happen in 8 - 10 years? Will you just have to throw out the collection you have invested in simply because it has been pirated and your player/PC has been disabled or downgraded?

I will not upgrade to Vista, or to an HD DVD or Blu-ray player, until this is sorted out.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
I have no problem with artists, studios making a buck, and their right to protect their product.

Well, to be honest the people that actually make the 'content' (irritating word) have to surrender their copyrights to the big studios in order to get paid. Most of them accept this trade off.

but not all of them

We also have situations where studios, especially music, sit on artists and get people into contracts where they don't make any money from what they do.

For example it's common practice to get new bands to sign deals in which they are required to make a certain amount of albums for the studio.. But the studio people don't want them to make the album; the studio people feel that they can't make money off of them, so they don't bother producing anything. The reason they signed them to the label in the first place is simply to prevent other studios from signing them. No joke.

So from a moral standpoint it's not like the RIAA folks or the other folks are being fair to anybody. They don't actually make music, they don't actually make movies. They purchase the rights to distribute the music and movies and such, and often they are very very dishonest about what they do. They have the system rigged both ways so that they effectively rip off the artists and then turn around and try to rip off the consumers.

These aren't any more honest or honorable than the pirates they are trying to fight against.

That is the real reason for this DRM and rights and licensing and such. It's not to protect themselves from piracy (which is a pointless exercise for the most part. With digital media only one copy needs to be compromised, then the pirates can have as many copies as they want).

But the true purpose is to control the distribution channels.

These guys and their corporations were brought into existence for a very good reason.. And that reason was because from the 1930's to the 1990's the cost of producing, promoting AND distributing copies of media was so expensive that no single person or group of artists could do it.

The airwaves are tightly controlled by the FCC, which only lets a very select group of citizens (which have enough money to buy their way into it) be able to distribute radio and television signals.

The costs of doing cable TV and distributing content that way were considerable. Just imagine how much work and money it takes to set up satellite communications and television stations with those huge cameras and all sorts of very complex electronics.. not to mention paying the government enough money to let you use the radio waves and setting up a transmitter. All of that you had to do in the previous decades.

The costs of setting up a music, television, or movie studio were also enormous.

The costs of advertising it, and then dealing with the manufacturing process to produce the content and then transport it and set up store fronts and all that were huge.

So they provided a very important role of standardizing how the media works and making it possible for people to hear and sell visual and audio based media.

So to do this you ended up with very big businesses which had to deal with a lot of money just to do basic stuff. Big corporations and everything.....


But nowadays how much does it cost to setup a podcast?

You get a few people together, spend maybe 15-30 thousand dollars on decking out somebody's basement with some foam and such to get a good acoustic environment, and set up a few computers and some good quality digital recording equipment, and you're set. Now you have a studio about as good as anybody had access to for the past 60 years.

And the cost of distributing the content is the cost of internet access. You have the ability to distribute that stuff to 1,000 times as many people as CBS or ABC ever had access to in the 70's.

When the artists don't need the studios to produce music and consumers don't need studios to access music, then what does anybody need studios for? Essentially you're seeing with this DRM crap a multi-billion dollar industry seeking to find a way to justify its own existence.

Within the next decade you'll see the costs for producing video dropping down to middle class affordability also.

People are beginning to figure out how to deal with that also.
For example check out "Channel 102"...
They have some funny stuff going on.
http://www.channel102.net/show.php?show=2

You send them a MiniDV tape, they put it in front of an audience with a bunch of other people's videos, and then that is how they figure out if they are going to help fund you to produce shows.

The main barrier right now is the cost of bandwidth.

All sorts of stuff.
Real internet TV


I will not upgrade to Vista, or to an HD DVD or Blu-ray player, until this is sorted out.

I'll upgrade to HD-DVD or Blu-ray when they sort each other out and the cost of getting a burner drops down to under 150 bucks or so.
 

WiseOldDude

Senior member
Feb 13, 2005
702
0
0
A Cost Analysis of Windows Vista Content Protection

Executive Summary
-----------------
Windows Vista includes an extensive reworking of core OS elements in order to
provide content protection for so-called "premium content", typically HD data
from Blu-Ray and HD-DVD sources. Providing this protection incurs
considerable costs in terms of system performance, system stability, technical
support overhead, and hardware and software cost. These issues affect not
only users of Vista but the entire PC industry, since the effects of the
protection measures extend to cover all hardware and software that will ever
come into contact with Vista, even if it's not used directly with Vista (for
example hardware in a Macintosh computer or on a Linux server). This document
analyses the cost involved in Vista's content protection, and the collateral
damage that this incurs throughout the computer industry.

Executive Executive Summary
---------------------------
The Vista Content Protection specification could very well constitute the
longest suicide note in history

http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

Since 95% of hardware sold will run Windows, vendors will produce only hardware that AACS will be able to control. Even if this does not penetrate into Linux code, and remains benign when running something besides Vista (assuming that drivers can be written for the hardware), you will at minimum be paying 50% - 100% more for your next video card because of AACS. Just bought the latest and greatest video or sound card? You might have to scrap it!

Read this document or listen to the podcast mentioned by drag a few messages above.
 