Bugtraq mailing list archives
RE: Windows Vista Power Management & Local Security Policy
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Sat, 19 Jul 2008 15:19:46 -0700
If Jim is going to get Nancy to run a program, and that's "not all that hard," then why not just have that program do what you want in the first place rather than worrying about the power switch nonsense? This is the one million and fourth time: "If your 'vulnerability' begins with 'if I can get the user to run code' then whatever comes after the 'then' doesn't matter. Period." t
-----Original Message----- From: Abe Getchell [mailto:me () abegetchell com] Sent: Saturday, July 19, 2008 12:33 AM To: 'Jim Harrison'; bugtraq () securityfocus com Subject: RE: Windows Vista Power Management & Local Security Policy As stated in my original e-mail to the list, I definitely don't think that this is a security vulnerability in a traditional sense. I completely agree with you. Think about it this way... When you press the power button
on
the machine and it performs a graceful shutdown, stuff happens inside of the operating system. That stuff happens at an elevated privilege level.
If
there were some way to hook into the stuff that happens, you (as an unauthenticated user), could do bad things (besides simply shutting down the system) using that hook simply by pressing the power button at the logon screen. For example, if Jim wants to know what Nancy is working on, he could write a program which e-mails him the contents of her "My Documents" folder that is triggered by a hook into that process. All Jim needs to do is get Nancy to run that program on her system (not hard) and walk by her office when she's not there and hit the power button (also not hard). So what can _I_ do with this bug? Not much, I'm not that great of a programmer... but I think someone out there could do some nasty stuff. -- Abe Getchell me () abegetchell com https://abegetchell.com/-----Original Message----- From: Jim Harrison [mailto:Jim () isatools org] Sent: Saturday, July 19, 2008 1:36 AM To: 'me () abegetchell com'; bugtraq () securityfocus com Subject: RE: Windows Vista Power Management & Local Security Policy Abe, Other than a denial-of-service from the console (is the power switch now a security vuln, too?), what can you do with this bug? It's absolutely, unquestionably a "bug"; the user should see behavior as dictated by logic and described in the documentation, but a
"security
vulnerability"? I think that's stretching things juuuuuust a bit. Jim -----Original Message----- From: Abe Getchell [mailto:me () abegetchell com] Sent: Thursday, July 17, 2008 7:39 PM To: bugtraq () securityfocus com Subject: Windows Vista Power Management & Local Security Policy When the security option "Shutdown: Allow system to be shutdownwithouthaving to log on" (in the local security policy) is set to
"Disable",
and the power management setting "When I press the power button" is setto"Shut Down", it is possible for an unauthenticated user to press the power button at the Windows logon screen and gracefully shutdown the system. The explanation of this security option, taken from the local security policy, is as follows: "Shutdown: Allow system to be shut down without having to log on This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available ontheWindows logon screen. When this policy is disabled, the option to shut down the computerdoesnot appear on the Windows logon screen. In this case, *users must be
able
to log on to the computer successfully and have the Shut down the systemuserright before they can perform a system shutdown*. Default on workstations: Enabled. Default on servers: Disabled." Note the text between the asterisks. While this bug isn't
necessarily
asoftware flaw allowing for an intrusion into the system in a traditional sense, it does set a bad precedence in that power management has afreepass to bypass local security policy and perform actions expressly
against
the defined policy. It appears that the only impact the use of this security option actually has is enabling or disabling the display of the"powerbutton" on the Windows logon screen (locally only - this setting hasnoaffect on remote desktop connections - the "power button" is not displayed in either case), not actually preventing anyone from (gracefully) shutting down the system without logging in. I reported this to the MSRC on 6/25/2008 and their stance was thatthiswasn't a security vulnerability, but was likely a bug, and was
passed
directly to the product team to investigate through their normal bug triage process. After some back and forth, there was silence, and I let
them
know I was going to release this information to the community. This was tested on Windows Vista SP1 (32-bit). -- Abe Getchell me () abegetchell com https://abegetchell.com/
Current thread:
- Windows Vista Power Management & Local Security Policy Abe Getchell (Jul 18)
- RE: Windows Vista Power Management & Local Security Policy Jim Harrison (Jul 19)
- RE: Windows Vista Power Management & Local Security Policy Abe Getchell (Jul 19)
- RE: Windows Vista Power Management & Local Security Policy Thor (Hammer of God) (Jul 21)
- RE: Windows Vista Power Management & Local Security Policy Abe Getchell (Jul 21)
- RE: Windows Vista Power Management & Local Security Policy Jim Harrison (Jul 21)
- RE: Windows Vista Power Management & Local Security Policy Abe Getchell (Jul 21)
- RE: Windows Vista Power Management & Local Security Policy James C. Slora Jr. (Jul 22)
- RE: Windows Vista Power Management & Local Security Policy Jim Harrison (Jul 22)
- RE: Windows Vista Power Management & Local Security Policy Abe Getchell (Jul 23)
- RE: Windows Vista Power Management & Local Security Policy Abe Getchell (Jul 19)
- RE: Windows Vista Power Management & Local Security Policy Jim Harrison (Jul 19)
- <Possible follow-ups>
- RE: Windows Vista Power Management & Local Security Policy Good Securitypractice (Jul 23)