Bugtraq mailing list archives

RE: Local persistent DoS in Windows XP SP2 Taskmgr


From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Sat, 15 Mar 2008 15:41:12 -0700

A couple of questions...

One, there is no "TaskManager" key under HKCU\Software\Microsoft\Windows
NT\CurrentVersion in either XP or Vista.  And making one, and then
adding a null-value "Preferences" REG_BINARY value didn't affect
taskmanager at all...  Is this specific to the German version of XP or
something?

And you have to be an administrator to write to the
HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport value you
reference in the "exploit" code...

So, are you saying that if you get the administrator of a box to run
your arbitrary code "virus," that you could then write a registry value
that makes TaskManager crash, and thus, (since TaskManager won't run)
you've "hidden" your process from the user?  Why not just load a kernel
mode rootkit that hides itself?  Or why not do a million other things
since you've gotten them to first run code as admin?  I mean, it's
really kind of silly to make TaskManager crash and tip your hand like
that, don't you think? 

You see, (and this must be 1 million and 12 times said here) if you get
someone to run arbitrary code as administrator, then, well, it doesn't
matter at all what comes after "then." Then, ANYTHING.  If the admin
runs arbitrary code, nothing matters at all, period. 

If that's the response you got from MSFT that makes you think they are
"totally ignorant," then I guess you can count me among them.

t
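An added example, not code from either message or from core-security.net, that checks the two things the reply above turns on: whether the HKCU TaskManager key and its "Preferences" value exist at all, and whether the current token can actually write the HKLM ErrorReporting key the exploit modifies. The registry paths are the ones named in the thread; the backup file name is an assumption, and the script is meant for an interactive PowerShell session on the box under test.

```powershell
# Added example (not from the thread). Reproduces the repro and privilege
# checks from the reply above. Paths are those named in the thread; the
# backup file name below is an assumption.

$taskmgrPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\TaskManager'
$werSubKey   = 'SOFTWARE\Microsoft\PCHealth\ErrorReporting'

# 1. Is the TaskManager key present, and does it carry a "Preferences" value?
if (Test-Path $taskmgrPath) {
    $key = Get-Item $taskmgrPath
    if ($key.GetValueNames() -contains 'Preferences') {
        "Preferences present, type: $($key.GetValueKind('Preferences'))"
    } else {
        'TaskManager key exists but has no Preferences value'
    }
} else {
    'No TaskManager key under HKCU\...\CurrentVersion (the observation above)'
}

# 2. Can this token write the HKLM key? Opening it writable either succeeds
#    (effectively admin) or throws SecurityException (not admin).
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as $($id.Name); member of Administrators: $isAdmin"
try {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($werSubKey, $true)
    if ($null -eq $hklm) {
        "HKLM\$werSubKey does not exist on this system"
    } else {
        "Write access to HKLM\$werSubKey granted; DoReport could be set"
        $hklm.Close()
    }
} catch [System.Security.SecurityException] {
    "Write access to HKLM\$werSubKey denied: a non-admin cannot set DoReport"
}

# 3. Before touching the key, export it so the change can be undone (the
#    "backup the key and repair the Registry" step from the original post).
$backup = Join-Path $env:TEMP 'ErrorReporting-backup.reg'   # assumed file name
reg.exe export "HKLM\$werSubKey" $backup | Out-Null
if (Test-Path $backup) {
    "Backup written to $backup (restore with: reg import $backup)"
}
```

The write test in step 2 is the one that matters for the "who can do this" question: it checks the effective permission on the key rather than inferring it from group membership, so it also catches a key whose ACL has been loosened.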



-----Original Message-----
From: SkyOut [mailto:skyout () gmx net]
Sent: Friday, March 14, 2008 12:48 PM
To: bugtraq () securityfocus com
Subject: Local persistent DoS in Windows XP SP2 Taskmgr

Dear list,

after weeks of total ignorance by Microsoft I decided to finally release
all information related to a bug that has to do with the Windows XP SP2
Taskmanager. Manipulating a Registry key makes it possible to disable the
Taskmgr. On the next startup it will crash with an error message. It is
possible to back up the key and repair the Registry doing so, but the
attack scenario is clear: A virus uses this code, the user can't open the
Taskmgr anymore and your process is somehow "hidden".

The full information about this bug can be found here:
http://core-security.net/archive/2008/march/index.php#14032008

And the exploit is available here:
http://core-security.net/releases/exploits/taskmgr_dos.c.txt

Greets,
SkyOut

---
core-security.net
---

