Bugtraq mailing list archives

Re: Circumventing Critical Security in Windows XP


From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Mon, 1 Mar 2010 20:05:52 +0100

On 2010-02-28 anonym () anonym com wrote:
> administrator level doesn't matter much when we talk about
> antivirus/firewall software because nowadays they have a built-in
> protection that will try to prevent them from getting disabled, no
> matter what the user's access rights over the system are. if the
> software can be disabled, then the flaw is in the software itself,
> and is indeed a vulnerability.

They're using rootkit techniques to prevent the administrator from doing
what - by design and definition - he is *supposed* to be able to do.
Since this is not desirable, failing to do so certainly is not a
vulnerability. And no, there is no such thing as a "good" rootkit.

Any administrator who willingly allows this kind of crap within arm's
length of their systems needs a good beating with a cluestick. Badly.

> ps: on Windows XP users by default have admin rights when created, the
> standard user is a member of the administrators group. On Windows Vista
> and later the standard user is admin too but the UAC forces the user
> to have "user level" rights. but demonstration code has been published
> to bypass this protection, then again that kind of modification (the
> modification made by the sc command is reflected in the registry in
> HKEY_LOCAL_MACHINE, in which only admins can write data) will be
> possible.

Just shows what a big load of bullshit UAC is. I've been successfully
using LUA for years, and I don't see any reason at all to switch to UAC.

You cannot protect a system from its administrator without demoting him
from being administrator. Period. And if you are going to demote him:
who is going to fix your system when things go wrong?

Regards
Ansgar Wiechers
-- 
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

