(as apllied to Full Trust Asp.Net vulnerabilities) Re: [Full-disclosure] Compromising pictures of Microsoft Internet Explorer!

[Dinis Cruz <dinis () ddplus net>]

I also had similar experiences with dealing with MSRC (Microsoft 
Security Response Center) where they were quite pedantic and wanted me 
to send them very detailed information about the issues that I was 
talking about

Eventually I realized that it was not that they were not understanding 
what I was saying, it was that they wanted to know how much I (me, 
Dinis) understood about the issue and how to exploit the vulnerabilities.

And in my case it was worse, because we were arguing about the 
'definition of a vulnerability' where I was telling them that a 
malicious Full Trust Asp.Net script could take over an entire server 
(even following Microsoft's recommended security best-practices) and 
they where saying that THAT is not a vulnerability since what I was 
exploiting was 'built-in' functionality in the .Net framework to attack 
the server.

Their answer to all issues I mentioned (for example: all 
usernames/passwords stored in the metabase can be decrypted by any 
member belonging to the IIS_WPG, the reuse/hijack of the Security Tokens 
that exist in a  IIS Process, the upload and execution of 
binaries/exploits to the server, the fact that most published 
security-advisories also apply to Full Trust Asp.Net/IIS environments, 
the asp.net temporary folders, the default access to WMI, the fact the 
IIS 6.0 doesn't scale very well when multiple Applications pools are 
used,  etc...) is: "that occurs by design in Full Trust Asp.Net"

Eventually I gave up, and since most of the people who should care (for 
example ISPs, software developers, end-clients) don't care (or are not 
aware), I decided that the best use of my time and effort would be to 
write tools that help responsible and security-conscious administrators 
to identify vulnerabilities in their hosting environments. This is what 
I did at Owasp (Open Web Application Security Project) where you will 
find several tools that I wrote: ANSA (Asp.Net Security Analyzer), 
SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments) 
, Asp.Net Reflector, Online Metabase Explorer, etc... (The main Owasp 
website is at www.owasp.org and the dotnet section is at www.owasp.net.)

Note that I have been warning Microsoft about these issues for more that 
18months now, and finally it seems to exist some interest in 
acknowledging them (I had a meeting last week in Redmond where we 
discussed this) and at least now (July 2005) they seem to want to do 
something about it (the first step will be to acknowledge the problem).

Although I believe that some care must be placed in the disclosure of 
0-day style vulnerabilities that can be maliciously exploited by worms 
and virus, I don't believe that we should subscribe to the COTS 
'responsible vulnerability disclosure' ideas since they are designed to 
minimize the impact of the vulnerabilities in their stock price, instead 
of increasing the security of their products and clients.

In fact, I have to say that Microsoft for all its sins, it is not the 
worse one in this aspect. At least Microsoft will do the right thing 
when shown a vulnerability which can be maliciously exploited in a 
massive scale. I have had several past experiences where I was working 
for Client X, testing Product Y, and after delivering my report 
(containing several critical vulnerabilities on Product Y) only Client X 
received a patch (because the other clients that used this product were 
not aware of these vulnerabilities, they never complained, where never 
told about this issues and only received the patch in the next 'service 
pack').

And as the low-hanging fruit vulnerabilities dry up, and more time is 
required to find existing vulnerabilities, it is very important that we 
have clear, honest and object discussions about vulnerability disclosure.

But, since this discussion is not possible today (there is too much 
'emotion in the air' :) ), and Full (or almost Full) disclosure of 
vulnerabilities is not always possible (for example when vulnerabilities 
are discovered under NDAs) I think that the best solution is for 
companies to be forced (maybe by government legislation or by client 
pressure)  to disclose how many vulnerabilities in their 
products/websites their are aware of (either found internally  
communicated to them by a client or security research company). This 
could be a bit like what eEye does these days when they say that a 
vulnerability has been discovered, when it was discovered/communicated 
to the vendor, talk about the it impact, but don't publish technical 
details about it until a patch is released.

Dinis Cruz
.Net Security Consultant
Owasp .Net Project Leader


Bernhard Mueller wrote:

> > Mr. Zalewski's statement about the undue burden that Microsoft's
> > investigative processes place on the researcher is indeed accurate.  The
> > only time I've had any success working with Microsoft was when the issue
> > was a straightforward code execution scenario.  Oh wait... even then,
> > I'm blown off.
> >    
>
> the same here... when I mailed them about that COM-vulnerability in IE,
> they came up with "this is not exploitable, bla.." after two weeks of
> internal research
> and all. having a bad morning anyway, I decided to post the advisory and
> see, one day later there's a MS security advisory that "a COM object may
> crash internet explorer" (however, they forgot to mention the public
> bindshell exploit released by the fsirt).
> now recently MS05-37 came out, which somehow doesn't include any credits
>  or mention of the original advisory whatsoever (the reason for that
> being, i presume, the lack of responsibility showed by us).
> I think it's rather strange to hear a billion-dollar software monopolist
> apply to my conscience like "look what you've done, you put our
> customers at risk". they wouldn't give a lame cent on the security of
> their customers if there wasn't a certain media hype about security.
> they care for their image and stock index, and that's about it. and i
> don't see why should be held responsible for that ;)
>
>
> regards,
>
> sk0L
>  

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/