Re: I want to retrieve Username, Password, Domain text from GINA system.

On Fri, 19 Apr 2002, Gregory G. Dyess wrote:

> The issue is that using this approach, you can compromise OTHER systems to
> which you have no access otherwise. By capturing a higher-level access
> credentials, you have escaped the bounds of your playpen.
Compromising a system as a superuser and using that compromised system to
steal credentials is AFAIK always going to be possible. From C1 through to
A1, there exists (through necessity) a class of user who can install code
that can compromise the system.

Once such code is installed, the system loses its evaluated status. To
minimize this risk, be careful to only give trusted people the privileges
required to perform such actions.

> At the very least, this completely violates C-2 Security in a number of
> areas, not the least of which is traceability.
I’m looking at the C2 criteria, and I don’t see how this causes a problem.
Once this code is inserted, the system loses its evaluated status; the
only concern is what goes on before inserting the code.

Using your load driver or debug privilege is an auditable operation.
Modifying the registry to install a new GINA is an auditable operation.
Attempting to talk to the LSA is an auditable operation. Logging on as a
superuser is an auditable operation. Running programs is an auditable
operation. Compromising the machine in this way can be audited (though
superusers can, of course, clear the security log – though this too is
audited). And that’s all C2 says will happen.

I don’t see that allowing superusers to do this kind of thing violates C2.
It does permit them to turn a C2 system into a non-C2 system, but this is
merely one way of many of achieving such an end.

> Or does MS even give a shit about C-2 security any more??
I believe the C2 has been superseded, so probably not.

Greg

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Peter Viscarola
Sent: Friday, April 19, 2002 11:23 AM
To: NT Developers Interest List
Subject: [ntdev] Re: I want to retrieve Username, Password, Domain text
from GINA system.

> “Michal Vodicka” wrote in message news:xxxxx@ntdev…
> > >
> > This is right for the local computer. Think about the network. You can be a
> > local administrator with no or restricted access to network resources. If
> > somebody with more network privileges logs on to your computer locally (luser
> > asks admin to fix a problem) and you’re able to capture his plaintext
> > password, you can log on to the network later as him. You can also log on to
> > local computers where you had no access before and do evil work as him there.
> >
>
> (I realize we’re wandering off topic here, sorry)
>
> You’re an admin on the local system. You load a driver. You log off.
> Somebody with big-shot high-level network creds logs into the system, and
> does something. Your driver contrives to run in the context of his process.
> The driver captures his security context, and stores it. Later, that driver
> can restore and impersonate that security context at will.
>
> I’m not saying it’s a trivial exploit, or that this is a good idea. But,
> seriously, unless I misunderstand some intricate detail of how security
> contexts work: Once you ARE the operating system… well, you’re the
> operating system. It’s really rather pointless trying to protect the
> operating system from itself. You’re part of the Trusted Computing Base by
> definition…
>
> Peter
> OSR
>
> —
> You are currently subscribed to ntdev as: xxxxx@pdq.net
> To unsubscribe send a blank email to %%email.unsub%%
>


Peter xxxxx@inkvine.fluff.org
http://www.inkvine.fluff.org/~peter/

logic kicks ass:
(1) Horses have an even number of legs.
(2) They have two legs in back and fore legs in front.
(3) This makes a total of six legs, which certainly is an odd number of
legs for a horse.
(4) But the only number that is both odd and even is infinity.
(5) Therefore, horses must have an infinite number of legs.
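Peter's point above is that every step of the chain (using the load-driver or debug privilege, swapping the GINA in the registry, registering with the LSA, clearing the log) leaves an audit record. As an added example that is not part of the thread, this Python script correlates those records per user so a reviewer can spot the sequence rather than single events. It assumes the Vista-and-later Security log event IDs (4672, 4657, 4611, 1102), the Winlogon GinaDLL registry value, and a constructed, simplified `k=v|k=v` line format rather than a real log export.

```python
from collections import defaultdict

# Constructed sample audit lines in a simplified "k=v|k=v" format (not a real
# Security-log export). Event IDs are the Vista-and-later Security log IDs for
# the operations the thread calls auditable: 4672 special privileges assigned at
# logon, 4657 registry value modified, 4611 logon process registered with the
# LSA, 1102 audit log cleared. Users and values are made up for the example.
SAMPLE_LOG = r"""
id=4672|user=ALICE|privs=SeLoadDriverPrivilege,SeDebugPrivilege
id=4657|user=ALICE|key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|value=GinaDLL
id=4611|user=ALICE|process=CustomGina
id=1102|user=ALICE
id=4672|user=BOB|privs=SeBackupPrivilege
"""

# Privileges that let a logon load code into, or debug, the Trusted Computing Base.
HIGH_RISK_PRIVS = {"SeLoadDriverPrivilege", "SeDebugPrivilege", "SeTcbPrivilege"}
GINA_VALUE = "GinaDLL"  # Winlogon registry value naming the GINA DLL


def parse_line(line):
    """Split one 'k=v|k=v' line into a dict; a value keeps any '=' after the first."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def findings_by_user(log_text):
    """Map each user to the list of TCB-affecting auditable actions seen for them."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, eid = ev.get("user", "?"), ev.get("id")
        if eid == "4672":
            risky = set(ev.get("privs", "").split(",")) & HIGH_RISK_PRIVS
            if risky:
                findings[user].append("logon granted " + ",".join(sorted(risky)))
        elif eid == "4657" and ev.get("value") == GINA_VALUE:
            findings[user].append("GinaDLL registry value modified")
        elif eid == "4611":
            findings[user].append("logon process registered with LSA: " + ev.get("process", "?"))
        elif eid == "1102":
            findings[user].append("security log cleared")
    return dict(findings)


def users_to_review(log_text, min_findings=2):
    """Users showing at least min_findings steps of the chain, for follow-up."""
    return sorted(u for u, f in findings_by_user(log_text).items() if len(f) >= min_findings)
```

Only ALICE trips the review threshold here; BOB's backup privilege alone is not part of the chain.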