Trust based on certificates

After a recent off-list discussion with David Cattley, I thought I’d put
this through to the list.

Recent issues involving nag dialogs posted during a driver install
turned out to be solved by adding certificates to the Trusted Publishers
store.

During testing, I found it’s possible to do this (if you have rights -
by default granted to Administrators, SYSTEM and CryptSvc) by writing to
the registry - since the cert stores are simply stored in registry.

Normally when you install some software you’re given the opportunity to
consider whether you trust the publisher. This happens when you see the
dialog asking you if you trust that publisher.

It seems it’s possible to circumvent this by a simple registry write.

Seems like a trust / security issue to me, since I don’t believe many
people pay much attention to what certs are in their store, and it would
be far too easy for a malware author to release some legit-looking
software (e.g free simple util) which could deposit certs for future
malware to use to bypass warnings. I would have expected the store to
be signed somehow, so that only crypto APIs could add certs, and then
only with warnings to the user that certs were being installed. I view
adding a Root Cert as a non-trivial matter, due to the trust it then
conveys. Much more grave than say copying a file to Program files,
which will earn you 2 UAC warnings on Vista. To be able to do so
without any warning at all (on 2k8 R2 anyway) seems a security issue.
Why even have this dialog if it's so easily circumvented?

Since you can add any cert to root (e.g. self-signed), then the amount
of trust conveyed by certs is therefore questionable in this case.

What do others think?

Adrien

Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

> After a recent off-list discussion with David Cattley, I thought I'd put
> this through to the list.
>
> Recent issues involving nag dialogs posted during a driver install
> turned out to be solved by adding certificates to the Trusted Publishers
> store.
>
> During testing, I found it's possible to do this (if you have rights -
> by default granted to Administrators, SYSTEM and CryptSvc) by writing to
> the registry - since the cert stores are simply stored in registry.
>
> Normally when you install some software you're given the opportunity to
> consider whether you trust the publisher. This happens when you see the
> dialog asking you if you trust that publisher.
>
> It seems it's possible to circumvent this by a simple registry write.
>
> Since you can add any cert to root (e.g. self-signed), then the amount
> of trust conveyed by certs is therefore questionable in this case.
>
> What do others think?

I think that if you let untrusted software write to your system then all
bets are off anyway. And if the software is trusted but still malicious,
then why would it limit itself to a simple registry write and then hope
that you go and install the now-trusted software? Once it has the
required credentials it could futz with your system in far worse ways
than add a registry key. A cleanup tool can easily find and remove the
errant cert, and a CRL could take care of it too with even less effort
(I think). Likewise an antivirus suite could detect and prevent (or at
least double-check with the user) if the registry write should succeed.

Remember - you asked for opinions :)

James

On 30/03/2010 1:17 a.m., James Harper wrote:

> I think that if you let untrusted software write to your system then all
> bets are off anyway.

I think the reason there’s so much malware out there, is because malware
authors have been quite successful in getting people to let software
write to their system.

> And if the software is trusted but still malicious,
> then why would it limit itself to a simple registry write and then hope
> that you go and install the now-trusted software? Once it has the
> required credentials it could futz with your system in far worse ways
> than add a registry key.

Sure, but that would draw attention to itself. There have been systems
in the past that spread by stealth, and then activate at some later stage.

My point was that people don’t much look in their cert stores. They may
also rely on warning dialogs from the OS asking if they wish to trust a
publisher.

> A cleanup tool can easily find and remove the
> errant cert,

Sure, once it knows about it.

> and a CRL could take care of it too with even less effort
> (I think).

I don't know if a CRL entry is a mandatory attribute for a cert, or if it
would point to the malware author's OCSP server anyway.

> Likewise an antivirus suite could detect and prevent (or at
> least double-check with the user) if the registry write should succeed.

Right, that could be more useful - warn the user that some piece of
software is trying to install a trusted root cert.

> Remember - you asked for opinions :)

Sure :)

Thanks

Adrien

> James
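The thread's two practical points (the stores live in the registry, so a direct write adds trust silently, and a useful defence is to notice when something lands in a trusted store) can be checked with a baseline diff. The script below is an added example, not code from the thread or from OSR: it snapshots the machine-wide Root and Trusted Publishers stores through the Cert: drive, which reads the same data the registry holds, and on later runs reports certificates that were not in the baseline, flagging self-signed ones; the baseline file path is an assumption.

```powershell
# Added example (not from the thread): audit the machine-wide Root and
# TrustedPublisher stores against a saved baseline. Run elevated so the
# LocalMachine stores are fully readable.

$Stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher'
$BaselinePath = "$env:ProgramData\CertAudit\baseline.json"   # assumed location

function Get-StoreSnapshot {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p | ForEach-Object {
            [pscustomobject]@{
                Store      = $p
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                # A root whose subject equals its issuer is self-signed; in
                # TrustedPublisher that is the pattern the thread worries about.
                SelfSigned = ($_.Subject -eq $_.Issuer)
            }
        }
    }
}

$current = Get-StoreSnapshot -Paths $Stores

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is trusted today so later runs can diff against it.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written with $($current.Count) certificates."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($b in $baseline) { $known["$($b.Store)|$($b.Thumbprint)"] = $true }

# Anything present now but absent from the baseline was added since the
# snapshot, whether through the crypto APIs or by a direct registry write.
$added = $current | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") }

foreach ($c in $added) {
    $flag = if ($c.SelfSigned) { 'SELF-SIGNED' } else { 'new' }
    $msg = "{0} cert in {1}: {2} (thumbprint {3}, issuer {4})" -f $flag, $c.Store, $c.Subject, $c.Thumbprint, $c.Issuer
    Write-Warning $msg
}
if (-not $added) { Write-Output 'No certificates added since baseline.' }
```

Schedule it after a known-good install to get a clean baseline, then run it periodically or after installing software that shows the publisher dialog; a new entry you did not approve is the case the thread describes.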


NTDEV is sponsored by OSR

