Free Republic


Flaws in the security features of (Windows)SP2
Heise Security ^ | 08/13/04 | Jürgen Schmidt

Posted on 08/18/2004 5:54:56 AM PDT by Salo

Flaws in SP2 security features

Author: Jürgen Schmidt, heise Security
Date: August 13, 2004
German Advisory: http://www.heise.de/security/artikel/50046
English Version: http://www.heise.de/security/artikel/50051

Overview

With Service Pack 2, Microsoft introduces a new security feature which warns users before executing files that originate from an untrusted location (zone) such as the Internet.

There are two flaws in the implementation of this feature: a cmd issue and the caching of ZoneIDs in Windows Explorer. The Windows command shell cmd ignores zone information and starts executables without a warning. Virus authors could use this to spread viruses despite the new security features of SP2.

Windows Explorer does not update zone information properly when files are overwritten, so it can be tricked into executing files from the Internet without a warning.

Background

Internet Explorer and Outlook Express mark files that are downloaded from the Internet or saved from an e-mail with a Zone Identifier (ZoneID), which reflects the security zone from which the file originates. The ZoneIDs correspond to the Internet Explorer security zones. This information is saved in an Alternate Data Stream (ADS) of the file; alternate data streams are a feature of the NTFS filesystem. The stream carrying the ZoneID is named Zone.Identifier and can be viewed and modified with Notepad by opening "<filename>:Zone.Identifier".
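The stream itself is a short INI-style text (a [ZoneTransfer] section with a ZoneId field). The following is an added example, not code from the heise advisory: it parses that stream, applies the "warn for ZoneId 3 and above" rule, and reads or writes the stream on NTFS through the "<file>:Zone.Identifier" syntax. The sample streams are constructed; the zone names are the Internet Explorer zone names the ZoneId values correspond to.

```python
"""Parse and evaluate the Zone.Identifier stream (the "mark of the web").

Added example; not code from the heise advisory. The stream layout is the
one IE and Outlook Express write (an INI-style [ZoneTransfer] section with
a ZoneId field); the sample streams below are constructed.
"""
import os
import re
from typing import Optional

STREAM_NAME = "Zone.Identifier"

# ZoneId values map to the Internet Explorer security zones.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Explorer (and the built-in ZIP handler) act on ZoneId >= 3.
WARN_THRESHOLD = 3


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if absent.

    Expected form (CRLF line endings in practice):
        [ZoneTransfer]
        ZoneId=3
    Newer Windows versions append ReferrerUrl= and HostUrl= lines; they are
    ignored. Only a ZoneId inside the [ZoneTransfer] section counts.
    """
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section:
            m = re.fullmatch(r"zoneid\s*=\s*(\d+)", line, re.IGNORECASE)
            if m:
                return int(m.group(1))
    return None


def should_warn(zone_id: Optional[int]) -> bool:
    """Explorer's decision: prompt for Internet (3) and Restricted sites (4)."""
    return zone_id is not None and zone_id >= WARN_THRESHOLD


def read_zone_id(path: str) -> Optional[int]:
    """Read <path>:Zone.Identifier on NTFS; None if the file or stream is missing.

    The "file:stream" syntax is resolved by the Windows file API. On other
    platforms the colon is an ordinary character and the open simply fails.
    """
    try:
        with open(f"{path}:{STREAM_NAME}", encoding="ascii", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def write_zone_id(path: str, zone_id: int) -> None:
    """Attach or overwrite the Zone.Identifier stream of an existing NTFS file."""
    with open(f"{path}:{STREAM_NAME}", "w", encoding="ascii", newline="\r\n") as f:
        f.write(f"[ZoneTransfer]\nZoneId={zone_id}\n")


# Constructed sample streams.
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"       # an Internet download
SAMPLE_INTRANET = "[ZoneTransfer]\nZoneId=1\n"           # LF endings, intranet
SAMPLE_WITH_URLS = (                                      # newer Windows adds URLs
    "[ZoneTransfer]\r\nZoneId=4\r\n"
    "ReferrerUrl=http://example.invalid/\r\nHostUrl=http://example.invalid/a.exe\r\n"
)
SAMPLE_WRONG_SECTION = "[Other]\r\nZoneId=3\r\n"          # ZoneId outside its section


def describe(stream_text: str) -> str:
    """One-line summary: zone name and whether Explorer would prompt."""
    z = parse_zone_identifier(stream_text)
    if z is None:
        return "no Zone.Identifier: no warning"
    verdict = "warning" if should_warn(z) else "no warning"
    return f"ZoneId={z} ({ZONE_NAMES.get(z, 'unknown zone')}): {verdict}"


if __name__ == "__main__":
    for s in (SAMPLE_INTERNET, SAMPLE_INTRANET, SAMPLE_WITH_URLS, SAMPLE_WRONG_SECTION, ""):
        print(describe(s))
    if os.name == "nt":  # round trip on a real NTFS file (assumes cwd is on NTFS)
        with open("sample.txt", "w") as f:
            f.write("hello\n")
        write_zone_id("sample.txt", 3)
        print("sample.txt ->", read_zone_id("sample.txt"))
```

The parser only honours a ZoneId inside the [ZoneTransfer] section, so a stray "ZoneId=" elsewhere in the stream is not mistaken for a mark; the NTFS round trip at the end is the same thing Notepad does when you open "sample.txt:Zone.Identifier".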

When a user later tries to execute a file that was downloaded from the Internet and has therefore been given ZoneID=3, a warning is displayed. The ADS persists even if the file is moved, as long as it stays on NTFS drives. The Windows built-in ZIP utilities honor ZoneIDs and, for example, do not extract executable files from archives with a ZoneID greater than or equal to 3.

1. The cmd Issue

Description

The command shell cmd.exe ignores the ZoneID of files. The command

cmd /c evil.exe

executes the file evil.exe without warning, regardless of its ZoneID. Even worse: If an executable file is saved as evil.gif, the command

cmd /c evil.gif

will launch the program without any warning despite its ZoneID being 3. This is true for any file extension. The execution of files through cmd regardless of their extension is not new in SP2; it works with every version of Windows XP.

Note: By default, users are not allowed to save "dangerous" files (i.e. files with extensions like .exe) from Outlook Express, but they can save executables with other file extensions such as .gif. Explorer and Outlook Express display them as images. Opening (i.e. double-clicking) those files in Explorer launches the registered file handler, in this case the image viewer.

Attack vector

Exploitation of this issue requires some user interaction, at least as long as nobody comes up with a way to execute cmd.exe with parameters from within Outlook Express or Internet Explorer. But viruses doing "social engineering" are commonplace by now. Bagle & Co asked users to enter a password to decode encrypted attachments. Therefore a virus author could create an e-mail worm like this:

Attached: access.gif

Hello,

attached you find the copy of your access data you requested. For security reasons, the file is scrambled and can only be viewed with cmd. To view it, save the attached file, execute "cmd" from the start menu, drag&drop the file into the new window and hit return. cmd will descramble the file for you.

If the user follows these instructions, the attached file is executed without any warning.

This might even deceive some of the more experienced users, because they do not expect files with extensions like "gif" to carry executable content and to be executed in such a simple manner.

Additionally, this method will evade some antivirus software which only scans or blocks files with extensions it knows to be potentially dangerous.
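Since cmd runs a file by its contents and not by its name, a gateway or endpoint check that wants to catch the "access.gif" trick has to look at the bytes, not the extension. The following is an added example, not code from the heise advisory: it detects a PE image (MZ header whose e_lfanew points at the PE signature) hiding under a non-executable extension and checks that "harmless" extensions carry the magic bytes they claim. The extension and magic-number lists are the author's assumptions, and the sample attachments are constructed.

```python
"""Spot executables disguised under a harmless extension (the evil.gif trick).

Added example; not code from the heise advisory. cmd /c runs a file by its
contents, not its extension, so a mail gateway or endpoint check has to look
at the bytes. The sample attachment bytes are constructed here; the
extension lists are assumptions, not a Windows definition.
"""
import os
import struct
from typing import Dict, List, Tuple

# Extensions Explorer itself treats as executable (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".dll", ".cpl", ".bat", ".cmd"}

# Magic numbers a "harmless" extension is expected to carry (assumed list).
EXPECTED_MAGIC: Dict[str, Tuple[bytes, ...]] = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF",),
    ".txt": (),  # no magic: anything goes
}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS MZ header whose e_lfanew points at PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False  # header truncated or pointing into the DOS stub
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(name: str, data: bytes, zone_id: int) -> dict:
    """Decide what to do with an attachment, whatever cmd would do with it.

    verdict: "block"  - PE content under a non-executable extension
             "prompt" - honest executable from ZoneId >= 3, or magic mismatch
             "allow"  - otherwise
    """
    ext = os.path.splitext(name)[1].lower()
    findings: List[str] = []
    pe = is_pe_image(data)
    if pe and ext not in EXECUTABLE_EXTENSIONS:
        findings.append("disguised_executable")
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not any(data.startswith(m) for m in expected):
        findings.append("magic_mismatch")
    if "disguised_executable" in findings:
        verdict = "block"
    elif findings or (ext in EXECUTABLE_EXTENSIONS and zone_id >= 3):
        verdict = "prompt"
    else:
        verdict = "allow"
    return {"name": name, "ext": ext, "is_pe": pe, "zone_id": zone_id,
            "findings": findings, "verdict": verdict}


def make_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-looking blob: MZ header, e_lfanew, PE signature."""
    hdr = bytearray(b"MZ")
    hdr += b"\x00" * (0x3C - len(hdr))
    hdr += struct.pack("<I", e_lfanew)
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00" + b"\x00" * 24  # a COFF header would follow in a real file
    return bytes(hdr)


# Constructed sample attachments.
ATTACHMENTS = {
    "access.gif": make_fake_pe(),            # the advisory's worm: PE saved as .gif
    "photo.gif": b"GIF89a" + b"\x00" * 32,   # a real-looking GIF
    "setup.exe": make_fake_pe(),             # honestly named executable
    "notes.gif": b"just some text\n",        # wrong magic, but not executable
}


if __name__ == "__main__":
    for name, data in ATTACHMENTS.items():
        print(classify_attachment(name, data, zone_id=3))
```

The PE check deliberately validates e_lfanew rather than just looking for "MZ", because the DOS stub of many legitimate non-PE files (and plenty of junk) starts with those two bytes; the ZoneId is still used, but only to decide whether an honestly named executable deserves the Explorer-style prompt.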

2. Windows Explorer caching of ZoneIDs

Description

Windows Explorer caches the result of ZoneID lookups. If a file is overwritten, Explorer does not properly update this cached information to reflect the new ZoneID. A file with an untrusted ZoneID thus inherits the cached verdict of the file it overwrites, one whose ZoneID was trusted or absent.

The following steps illustrate the problem.

1. Copy notepad to a new file.

> copy c:\windows\notepad.exe test.exe

You may also use Explorer to copy the file.

2. Open test.exe in Explorer: no warning.

3. evil.exe is a file saved from an e-mail attachment and has ZoneID=3. Check with your editor by opening "evil.exe:Zone.Identifier"; it displays ZoneID=3. Open evil.exe in Explorer: you will be warned.

4. Overwrite the copy of notepad.exe:

> copy evil.exe test.exe

test.exe:Zone.Identifier displays: ZoneID=3

5. Open test.exe in Explorer: no warning!

test.exe is launched without a warning despite its ZoneID=3. In the file properties, Explorer shows the correct notice about its origin, but for opening the file the old ZoneID status is used.

6. Double-check: kill the Explorer task, restart it and launch test.exe: you will be warned.
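The steps above show a verdict that is keyed by file name and survives the file being replaced underneath it. The following is an added example, not code from the heise advisory: it replays steps 1 to 5 on a temporary directory with two small verdict caches, one keyed by path only (the behaviour the advisory attributes to SP2's Explorer) and one keyed by the file identity that stat() reports, so an overwrite forces the stream to be read again. The Zone.Identifier read is injectable so the scenario runs on any OS; the default reader uses the NTFS "<file>:Zone.Identifier" syntax, and the stand-in streams are constructed.

```python
"""Why a ZoneId verdict must not be cached by path alone.

Added example; not code from the heise advisory. Replays the overwrite
scenario with a path-keyed cache (the flaw) and an identity-keyed cache.
"""
import os
import re
import shutil
import tempfile
from typing import Callable, Dict, Optional, Tuple

StreamReader = Callable[[str], Optional[str]]


def read_stream_ntfs(path: str) -> Optional[str]:
    """Default reader: text of <path>:Zone.Identifier, or None if absent."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="ascii", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def zone_id_of(stream: Optional[str]) -> Optional[int]:
    """Extract ZoneId=N from the stream text (None if no stream or no field)."""
    if stream is None:
        return None
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", stream, re.IGNORECASE | re.MULTILINE)
    return int(m.group(1)) if m else None


def needs_warning(zone_id: Optional[int]) -> bool:
    """Explorer prompts for ZoneId 3 (Internet) and above."""
    return zone_id is not None and zone_id >= 3


class PathKeyedCache:
    """Verdict cached by path only: it survives an overwrite of the file (the flaw)."""

    def __init__(self, reader: StreamReader = read_stream_ntfs) -> None:
        self._reader = reader
        self._verdicts: Dict[str, bool] = {}

    def should_warn(self, path: str) -> bool:
        if path not in self._verdicts:
            self._verdicts[path] = needs_warning(zone_id_of(self._reader(path)))
        return self._verdicts[path]


class IdentityKeyedCache:
    """Verdict cached by (path, size, mtime_ns, inode/file index).

    An overwrite changes the key, so the stream is read again. If an attacker
    can also forge timestamps and sizes, re-reading the small stream on every
    launch is the safer choice; it is one short read.
    """

    def __init__(self, reader: StreamReader = read_stream_ntfs) -> None:
        self._reader = reader
        self._verdicts: Dict[Tuple[str, int, int, int], bool] = {}

    def should_warn(self, path: str) -> bool:
        st = os.stat(path)
        key = (path, st.st_size, st.st_mtime_ns, st.st_ino)
        if key not in self._verdicts:
            self._verdicts[key] = needs_warning(zone_id_of(self._reader(path)))
        return self._verdicts[key]


def replay_overwrite_scenario() -> Tuple[bool, bool]:
    """Replay steps 1-5 of the advisory in a temp directory.

    Returns (path_keyed_verdict, identity_keyed_verdict) for test.exe after it
    has been overwritten with evil.exe. The correct answer is True for both;
    the path-keyed cache still says False.
    """
    streams: Dict[str, Optional[str]] = {}  # constructed stand-in for the NTFS streams

    def reader(path: str) -> Optional[str]:
        return streams.get(path)

    with tempfile.TemporaryDirectory() as d:
        test_exe = os.path.join(d, "test.exe")
        evil_exe = os.path.join(d, "evil.exe")
        # Step 1: a local copy of a trusted binary, no Zone.Identifier stream.
        with open(test_exe, "wb") as f:
            f.write(b"MZ trusted local binary")
        streams[test_exe] = None
        # evil.exe was saved from an e-mail: ZoneId=3.
        with open(evil_exe, "wb") as f:
            f.write(b"MZ payload saved from an e-mail attachment, a bit longer")
        streams[evil_exe] = "[ZoneTransfer]\r\nZoneId=3\r\n"

        stale = PathKeyedCache(reader)
        fresh = IdentityKeyedCache(reader)
        # Step 2: open test.exe once; both caches record "no warning".
        assert stale.should_warn(test_exe) is False
        assert fresh.should_warn(test_exe) is False
        # Step 4: copy evil.exe over test.exe; as in the advisory, the stream follows.
        shutil.copyfile(evil_exe, test_exe)
        streams[test_exe] = streams[evil_exe]
        # Step 5: open test.exe again.
        return stale.should_warn(test_exe), fresh.should_warn(test_exe)


if __name__ == "__main__":
    print(replay_overwrite_scenario())
```

The identity-keyed cache is what step 6 achieves by restarting Explorer: the cached verdict is thrown away and the stream on disk decides. It is not bulletproof (timestamps can be set by whoever can overwrite the file), which is why the docstring recommends simply re-reading the stream at launch time.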

Attack vector

Exploiting this issue requires the ability to overwrite existing files which have a trusted or non-existent ZoneID. Right now there is no known way to achieve this in an attack mounted from the Internet.

Vendor status

heise Security notified Microsoft about both issues on August 12. The Microsoft Security Response Center responded:

"We have investigated your report, as we do with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."

Some personal thoughts about this response can be found in the latest comment on heise Security: Microsoft: A matter of trust


TOPICS: Business/Economy; Technical
KEYWORDS: exploit; getamac; internetexploiter; lowqualitycrap; microsoft; patch; security; securityflaw; servicepack2; trojan; virus; windows; worm
FYI.
1 posted on 08/18/2004 5:55:00 AM PDT by Salo

To: ShadowAce; TechJunkYard; rdb3; Ernest_at_the_Beach; Bush2000; Golden Eagle; adam_az; Swordmaker

For your entertainment and enlightenment.

PS, Adam_az - saw your W04 rally pics - very nice.


2 posted on 08/18/2004 5:57:25 AM PDT by Salo

To: Salo

I would be correct in guessing this came from a beta version, as the software update hasn't come out yet?


3 posted on 08/18/2004 6:16:29 AM PDT by Conan the Librarian (I am a Librarian. I don't know anything....I just know where to look it up.)

To: Conan the Librarian

I am running the final version SP2 now.

Availability of the retail version is what is not out yet. Supposed to be today.


4 posted on 08/18/2004 6:19:59 AM PDT by snooker

To: Salo

I own a Mac. I use a stable System 10.2.8, and use Safari, for internet surfing. My condolences to you guys in the DOS/WinTel world... ROFLMAO...


5 posted on 08/18/2004 6:23:00 AM PDT by pageonetoo (Rush didn't know! Now, we all know! He probably broke the law! But, rushbots don't care! He's Rush!)

To: Salo

Didn't Microsoft pull back SP2 due to all the problems? I heard that there are many software packages that do not work or play well with SP2 in its present form.


6 posted on 08/18/2004 6:27:16 AM PDT by asgardshill (The Republican's best weapon lies midway between John Kerry's nose and lower chin.)

To: asgardshill

See this thread:

http://www.freerepublic.com/focus/f-news/1193879/posts


7 posted on 08/18/2004 6:36:07 AM PDT by CedarDave (Viet Nam Vet, USN Coastal Div. 13, Cat Lo, XO USCG patrol boat, 1968: No atrocities on my watch!)

To: pageonetoo

I own or manage them all - my preferred home box is this nifty iMac G4, but they are all good in their place.


8 posted on 08/18/2004 6:52:57 AM PDT by Salo

To: snooker; Conan the Librarian

It is my understanding that MS has pulled the xp pro patch to allow more testing - going to be out 08/25/04. It is likely that this company is testing on the real thing because some versions of it are and have been available.


9 posted on 08/18/2004 6:56:32 AM PDT by Salo

To: Salo
Before I owned my first Mac (512k ROM machine referred to as a "Fat Mac"), I experimented with everything from a Timex-Sinclair 64 to Commodore 64's, 128's, and an Amiga.

I enjoyed the graphic interface on my Commodore 64, using a joystick-driven GEOS program, but damn, it was ssssslllllloooooowwwwwww....

These days, I use an older G4 desktop, and a G4 Powerbook. My wife and 15 yr old daughter use G3 Wallstreet Edition PowerBooks, and we have an Airport Extreme base station to support us wirelessly around the homestead.

It works. All of the time. It doesn't crash. It works, all of the time... and I don't have to do a damn thing, but watch my typing!

10 posted on 08/18/2004 7:02:51 AM PDT by pageonetoo (Rush didn't know! Now, we all know! He probably broke the law! But, rushbots don't care! He's Rush!)

To: pageonetoo
That's why I like my mac - after a day of piddling around with various PCs and servers, I want to go home to something that just works.

It works. All of the time. It doesn't crash. It works, all of the time... and I don't have to do a damn thing, but watch my typing!

11 posted on 08/18/2004 7:41:49 AM PDT by Salo

To: Salo
Flaws in the security features of (Windows)SP2

That took longer than I expected.

12 posted on 08/18/2004 9:12:14 AM PDT by kezekiel

To: Salo
Attack vector

Exploiting this issue requires the ability to overwrite existing files which have a trusted or non-existent ZoneID. Right now there is no known way to achieve this in an attack mounted from the Internet.


AKA tempest in a teacup.
13 posted on 08/18/2004 10:45:08 AM PDT by Bush2000
