
Windows security 101 Program.exe

  • 26-02-2005 6:53pm
    #1
    Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭


    Some basic security issues in Windows - included because it shows how simple things can cause problems.

    http://www.theregister.co.uk/2005/02/23/ms_security_issues/
    Suppose that you want to run the following command:

    C:\Program Files\Internet Explorer\iexplore

    One cool thing about Windows is that although the path contains a space, it still runs the application fine, even if you don't place quotes around the entire command and even if you don't use the executable extension for iexplore.exe.

    But how does Windows know where the program path ends and the program's command line parameters begin? How does it know that the user isn't trying to run a program named "C:\Program.exe" with the parameter "Files\Internet Explorer\iexplore?"

    The problem is that it doesn't know. It just starts at the beginning and tries finding an executable until it finds a match. So in this case, it will try these files every time you run the command:

    C:\Program.exe
    C:\Program Files\Internet.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    You might see where I'm going with this: if you place an executable named program.exe in the root directory, it will probably end up running quite a bit. In fact, it will run anytime Windows launches a Program Files executable that does not have quotes around the path.

    Microsoft certainly is aware of this issue. In fact, it was probably a design decision at some point. If you run Windows XP, try placing an executable named program.exe and reboot your system. When it restarts, Windows will warn you about the complications of having that file there.

    Here's the problem: there are thousands of paths in the registry that do not have quotes around them, and many Windows systems have weak NTFS permissions that allow any user to write to the root directory. This is bad. As an experiment, I created a small program that simply logged every time it ran and under what user context. I rebooted and checked my Event Log. It turned out that on my system it ran eight times, twice under the context of the SYSTEM account and the rest as my own administrative account.
    ...
    We have raised the bar some, but we are nowhere near done. If you have any access to a system, you can likely gain administrative access.

    Sure, Microsoft is eliminating the low-hanging fruit. But what happens when there is no more low-hanging fruit? Crime doesn't stop because it is harder. Criminals get smarter. The question is, will we be ready when that time comes?
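
An added example (not part of the original post or the quoted article): a small Python audit that takes command strings of the kind stored in the registry and lists the paths Windows would try before the intended executable when the path is unquoted, following the search order the article describes. The sample strings and function names are constructed for illustration, and treating the first `.exe` followed by a space as the end of the program path is a simplifying assumption.

```python
import re

# Constructed sample command strings of the kind found in registry values;
# none of them are taken from the page except the iexplore path it quotes.
SAMPLES = [
    r"C:\Program Files\Internet Explorer\iexplore",
    r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome',
    r"C:\Program Files\Example Vendor\agent.exe --service",
    r"C:\Windows\system32\svchost.exe -k netsvcs",
]

def program_part(cmd):
    """Return the unquoted program path, or None if the command is quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return None  # quoted: the end of the program path is unambiguous
    # Assumption: the first ".exe" followed by a space (or the end of the
    # string) closes the program path; anything after it is arguments.
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", cmd)
    return m.group(1) if m else cmd

def earlier_candidates(cmd):
    """Paths that would be tried before the intended executable."""
    path = program_part(cmd)
    if path is None:
        return []
    pieces = path.split(" ")
    # Every space inside the path is a point where the search stops and
    # tries "<prefix>.exe" before moving on to the next, longer prefix.
    return [" ".join(pieces[:i]) + ".exe" for i in range(1, len(pieces))]

def audit(commands):
    """Map each at-risk command string to the earlier paths it exposes."""
    findings = {}
    for cmd in commands:
        cands = earlier_candidates(cmd)
        if cands:
            findings[cmd] = cands
    return findings

if __name__ == "__main__":
    for cmd, cands in audit(SAMPLES).items():
        print("UNQUOTED:", cmd)
        for c in cands:
            print("   tried first:", c)
        print("   fix: wrap the program path in double quotes")
```

Each flagged entry is fixed by quoting the program path in the stored command; tightening write permissions on the root directory removes the other precondition the article names.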


Comments

  • Registered Users, Registered Users 2 Posts: 380 ✭✭dogs


    Raymond Chen explains why that design decision was made here.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭Capt'n Midnight


    Point was that there are lots of little things like that which can be exploited in Windows; getting a browser to save a file with a certain name in a folder can mean it takes precedence over an OS file, and just toooo many autoruns. Reinforces the view that Windows is designed to make it easy to run/open things by default rather than checking to see if they should be opened.

    Here is one to try on Windows 9x:
    C:\WIN.BAT
    @Echo %0
    WIN.COM
    

    And one of the first things I do on a Windows system is untick the box that hides extensions of known files - it's far too easy to spoof the icon. It also means you can ask the user what type of file they are trying to open and then explain that PowerPoint is not included in their version of OEM Office.

