
Sometimes a bad feature is hard to tell apart from a good bug. In a sense it is even worse than a bug: it will never be fixed. For six years now Microsoft has known that a local administrator can hijack any user's session. Wait, it's an admin, they can do anything anyway! But let's look at what is actually wrong here.
It all started when researcher Alexander Korznikov published a post on his blog about a session-hijacking technique he had found. Everything is explained and shown in videos, accessibly and clearly. In short, the Windows utility tscon.exe lets you connect to someone else's session. This is a standard, built-in feature: you need to know the user's password. But if you run tscon as the SYSTEM user, the other user's password is no longer requested! You simply walk into another session like a boss. To pull off this trick, though, you need an extra admin tool such as psexec or similar; in a word, it is easy enough for a local admin to arrange.
The exploit's author did not bother notifying Microsoft before publishing, since the problem runs deep and a fix would take at least six months, and he was in a hurry to get famous. However, he unexpectedly found a post from 2011 in which researcher Benjamin Delpy describes the same problem. So Microsoft has known about it for a long time. Incidentally, a company representative willingly confirmed to a Threatpost journalist that "this is not a vulnerability at all, since exploitation requires administrative rights."

How so, guys? Being a local administrator on one computer does not mean I can roam the whole network and poke into all its hidden corners. Besides, in the real networks of serious organizations it often happens that the right people work as local administrators, simply because some critical business software won't run properly otherwise. Or the user is a bosom friend of the sysadmin.
And if this valuable employee picks up something nasty from email, the attackers will be able to hijack, say, the domain administrator's session, and nothing will stop them. It is a perfectly apocalyptic scenario for a targeted attack on an organization.
So Microsoft is partly right: yes, this is not a vulnerability. It is a gaping hole in the Windows security model. And we live with it, by the way. For dessert, a list of versions in which our hospitable feature resides:
- Windows 2016
- Windows 2012 R2
- Windows 2008
- Windows 10
- Windows 7.
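Since the feature will not be fixed, the practical answer is to watch for it. The following is an added detection example, not code from the column or from the researchers it cites; it assumes process-creation events (Windows Security event 4688 or Sysmon event 1) have already been parsed into dicts with the keys used below, and the events themselves are constructed for the demo.

```python
"""Flag tscon.exe launched as SYSTEM in process-creation logs.

Added example, not from the column. Assumes process-creation events have
already been flattened into dicts with the keys used below; the sample
events are constructed and do not come from a real host.
"""
import re
from typing import Dict, List

# Constructed sample events: an interactive admin run (password prompt
# applies), a SYSTEM run spawned from a service-style shell (no prompt),
# and an unrelated SYSTEM process that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "CORP\\jdoe", "image": r"C:\Windows\System32\tscon.exe",
     "cmdline": "tscon 3 /dest:rdp-tcp#1", "parent": r"C:\Windows\explorer.exe"},
    {"user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\tscon.exe",
     "cmdline": "tscon 2 /dest:console", "parent": r"C:\Windows\System32\cmd.exe"},
    {"user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "parent": r"C:\Windows\System32\services.exe"},
]

TSCON_RE = re.compile(r"(^|\\)tscon(\.exe)?$", re.IGNORECASE)
# 4688 reports "SYSTEM" with domain "NT AUTHORITY"; Sysmon joins them.
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}


def is_system_tscon(event: Dict[str, str]) -> bool:
    """tscon.exe started under SYSTEM: the one case where Windows skips the
    target user's password prompt, so it deserves triage even though rare
    automation may legitimately do the same thing."""
    return (bool(TSCON_RE.search(event.get("image", "")))
            and event.get("user", "").lower() in SYSTEM_ACCOUNTS)


def hijack_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return one human-readable alert per suspicious event."""
    alerts = []
    for ev in events:
        if is_system_tscon(ev):
            alerts.append(f"SYSTEM ran tscon: '{ev['cmdline']}' (parent {ev['parent']})")
    return alerts


if __name__ == "__main__":
    for line in hijack_alerts(SAMPLE_EVENTS):
        print(line)
```

Pair this with a Group Policy time limit for disconnected Remote Desktop sessions, so that a SYSTEM-level tscon has fewer abandoned sessions to attach to.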
The Chinese team escaped from the virtual machine
The title turned out ambiguous: nobody, of course, locked the Chinese team in virtual space; technology has not gotten that far yet, which is a pity. The guys from Qihoo's 360 Security team simply grabbed $105,000 at the Pwn2Own hacking competition, held at the CanSecWest conference in Vancouver. They managed to develop a method of escaping VMware Workstation, for which they had three competition days.

The crafty team built the exploit from a chain of three bugs: a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware. By the way, last year this category was left without a winner, which is why the prize grew from $75,000 to $100,000.
Having gathered speed, the Chinese could no longer stop: they casually cracked Adobe Reader and Adobe Flash and trampled macOS with a privilege-escalation method. As a result, the team took the top prize, Master of Pwn. Keep that in mind if you ever feel like joking about the qualifications of Chinese hackers.
HTTPS inspection may make the channel insecure
Captain Obvious came to the rescue of the wavering once again. US-CERT issued a paper responsibly stating that the use of HTTPS traffic inspection tools reduces the security of the channel. E-he-he, but what else do we need them for?
US-CERT's message is essentially that when such a tool sits on the network, the user cannot verify the validity of the server certificate or the strength of the channel encryption. The box inspecting HTTPS traffic is placed in the man-in-the-middle position. The user can check the certificate of this spying box, and the box itself checks the server certificates. In theory the scheme works.
In practice, the HTTPS inspection device may be outdated and poorly configured, and the user on their end has no way of knowing that their traffic is, for example, going over the vulnerable SSL3 protocol, or that the server certificate was issued by who knows whom. This gives an attacker the opportunity to become that man in the middle and intercept all the supposedly protected traffic.
The authors of the study that served as the basis for the US-CERT alert found reduced security in 62% of the monitored TLS channels. Let's send a small ray of sanity to everyone who has forked over a pile of dollars for a branded box and considers themselves invulnerable.
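What the user can still do is audit the leg they can see. The following is an added example, not code from the column or from the US-CERT alert: it connects with the system trust store, reports the negotiated protocol, cipher and certificate issuer, and flags the case where the issuer is a private CA rather than a public one, which is exactly the sign that an inspection box is in the path and the box-to-server leg is invisible from the client. The public-CA name list is an assumed, abbreviated allow-list for the demo.

```python
"""Audit the client-facing leg of an HTTPS connection.

Added example, not from the column or the US-CERT alert. It can only see
what the user sees: protocol version, cipher and the certificate presented
to the client. The public-CA list is an assumed, abbreviated allow-list.
"""
import socket
import ssl
from typing import Dict, List

PUBLIC_CA_HINTS = ("DigiCert", "Let's Encrypt", "GlobalSign", "Sectigo", "ISRG")
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL-style cipher name fragments that should not be negotiated any more
WEAK_CIPHER_TOKENS = ("RC4", "DES-CBC3", "DES-CBC-", "NULL", "EXP-", "MD5")


def assess(version: str, cipher: str, issuer_org: str) -> List[str]:
    """Return findings for a negotiated session as seen from the client."""
    findings = []
    if version in WEAK_VERSIONS:
        findings.append(f"weak protocol {version}")
    if any(tok in cipher.upper() for tok in WEAK_CIPHER_TOKENS):
        findings.append(f"weak cipher {cipher}")
    if not any(hint.lower() in issuer_org.lower() for hint in PUBLIC_CA_HINTS):
        findings.append(f"issuer '{issuer_org}' is not a public CA: "
                        "interception proxy likely in path, server leg unverifiable")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Connect using the system trust store and report what was negotiated.
    A modern Python refuses SSLv3 on its own, so the weak-protocol branch
    mainly catches TLS 1.0/1.1 where the runtime still permits them."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # issuer is a tuple of RDNs, each a tuple of (key, value) pairs
            issuer = dict(kv for rdn in cert.get("issuer", ()) for kv in rdn)
            version = tls.version() or "unknown"
            cipher = tls.cipher()[0] if tls.cipher() else "unknown"
    org = issuer.get("organizationName", issuer.get("commonName", ""))
    return {"version": version, "cipher": cipher, "issuer": org,
            "findings": assess(version, cipher, org)}


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```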

Antiquities
"Perfume"
A very dangerous resident virus; infects .COM files in the standard way (COMMAND.COM is infected when the virus starts). Creates its own TSR copy without changing anything in the MCB blocks, which can hang the system. Periodically erases random sectors on drive A:. On the 80th attempt to infect an already infected file, it starts a kind of dialogue with the operator (in my sample of the virus the text is erased). Hooks int 21h.
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 78.
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.