Leak Tests

Volker, you're famous:

:)

As expected, there isn't a single software firewall that passes all of these so-called 'leak tests'. The best of them seems to be Jetico, which is pretty much what I expected also. Anyway, I posted this in case anyone is interested in this sort of thing. Just shows, as some here have said, that none of them can really ensure that nothing gets out. To see the test results, hit the TESTS link on the left side of the page and then View Results at bottom.

Reply to
Kerodo

They're still running that shit?

My leak tests:

- CreateProcessAsLogonW with SYSTEM account and kill the PFW.

- Try to delete all files, kill the process and uninstall the drivers, reboot, try again. Usually 3 cycles are enough.

None passed at all.

Reply to
Sebastian Gottschalk

Hm... don't think so. And I would be pleased not to become infamous ;-)

Yes. This guy asked me whether he may add my PoC code to his site. Of course I agreed. Is this a frequently used site? Because I never heard of it before.

Yours, VB.

Reply to
Volker Birk

For this, you'll need Administrator's rights.

;-)

Never tried this one - aren't the "Personal Firewall" setup programs setting file ACLs in a sensible way?

Yours, VB.

Reply to
Volker Birk

These tests are usually run with Admin rights.

See above.

Anyway, the most common error with privilege escalation I've seen was the SE_CHANGE_CONFIG thing.

Reply to
Sebastian Gottschalk

It seems to be a site that some people look at. I have never paid much attention to the so-called 'leak tests' myself, but many people seem to on another message board I frequent.

Reply to
Kerodo

This would be unbelievably dumb. Are you sure? *wondering*

-v plz

Yours, VB.

Reply to
Volker Birk

Of course this is dumb, but it's the usual setup of the target audience's computers. You may also wonder why these PFWs are trying to make their processes non-killable even to Admin users...

ff.

It's pretty simple: Giving a user the SE_CHANGE_CONFIG permission for a service is supposed to allow him to start/stop the service and change the start-up behaviour (automatic, manual, on-demand, system, boot). However, it also allows him to change the assigned binary...

I recently reported that the popular copy protection scheme SafeDisc is also vulnerable to this flaw, except for the default installation shipped with Windows XP when it has not been updated later by a custom installer.

Reply to
Sebastian Gottschalk

Ahem... here I have to guess... because the developers of those "Personal Firewalls" have no clue of how security is implemented in classical operating systems with a separation of kernel space and userland, like Microsoft Windows?

Yes, of course. This is not a security flaw of Windows. This is by design.

?

Is SE_CHANGE_CONFIG given to a normal user as default configuration?

Yours, VB.

Reply to
Volker Birk

Obviously they have at least a clue about account separation and permissions, because that's how it's implemented. Of course it's trivial to gain SYSTEM rights when one already has Admin rights, but the clueless user only knowing the Task Manager and seeing that it doesn't work will be satisfied.

Maybe it is a too gross permission, but I wouldn't grant any of its sub-effects to any user for any service anyway.

No. But some installers of third-party programs installing system services and/or drivers do set this permission for the Users or Everyone group. The default configuration of the driver shipped with Windows XP is safe, but whenever the driver is updated or reinstalled (if removed earlier) by a third-party game installer, an unsafe configuration as described above is applied.

So far I have seen the same stupid thing with Novell NetDrive and Adobe License Manager.

Reply to
Sebastian Gottschalk
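The two posts above describe the same misconfiguration from the defender's side: a service whose DACL grants SERVICE_CHANGE_CONFIG (the right behind the "SE_CHANGE_CONFIG thing", shown as `DC` in SDDL) to Users or Everyone lets any such user repoint the service binary, while start/stop alone (`RP`/`WP`) does not. The following audit script is an added example and is not code from the thread or from any of the products named; it parses the SDDL string that `sc sdshow <ServiceName>` prints on Windows and flags access-allowed ACEs that give broad trustees (Everyone, Builtin Users, Authenticated Users, Interactive) a right that permits reconfiguring the service or rewriting its ACL. The three SDDL strings at the bottom are constructed samples for illustration, not captured from a real installation.

```python
import re

# sc sdshow right codes -> service access rights (Microsoft's SDDL service rights table)
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}

# Rights that let the holder change the binary path directly (DC, GA, GW)
# or rewrite the DACL/owner and then grant themselves DC (WD, WO).
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}

# Hex access masks that some tools emit instead of the two-letter codes.
HEX_MASKS = {
    0x00000002: "DC", 0x00040000: "WD", 0x00080000: "WO",
    0x10000000: "GA", 0x40000000: "GW",
}

# Well-known trustee abbreviations that stand for broad, non-admin principals.
BROAD_TRUSTEES = {
    "WD": "Everyone", "BU": "Builtin Users",
    "AU": "Authenticated Users", "IU": "Interactive users",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def _rights_from_field(rights_str):
    """Turn the ACE rights field into a set of two-letter codes (hex masks decoded)."""
    if rights_str.lower().startswith("0x"):
        mask = int(rights_str, 16)
        return {code for bit, code in HEX_MASKS.items() if mask & bit}
    return {rights_str[i:i + 2] for i in range(0, len(rights_str), 2)}


def parse_dacl(sddl):
    """Return [(ace_type, rights_set, trustee)] for the DACL section of an SDDL string."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # stop before the SACL, if any
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, skip rather than guess
        ace_type, rights_str, trustee = fields[0], fields[2], fields[5]
        aces.append((ace_type, _rights_from_field(rights_str), trustee))
    return aces


def find_weak_aces(sddl):
    """List (trustee name, [dangerous rights]) for broad trustees holding a reconfig right."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        if ace_type != "A":          # only access-allowed ACEs grant anything
            continue
        if trustee not in BROAD_TRUSTEES:
            continue
        bad = sorted(rights & DANGEROUS)
        if bad:
            findings.append((BROAD_TRUSTEES[trustee], [SERVICE_RIGHTS[r] for r in bad]))
    return findings


# Constructed samples (not real captures). SAFE mirrors the usual Windows default shape:
# SYSTEM and Administrators may configure, interactive/service users may only query.
SAFE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# WEAK is the installer mistake from the thread: Builtin Users get DC (SERVICE_CHANGE_CONFIG).
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRRC;;;BU)(A;;CCLCSWLOCRRC;;;IU)")
# STARTSTOP grants Everyone only start/stop, which is what the permission was "supposed" to do.
STARTSTOP = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPLOCRRC;;;WD)")

if __name__ == "__main__":
    for name, sddl in (("SAFE", SAFE), ("WEAK", WEAK), ("STARTSTOP", STARTSTOP)):
        hits = find_weak_aces(sddl)
        print(f"{name}: {'OK' if not hits else 'WEAK ' + str(hits)}")
```

On a Windows box, feed `find_weak_aces()` the output of `sc sdshow <ServiceName>` for each installed service (the thread's SafeDisc driver runs as a service, as do the AdobeLM and NetDrive services mentioned later); a finding means the listed group can repoint the service binary, so the fix is to remove that ACE with `sc sdset` and then check whether the next product update reintroduces it, which is the pattern the posts describe.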

For which driver is this true?

OMN!

Yours, VB.

Reply to
Volker Birk

SafeDisc (secdrv.sys)

I suspect StarForce and Co. to be vulnerable too, but I usually don't install malware. Actually I only got SafeDisc installed by surprise under a restricted account due to some strange misconfiguration issue.

For AdobeLM, there do exist some cracks, which are pretty small in size (5 KB + ~ 1 KB of changes) and therefore easily verified to be non-malicious, that allow PhotoShop and Audition to be run without that service running or trying to be reinstalled (miserably failing with restricted rights). What a hassle!

And Novell NetDrive... well, it also demands SE_INTERACTIVE and doesn't run without any of these permissions. Unusable.

Reply to
Sebastian Gottschalk
