Recommend a Firewall

I know what it means to attach a service to the desktop, and it will still mean that the interfaces to the service have to be known to execute the code in the service application.

They are behind a corporate LAN protected by a FW on a dedicated service machine that's sending and receiving data over HTTP using a SOAP XML Document with the external Web server.

It's covered.

Duane :)

Reply to
Duane Arnold

When no security is needed. ProtectedStorage is merely responsible for storing and returning cryptographic keys from/to a user, taking care that no other user can get them and that they're not accidentally stored in an insecure location (e.g. memory paged to the disk). The user and all the programs in his context are considered as trusted, and concepts of separation would be pretty useless.

Same holds for services which are actively manipulating the desktop, e.g. Superior SU.

Reply to
Sebastian Gottschalk

At first, the interfaces are known. Basically, the entire executable of the service is known.

For the second, there is no need to do so. A shatter attack writes code as data to the graphic context, and then passes IPC messages with a callback to that code. Without caring what the service normally does.

The first step isn't really required. Keyword: Return-to-libc

Reply to
Sebastian Gottschalk

Then we're talking not about the same thing. I'm talking about services with higher privileges.

Yours, VB.

Reply to
Volker Birk

No. You just don't understand. Shatter attacks, for example, consist of inserting data into a window (for example by just sending WM_SETTEXT to a window) and afterwards running this data as code in the process which owns the window.

There is no need for a special design of the interfaces to a service or something like that.

And the example with the three "Personal Firewalls" even is much more trivial to use.

"SOAP" and "covered" or even "secure" in one sentence. Very courageous, Duane, I must say ;-)

Yours, VB.

Reply to
Volker Birk

It runs as LocalSystem in the Lsass context.

It attaches to the desktop, but doesn't open windows. It doesn't receive Windows Messages, but it receives change notifications on the desktop and, of course, some custom calls. So it does some other unsecured IPC, but it's still no problem due to careful checking (checking the identity of the callee).

Reply to
Sebastian Gottschalk

Huh? There's only one question: SOAP over SSL or unsecured SOAP with XML Encryption Layer?

Reply to
Sebastian Gottschalk

Why are you arguing then? Just bored?

Look at the weather: let's go swimming ;-)

Yours, VB.

Reply to
Volker Birk

Do you know what an encrypted SOAP message means? It's not my problem anyway. I did what the customer wanted, which was based on the specs from PeopleSoft to access their Web server and their databases.

Duane :)

Reply to
Duane Arnold

Usually this is not the key point - it's enough to write code to a window. And this is much easier done.

Yours, VB.

Reply to
Volker Birk

Yes, this is what I'm saying. SOAP is unsecure, you have to encrypt the communication channel. And better forget "security enhancements" of SOAP.

Yours, VB.

Reply to
Volker Birk

One other thing: that service would need to be stopped, settings changed to attach it to the Windows desktop, and started again. The malware has got to get there and execute in order for that to happen.

Duane :)

Reply to
Duane Arnold

Yes. If not cleverly encrypted (and if the communication channel is not encrypted), usually "easy to attack".

I found it somewhat unfair to the crackers that so many people now filter any communication. So SOAP, transporting XML documents for RPCs and messaging via SMTP and HTTP, is something which makes the world much easier for the poor cracker again. SOAP means implementing IPC by circumventing all such annoying firewalls at last ;-)

"F*ck off, it's _their_ fault!" ;-)

Yours, VB.

Reply to
Volker Birk

If the Web service on the Web server being contacted is a SOAP service, then you send SOAP. You don't send anything else. It's PeopleSoft's and the client's problem. It's not my problem; I gave them what they wanted.

I don't know if you have ever been a contractor, but the one thing you don't do is give the client what they didn't ask for.

I do hope that you understand that.

Duane :)

Reply to
Duane Arnold

You were twisting desktop attachment and opening windows.

No way. It's too hell outside. :-)

Reply to
Sebastian Gottschalk

A window is part of the graphic context...

Reply to
Sebastian Gottschalk

My take on the device, based on the user manual, is that it's just a NAT box with some nice fluff.

Reply to
Leythos

Sebastian Gottschalk wrote: [Microsoft Windows]

No.

Yours, VB.

Reply to
Volker Birk

I understand. Thank you for your understanding for any contained sarcasm.

Yours, VB.

Reply to
Volker Birk

Then you know a different Windows version than I do.

A window is a graphical element, drawn on a device context which is usually a Desktop context on a certain WindowStation context. Windows Messages can be broadcast in an entire Desktop context, not necessarily addressing one specific Window element. They can even transit contexts with appropriately acquired handles, e.g. telling the Welcome Page on the WinLogon Desktop context that a user has unread mail, or acquiring a printer draw context to print graphics.

Reply to
Sebastian Gottschalk
