Attacking Vista: From Proof of Concept to Actual Exploit

During the final week of December a vulnerability was discovered in Windows platforms that affects the Client Server Run-Time Subsystem (CSRSS) service. The theory behind the discovery was that it might allow someone to execute arbitrary code on affected systems, which include Windows 2000, Windows XP, Windows Server 2003, and Microsoft's newest OS, Windows Vista.

While the initial vulnerability was discovered and posted to a Russian-based forum, that report didn't provide any source code. However, Ruben Santamarta did follow up on the report to provide working proof-of-concept source code, but that source code didn't actually launch arbitrary code on the system.

Then, on the final day of 2006, just in time to ring in the new year with a bang, an anonymous person posted a working exploit to the Full Disclosure mailing list. Based on the source code provided, the exploit allegedly takes advantage of the vulnerability to launch Notepad, which then creates a file called "OWNED.TXT" in the root directory of the C: drive. If the exploit really works, then it's only a matter of time before someone tweaks it and more insidious forms of the exploit begin circulating in the wilds of the Internet.

In a message posted to Microsoft's Security Response Center Blog, the company acknowledged the initial discovery of the vulnerability and wrote that "Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system." This of course points out that while remote attacks might not be possible, the threat from insiders (current employees, service providers, or contractors) is considerable, since they typically can already authenticate to a system.

In September 2006, CSO Magazine released the results of its third-annual E-Crime Watch report. The survey was conducted in cooperation with the U.S. Secret Service, Computer Emergency Response Team (CERT), and Microsoft, and polled 434 security executives and law enforcement personnel.

According to the survey results, threats from insiders are on the rise. The results show that 58 percent of events were committed by outsiders, 27% were committed by insiders, and 15% of attack origins were undetermined. The majority of respondents who experienced attacks (55%) reported at least one attack that occurred due to insiders. The figure is up from 39% in 2005. Nine percent of those reporting insider attacks also report that 100% of the attacks they experienced came from an insider.

"Just having policies in place is not good enough. Organizations need to focus on implementation and enforcement of their policies," says Dawn Cappelli, Senior Member of the Technical Staff at CERT. "Nearly all respondents report having account and password management policies yet over half of the insiders compromised accounts, a third used backdoors and others used password crackers or sniffers."
