An exploit requiring admin privilege is NOT an exploit

I’m going to pick on a post that I saw on the forum recently, “Root kits for .NET framework been found” [sic]. Now, I believe this person was just doing due diligence and reporting something they thought might honestly be important. So, “sharpy” (if that is your real name!), this is not meant as a dig on you. The post points to another forum discussion at dslreports.com, which then has some other links I’ll let you explore yourself.

In short, the author of some paper or exploit is claiming they have hacked the .NET Framework such that they can bypass strong-name validation, or replace code in mscorlib.dll, etc. I’ll publish the first line of the first reply to the post on dslreports:

“The ‘exploit’ starts with the modification of a framework dll (assembly) from outside the runtime using administrative privileges.”

Spot the refutal? I put it in bold 🙂 It’s like Raymond Chen has blogged about on at least one occasion:

“Surprisingly, it is not a security vulnerability that administrators can add other users to the Administrators group.”

Here’s a pop quiz. If you have administrator access to someone else’s machine, which of the following would you do?

  1. Format the hard drive.
  2. Steal data, then format the hard drive.
  3. Display a dialog box saying, “Gotcha!”, and then format the hard drive.
  4. Decompile mscorlib.dll, inject extra code into the IL for the Assembly.Load() method, recompile the new IL into a new mscorlib.dll, replace the existing mscorlb.dll with your hacked version, edit the system configuration to bypass verification, remove the optimized “NGEN” version of mscorlib.dll, delete the pertinent log entries to cover your tracks, and then wait an undetermined amount of time to see that someone launching Paint.NET or their NVIDIA Control Panel gets a formatted hard drive instead.

 
“When the looting begins remember to consider the weight/value ratio. Here we have a few examples of high value, low effort.” http://www.safenow.org

I don’t know about you, but I’d probably just go with #1 or #3. I have all the data I need already, thankyouverymuch. No need to take a graduate course in compilers in order to do the job via #4.

Everything being done in #4 is possible for someone with administrator privilege. They’re only doing what they already have access to do. However, if a non-administrator can do this, then it’s an elevation of privilege issue. If it’s trivial to trick or mislead an administrator into doing it, then it could be called an “admin attack”. But all this is a discussion for another time.

So in conclusion, I wouldn’t be worried about this. The moment you see something about an attack or exploit requiring administrator privilege, or in some cases even just physical access, feel free to relax. (After all, if you have physical access to the computer, just hit the reset button and install Linux, right?)

* Disclaimer … Note that this is a slightly cynical post, and it’s by no means comprehensive.

Advertisements

10 thoughts on “An exploit requiring admin privilege is NOT an exploit

  1. gubment_cheez says:

    I loled irl when I read this entry. I guess I have a twisted sense of humor because I’ve received immense joy from a small entry

  2. Ronnie says:

    Hahaha YES, I completely agree, and I really like the cynicism here (:

    I’ve seen enough people being angry about that it’s possible to turn off UAC in Vista and think it’s a security leak, and think Vista is unsecured as hell, telling people they should convert their religion to linux or mac…
    Well one surprise: YOU NEED ADMIN RIGHTS TO TURN OFF UAC

    I really hate dumb people.

  3. Dean says:

    Wow, some of the responses on that dslreports.com site are definitely of the tinfoil-hat variety… I wonder why these people even run Windows at all, if it’s so “inherently insecure”?

  4. Kevin says:

    I found another exploit! Assuming you have administrative privileges, you can install a keyboard hook and send everything a user types to your web server!

    Ooh, I found another one! Instead of a keyboard hook, you can kill explorer.exe!

    Ooh, wait, I found another one! (etc etc)

    Gosh, I’m such a great hax0r.

  5. Snarky-Pants Jr says:

    Okay, mr sNarc author of the post (just kidding, sort of):
    The real problem for me would be that I have Ub’tu and _want to Uninstall it_. Er, at least, get rid of grub. Or, maybe figure out why explorer.exe quit launching at Windows XP boot-time – yeah, that’s it, that’s the ticket to follow.

    — Pay It Backward?

  6. Ken Hoxworth says:

    Really? So if an exploit existed that allowed anyone with admin rights to access all user-protected directories, it isn’t really an exploit?

  7. Jesse says:

    The linked paper is upfront about this. It says:

    “It is important to mention that the technique described in this paper is considered as a post exploitation type attack! Such attacks are usually deployed after an attacker has managed to penetrate a system (using some other attack) and want to leave backdoors and rootkits behind, for further exploitation. In other words, changing the Framework requires administrator level privileges. “

  8. Ken Hoxworth says:

    Sigh… If the intent of an operating system is to allow users to disallow access to certain files and directories to even administrators, it is an exploit to subvert this intent with an administrator account. I’m not trying to say that you don’t have bigger issues to worry about if someone gains administrator access on your system – I am stating that an administrator account does not grant carte blanche authority to everything on a computer system.

  9. Rick Brewster says:

    Ken — You’re changing the nature of the system with your question then. That isn’t a fair challenge. Most operating systems are designed to either allow the admin full access, OR to allow the admin to grant whatever access they want to anyone, which includes granting that to themselves. And/or to take ownership of secured objects, and then grant access. Following from this definition, an admin can literally do whatever they want, it just might take a few extra steps. It’s logically sound.

    To then correct the statement of your challenge, you’re asking if a user with less than admin privilege could use or benefit from an exploit allowing them access to all the user directories.

    You also said “user-protected” directories, but didn’t state what you meant by “protected”. Are they protected by ACL’s? Encryption? Obfuscation? You have to be very precise.

Comments are closed.