Wednesday, November 19, 2008

Most. Embarassing. Vulnerability. Ever.

Vista users, prepare to crash your systems. No, really - this is (mostly) harmless, and it's an instantaneous demonstration of the single most embarassing computer vulnerability I've ever seen.

First, the vulnerability:
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory.
The kernel is the core of the Operating System - the guts of Windows, in this case. Corrupting kernel memory is never a good thing. At best, you'll make something important crash. The Bad Guys look for this sort of thing, because when you make something crash, sometimes you can get your own code to run instead.

Now Buffer Overflows have been known for literally decades, so this isn't anything new. Usually, you seen some righteous uber-l33t skillz to do it.

So, Vista users - ready to show your uber-l33t crazy h4x0R skillz? Make sure you've saved all your work ....

Step 1. Open a command shell. You'll have the familiar "C:>" prompt.

Step 2. Type the following command:
route add 1.2.3.4/240 4.3.2.1
At this point, your monitor will turn a restful shade of blue, as your kernel barfs its guts out.
I hope you remembered to save your work.

Now this is all very jolly, but you might be wondering why is this the most embarassing vulnerability ever?

Microsoft has been trying really, really hard on security for a long time. They have scary smart security people working there. One of them wrote the book on secure coding, and if you were a microsoft developer, billg made you read it. All of these efforts have paid off, and while Microsoft security for sure isn't perfect, it's a whole different game than it was ten years ago. In other words, it wasn't a joke any more.

And then someone made a boneheaded, "oops I forgot to check user input for validity" mistake that everyone knew was boneheaded twenty years ago. And your mom has the uber-l33t crazy skillz to exploit it.

And remember, Windows Vista is the Most Secure Windows Ever.

Now this doesn't really mean anything in the grand scheme of things. You have to be logged in as Administrator for this to work, so you're not going to escalate your privileges any higher. If you can get a remote administrator command shell, then you're starting from Game Over, so there's no straight forward remote exploit.

But Jeez Louise, guys. This is simply [redacted] stupid. If I were the head of Vista marketing, I'd have (ahem) words with development. It'll make people turn to Solaris ...

UPDATE 5 DECEMBER 2008 12:55: Welcome /b/ Random readers. Lots of security and snark (and security snark) around here. Take a look around.

No comments: