Friday, May 9, 2008

Message to Microsoft

This message was sent to Microsoft (secure@microsoft.com)

L.S.,

I will try to describe a problem I found in the Dutch Windows Vista Business with SP1 on an HP Compaq 6820s.

If the power button is configured to shut down the system when pressed, AND a screensaver is active (one of the default screensavers), AND the screensaver is password protected, AND a document is open and has been changed, then the following occurs:

After pressing the power button, the user is returned to Windows and the application (Word, for example) asks whether to save the document. If the user answers "Cancel", the shutdown sequence is aborted and the user has full access to the system, as if he had typed in a password after coming out of the screensaver.
  • Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
    Security leak (local break-in)

  • Product and version that contains the bug
    Found and tested on Windows Vista Business (Dutch) with SP1

  • Service packs, security updates, or other updates for the product you have installed

  • Any special configuration required to reproduce the issue
    Screensaver
    Power button

  • Step-by-step instructions to reproduce the issue on a fresh install
    - Set the screensaver and power options as above (unfortunately in Dutch)
    - Open a document (Notepad, Word, UltraEdit, Excel). In fact it does not matter which application is used, as long as the application notices that a document or file has been changed and needs to be saved.
    - Wait until the screensaver is active
    - Press the power button
    - When the dialog appears asking whether to save the document, press Cancel and you have access to Vista.
    - OR press Ctrl-Alt-Del and do whatever you want!

  • Proof-of-concept or exploit code
    n/a

  • Impact of the issue, including how an attacker could exploit the issue.
    The impact is huge! As an IT professional with lots of user rights etc. it is most important to lock the computer when walking away from the workplace. In this way any user can gain access to resources and systems they are not authorized to!
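As an added example (not part of the original report, and not code from Microsoft), the following PowerShell script audits a workstation for the combination of preconditions the report lists: a password-protected screensaver that shows the logon screen on resume, together with a power button mapped to "Shut down". With `-Remediate` it remaps the button to "Do nothing" for the active power scheme. It assumes the documented per-user screensaver values under `HKCU:\Control Panel\Desktop`, the per-scheme subkeys under `HKLM:\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes`, and the "Power buttons and lid" / "Power button action" GUIDs that `powercfg` exposes as `SUB_BUTTONS` / `PBUTTONACTION`; the index meanings (3 = Shut down, 0 = Do nothing) are the ones `powercfg /query` reports.

```powershell
# Added example (not from the original report or from Microsoft): audit a
# Windows workstation for the precondition combination described in the report
# and optionally remediate by mapping the power button to "Do nothing".
# Run in an elevated PowerShell on Vista or later:  .\Test-PowerButtonLock.ps1 [-Remediate]
param([switch]$Remediate)

# Screensaver settings live in the per-user Desktop key (documented value names).
function Get-ScreenSaverState {
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    [pscustomobject]@{
        Active     = ($desk.ScreenSaveActive -eq '1')
        Secure     = ($desk.ScreenSaverIsSecure -eq '1')   # "On resume, display logon screen"
        TimeoutSec = [int]$desk.ScreenSaveTimeOut
        Executable = $desk.'SCRNSAVE.EXE'
    }
}

# Power-button action for the active scheme, read from the registry so the check
# does not depend on powercfg's localized output (relevant on a Dutch install).
# GUIDs: 4f971e89-... = "Power buttons and lid" subgroup (powercfg alias SUB_BUTTONS),
#        7648efa3-... = "Power button action" setting (alias PBUTTONACTION).
# Assumption: an overridden value is stored as ACSettingIndex/DCSettingIndex under
# the scheme's subkey; when that subkey is absent the scheme's default applies.
function Get-PowerButtonAction {
    $schemes = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes'
    $active  = (Get-ItemProperty -Path $schemes).ActivePowerScheme
    $setting = Join-Path $schemes "$active\4f971e89-eebd-4455-a8de-9e59040e7347\7648efa3-dd9c-4e3e-b566-50f929386280"
    if (Test-Path $setting) {
        $v = Get-ItemProperty -Path $setting
        [pscustomobject]@{ Scheme = $active; AC = [int]$v.ACSettingIndex; DC = [int]$v.DCSettingIndex }
    } else {
        [pscustomobject]@{ Scheme = $active; AC = $null; DC = $null }   # not overridden: scheme default
    }
}

$names = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }
function Describe-Index($i) { if ($null -eq $i) { 'scheme default (not overridden)' } else { $names[$i] } }

$ss = Get-ScreenSaverState
$pb = Get-PowerButtonAction

"Screensaver: active=$($ss.Active) passwordProtected=$($ss.Secure) timeout=$($ss.TimeoutSec)s exe=$($ss.Executable)"
"Power button: AC=$(Describe-Index $pb.AC) DC=$(Describe-Index $pb.DC) (scheme $($pb.Scheme))"

# The reported scenario needs all three: screensaver on, logon screen on resume,
# and the button mapped to Shut down (index 3) on whichever power source is in use.
$exposed = $ss.Active -and $ss.Secure -and (($pb.AC -eq 3) -or ($pb.DC -eq 3))

if ($exposed) {
    Write-Warning 'Configuration matches the reported scenario: pressing the power button while the screensaver is up can surface an unsaved-document prompt.'
    if ($Remediate) {
        # Map the button to "Do nothing" on AC and DC for the current scheme and re-apply it.
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
        powercfg /setactive SCHEME_CURRENT
        'Power button action set to "Do nothing". Locking (Ctrl-Alt-Del, Lock) remains the recommended habit.'
    }
} elseif ($null -eq $pb.AC) {
    'Power button action is not overridden in the registry; confirm the scheme default with: powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION'
} else {
    'Configuration does not match the reported scenario.'
}
```

The script deliberately leaves the screensaver settings alone: the control that actually protects the session is the explicit lock (Ctrl-Alt-Del, then Lock), which the report's later comments confirm is not affected by the power button. Remapping the button only removes the path by which a shutdown prompt can appear on top of a screensaver-guarded session; on a managed network the same setting can be enforced centrally through the power-management policies rather than per machine.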

7 comments:

Unknown said

Response from Microsoft:

Thank you for your message. In reviewing the information you have provided this does not meet the bar to be tracked as a security vulnerability by the MSRC. To trigger this a person requires unrestricted physical access to the system which is covered in Law #3 of the 10 Immutable Laws of Security available at http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx .

Best Regards,
Nate

Unknown said

My answer to MS:

IMHO you are missing a point here: I lock my computer to get a cup of coffee. In the meantime a guy (or girl) who wants access to the highest level of security of a network, the only thing he has to do is press the power button!!!

He does NOT have to do one of the following:

• not -> He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.

• not -> He could unplug the computer, haul it out of your building, and hold it for ransom.

• not -> He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).

• not -> He could remove the hard drive from your computer, install it into his computer, and read it.

• not -> He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed. Once that happens, Laws #1 and #2 above apply.

• not -> He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Just a simple push on the powerbutton!! Nothing more, nothing less!!

Extra info: when the screensaver is active, press the power button and almost immediately press Ctrl-Alt-Delete. In that case one can change the password, start any process etc!!

I Think this is a serious bug!

Unknown said

Again, overlooked the "definition of a security vulnerability" which can be found at https://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx?mfr=true. I am still convinced the problem I reported is a big security vulnerability. Please convince me I am wrong!

Unknown said

Received a response:

Thank you for your reply. I have spent some additional time on this issue and with members of my team and we would like to pass this on as a stability bug directly to the product team on your behalf. The screensaver password is not considered a security boundary like the locking feature is, the scenario that you have presented is a non-default scenario (Changing Power Options), and this does require physical access. We do think that the product team should take a look at this for inclusion in an update as a stability bug though.

Certain actions of the screensaver regarding password protection are documented at http://support.microsoft.com/kb/328000 . Also we do recommend using the locking feature in Windows XP when leaving the system rather than the password protected screensaver.

Unfortunately, the problem I discovered was with Vista!!

Unknown said

Response from me to MS:

(prop. Rcpt to Nate?)

Hi,

First,

Let me remind you that the problem was with Vista instead of XP!!

Second,

The same problem can be achieved by Locking the computer (Ctrl-Alt-Del and then Lock). Then, again, wait for the screensaver and repeat the procedure to gain access.

This bug is quite serious. Network Administrators have to 1) shut down their computers or 2) take the computers with them when they go to the toilet!

Unknown said

Again message received from Microsoft:

Hello Hans,

As Nate has stated to you earlier, we do not regard this as a vulnerability. To reiterate why the Microsoft Security Response Center does not regard it as one:

1. Physical access is required to accomplish what you have outlined, either by pressing the power button or the CTRL-ALT-DEL combo as you have outlined. As Nate has mentioned earlier, our stance on this is clearly articulated in the 10 Immutable Laws. Please review immutable law #3 at http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true as to why this is not considered a security vulnerability.

2. The Screen Saver Password is not considered a security boundary.

When you combine #1 and #2, the result is an issue that is not considered a security vulnerability by the MSRC.


Additionally, one follow-up question regarding your system configuration: can you confirm what the state is within the Screen Saver Settings menu for the "On resume, display logon screen" option?


Adrian Stone
Sr. Lead Security Program Manager
Microsoft Security Response Center

Unknown said

Message to Microsoft:

Hello Adrian,

In my opinion, you are fixated on the physical approach. (Pardon my English)

The conditions met to report this (shall I call it bug) "vulnerability" are common:

- Default windows screensaver (i.e. Windows-logo)
- Default activation time of 10 minutes
- "On resume, display logon screen" checked (active)
- In the power scheme the "Power button" is set to shut down.
- An unsaved edit in notepad

I have now discovered that pressing the Ctrl-Alt-Del combo and locking the computer really locks the computer and does not react to the power button. So in that case there is no problem.

Indeed, one should not walk away from his computer without pressing Ctrl-Alt-Del combo and locking it!

But here is an all-day scenario in the Netherlands:

A lot of companies are small (1 - 50 users). In fact 80% of all companies in the Netherlands are in this category (the definition of SMB / SME in the US is different from the definition in the Benelux). Often these companies do not have a dedicated IT department. Mostly the financial manager is the one who has unlimited access to the network. Monthly revenues are too small to employ a full system engineer. Again, this is very common in the Netherlands! This financial manager has limited knowledge of security, as his primary task is controlling finance. To make the company's network as secure as possible, external IT companies often set some security settings. One of them is password-protecting the screensaver. The financial manager's computer is also protected in this way. And indeed, he should press Ctrl-Alt-Delete and lock his computer every time he walks away. But that is not the real-life situation.

Unfortunately, the last resort of securing the customer's network is not secure!

Now to the physical aspect: if physical access is needed, then why can't this be a "Security Vulnerability"? I looked over the 10 Immutable Laws but I still am not convinced this issue is NOT a Security Vulnerability.

Please, I still found this to be a big issue. At least this is a "security BUG". Can you please report this to the responsible/correct development department if you insist on claiming this not to be a "Security Vulnerability"?

Please let me know.