HOW TO SECURE VULNERABLE SERVICES vs. BUFFEROVERFLOW ESCALATION OF PRIVELEGE ATTACKS
HOW TO SECURE VULNERABLE SERVICES vs. BUFFEROVERFLOW ESCALATION OF PRIVELEGE ATTACKS
Per a discussion I had w/ Russ Cooper from NtBugTraq here on our forums in this NEWS section:
A "working-work around" I discovered earlier in 2005-2006 & posted here on these forums (now a STICKY thread in the GENERAL SOFTWARE SECTION of the forums) & prior to that on SETI@Home & Folding@Home forums, that should help in the meantime, is listed below...
http://forums.techpowerup.com/showthread.php?p=232495#post232495
=============================================
PERTINENT MATERIAL EXCERPT:
=============================================
2. "Shatter" attacks. Shatter attacks are where a process is launched which, as you've been referring to regarding messages between processes, feeds events/messages to other processes that have higher privilege. For example, in the past many AV programs had a core that ran as SYSTEM, and then UI processes that ran in the context of the running user. These components had methods to talk to each other. If I could gain control of the user component, I might be able to exploit the SYSTEM component...thereby gaining elevated privilege.
A safe & easy to implement technique vs. THIS VERY THING you note in exploitable services running as SYSTEM when they don't HAVE TO BE as their logon entity.
SECURING VULNERABLE SERVICES AGAINST ATTACK FORUM POST:
http://forums.techpowerup.com/showthread.php?t=16097
& later here, when the folks here "wikipediafied it":
SECURING VULNERABLE SERVICES AGAINST ATTACK TPU WIKI:
reference.techpowerup.com/Securing_Windows_Services
The technique noted by myself counters for services buffer overflow escalation of privelege attacks (the very thing you noted as an example, & it works against it, by lowering services logon privelege entities - very safe & simple) IF the service in question is securable thus (not ALL are unfortunately due to WHAT they may have to be able to do, priveleges wise).
Many antivirus makers' ware can have their services/daemons can be limited to NETWORK PROCESS entity levels, & lower, like LOCAL PROCESS levels.
Also, NORTON ANTIVIRUS (corporate edition @ least, post v.10.1 iirc) has "ANTITAMPER PROTECTION" as well, keeping its services list running no matter what - works well, I can't even MANUALLY SHUTDOWN 10.2 IF I TRY AS ADMIN!)...
----------------------------------------------------------
SYMANTEC CORP. EDITION CLIENT SERVICES TO SET AS LOCAL SERVICE (& they will still work fully & fine):
Symantec AntiVirus
Symantec AntiVirus Definitions Watcher Service
SYMANTEC CORP. EDITION CLIENT SERVICES TO SET AS NETWORK SERVICE (& they will still work fully & fine):
SAV Roam
Symantec LiveUpdate
=============================================
* Microsoft now also has a subset of this material (covering only their default OS services though, ONLY (my list has FAR MORE that apply & can do this) on their technet/knowledgebase websites, which appeared 6 months or more after I wrote mine up!
(So, that said? Well, you KNOW this works well enough, as a substantiation of it, because MS has it also, albeit far after the article I authored here & elsewhere on it, & far less services this security technique applies to!)
APK
P.S.=> This technique also works in the patched model, 10.2 (& above), of the Norton/Symantec Corporate Edition AntiVirus client program, some "FYI" & a good general measure of protection against exploitable services (not just NORTON/SYMANTEC ONES, mind you)!
The URL above detailing HOW this defense mechanism is done (easy, via services.msc) also notes many other services this can apply to, to protect you vs. this type of attack... apk
:shadedshu )