Re: Smashing Windows

From: The Blueberry (acr872kat_private)
Date: Thu Apr 11 2002 - 14:16:45 PDT


    Hi group,
    
    >While we're on the topic, I'm wondering what techniques and/or programs
    >would be of use to effectively audit Windows operating systems and services,
    >specifically NT based?
    
    For this you can use API, registry and disk monitors, etc. Some good tools 
    can be found at www.sysinternals.com.
    
    But if you are looking more specifically for something to target one 
    program or one function in the OS in depth, look at Win32 debuggers like 
    SoftICE or the like.
    
    >
    >For example, privilege escalation, buffer overflows, format strings within
    >local programs or system services. Other than a few documents on format
    >strings and buffer overflows, there isn't much information to help aid in
    >the auditing of programs specifically of importance to the Windows OS.
    
    I'm not aware of any papers on that subject but you can always take a look 
    at phrack or at currently existing exploits as this can help you a bit.
    
    >Another main question is how exactly are local privileges gained? For
    >example, under Unix only programs suid/sgid that are vulnerable can
    >sometimes be exploited to gain root. Would there be the same thing or
    >something similar to this under an NT environment? And if so, what?
    
    It can be the same in NT: a service (IIS, etc.) that habitually runs under 
    high privileges can give up its privileges through a buffer overflow or an 
    input validation error that fools the program into executing custom code 
    supplied by the attacker...
    
    >Is there any information that I can be directed to that maybe I'm missing?
    >As well as programs and other criteria of importance. Also, are there such
    >things as race conditions under Windows? Signal exploitation? Or things
    >under Windows that can be exploited that can't under *nix, or vice versa.
    
    Humm... race conditions? Maybe, but it's very unlikely for an NT program to 
    use the temporary directory to put anything exploitable there. Signal 
    exploitation? No, AFAIK. Usually in Windows the great thing to exploit is 
    user input: buffer overflows and input validation errors.
    
    >Any light or reference to information on this topic, considering its broad
    >scope, would be greatly appreciated.
    
    I'm not really aware of any general information about Windows' architecture 
    in the field of security. Maybe others on the list will be able to help you 
    more than me with this.
    
    --TB
    
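The failure mode the reply describes (a privileged service copying attacker-controlled input into a fixed-size buffer with no length check) is illustrated below with an added example that is not part of the original mail or any real service. The request handler, its `NAME_MAX` limit and the `probe` helper are constructed for illustration; the point is the contrast between the unchecked copy and the version that validates the length before copying.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed limit for the hypothetical service's name field. */
#define NAME_MAX 64

/* "Before": the pattern the mail warns about. The input length is never
 * checked, so any request longer than NAME_MAX - 1 bytes overruns the
 * stack buffer. Kept only for contrast; it is never called with
 * untrusted input in this example. */
void handle_request_unchecked(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);              /* no bounds check at all */
    printf("hello %s\n", name);
}

/* "After": the length is validated against the buffer before anything is
 * copied, and the copy itself is bounded. Returns 0 when the request is
 * accepted and -1 when it is rejected. */
int handle_request_checked(const char *input, size_t input_len)
{
    char name[NAME_MAX];
    if (input == NULL || input_len >= NAME_MAX)  /* keep room for the NUL */
        return -1;
    memcpy(name, input, input_len);
    name[input_len] = '\0';
    printf("hello %s\n", name);
    return 0;
}

/* Wrapper for NUL-terminated input. memchr caps the scan at NAME_MAX bytes,
 * so a string with no terminator inside the limit is rejected instead of
 * being read past the end. */
int handle_request_str(const char *input)
{
    if (input == NULL)
        return -1;
    const char *end = memchr(input, '\0', NAME_MAX);
    size_t len = end ? (size_t)(end - input) : NAME_MAX;
    return handle_request_checked(input, len);
}

/* Test helper: build a constructed request of n 'A' bytes (n < 256) and
 * feed it to the checked handler. */
int probe(size_t n)
{
    char buf[256];
    if (n >= sizeof buf)
        return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return handle_request_str(buf);
}

int main(void)
{
    printf("63 bytes -> %d (accepted)\n", probe(63));
    printf("64 bytes -> %d (rejected)\n", probe(64));
    printf("200 bytes -> %d (rejected)\n", probe(200));
    return 0;
}
```

The audit question to ask of a real service is the one `handle_request_checked` answers explicitly: where does the length of each input get compared against the buffer it lands in, and what happens when that comparison fails.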
    



    This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 15:02:08 PDT