Windows 7 Networks Vulnerable to RA DoS Attack

This has to be seen to be believed. In this video, Sam Bowne, of City College San Francisco, shows how rogue IPv6 Router Advertisements can crash every IPv6-enabled Windows system on your network.

Sam (and others) notified Microsoft of the problem, only to be told that it was a known issue and that Microsoft has no plans to patch it! It is listed in the DHS US-CERT Vulnerability Database as CVE-2010-4669.

Sam has an excellent Executive Summary on his site explaining the problem, and several remedies including:

  • Disable IPv6. This is drastic and will break services you may want, such as HomeGroups and DirectAccess, but it will protect you.
  • Turn off Router Discovery — this is a simple solution, requiring only one command, but it will prevent you from using Stateless Autoconfiguration. It’s probably appropriate for servers, but not as good for client machines.
  • Use a firewall to block rogue Router Advertisements while still allowing them from your authorized gateway. This is the most precise solution, but it is easily defeated.
  • Get a switch with RA Guard — details here: http://goo.gl/PlVlt

Check out Sam’s site for more information.
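As an added illustration (not code from Sam's page or the video), here is a small detector for the attack described above: it parses ICMPv6 Router Advertisements, extracts the advertised prefixes, and flags RAs from any source other than the authorized gateway as well as any source that floods many distinct prefixes in a short window. The gateway address, the rogue address, the sample packets and the thresholds are constructed for the example.

```python
import ipaddress
import struct
from collections import defaultdict

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option type

def parse_ra_prefixes(icmp):
    """Prefixes advertised in one ICMPv6 Router Advertisement; None if not an RA."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        return None
    prefixes, off = [], 16                      # options follow the 16-byte RA header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8   # option length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            break                               # zero-length or truncated option: stop
        if otype == OPT_PREFIX_INFO and olen == 32:
            prefix = (bytes(icmp[off + 16:off + 32]), icmp[off + 2])   # (packed addr, prefixlen)
            prefixes.append(ipaddress.IPv6Network(prefix, strict=False))
        off += olen
    return prefixes

def detect_rogue_ra(packets, authorized, window=1.0, max_prefixes=8):
    """(timestamp, src_addr, icmpv6_bytes) tuples in time order -> (kind, src, first_seen) alerts:
    one per unauthorized source, one per source exceeding max_prefixes distinct prefixes per window."""
    alerts, history = {}, defaultdict(list)     # history: src -> [(ts, prefix)]
    for ts, src, icmp in packets:
        prefixes = parse_ra_prefixes(icmp)
        if prefixes is None:
            continue                            # not a Router Advertisement
        if src not in authorized:
            alerts.setdefault(("unauthorized-source", src), ts)
        history[src].extend((ts, p) for p in prefixes)
        recent = {p for t, p in history[src] if ts - t <= window}
        if len(recent) > max_prefixes:
            alerts.setdefault(("ra-flood", src), ts)
    return [(kind, src, first) for (kind, src), first in alerts.items()]

def build_ra(prefixes):
    """Minimal RA with one Prefix Information option per prefix (sample input only)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    opts = [struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, n.prefixlen, 0xC0, 2592000, 604800, 0)
            + n.network_address.packed for n in prefixes]
    return hdr + b"".join(opts)

# Constructed sample: one RA from the real gateway, then a rogue host flooding 20 /64 prefixes in 0.4 s.
GATEWAY = "fe80::1"
SAMPLE = [(0.0, GATEWAY, build_ra([ipaddress.IPv6Network("2001:db8:1::/64")]))] + [
    (0.1 + 0.02 * i, "fe80::bad", build_ra([ipaddress.IPv6Network("2001:db8:%x::/64" % (256 + i))]))
    for i in range(20)]
```

On a real host the packets would come from a capture rather than `SAMPLE`; the thresholds are deliberately conservative, since the flood that triggers this bug sends far more than eight prefixes per second.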

Sophos creates free Tool to Defend against Windows Shortcut Exploit

Scrambling to protect your systems from the latest Windows zero-day shortcut exploit? What do you do if your anti-virus doesn’t protect against it? The anti-virus company Sophos has created a tool to defend against the USB shortcut exploit.

The free Sophos tool installs a new icon handler for Windows shortcuts. Whenever Windows tries to display an icon corresponding to a Windows shortcut, the new icon handler will intercept this request and validate the shortcut. If the shortcut does not contain the exploit, control will be given back to Windows.

The nice thing is that if your current anti-virus product doesn’t protect against the exploit, the Sophos Windows Shortcut Exploit Protection Tool can run alongside it to make sure your system is protected.

And the Sophos Windows Shortcut Exploit Protection Tool (maybe we should have come up with a shorter name?) is a piece of cake to install. The tool can be installed and uninstalled easily and quickly. Administrators can run the installer package on the computer, and network administrators can push it out via Group Policy.

Check out the Sophos blog for more information.

Windows Backdoor: System Level Access via Hot Keys

You hear it all the time in the support forums, “I lost my administrator password, what do I do?” Honestly, it makes you wonder how many times the request is really legit.

But what if you were having a really bad day and forgot your password? I mean the world ran out of coffee and your car radio got stuck on a country station on the way in to work. Yes, that kind of bad day. You arrive late to your office; well, you did stop at every coffee place on the way in to make sure they were out, what did you expect? You rush to your desk, sit down at your keyboard to log in and… nothing. It’s gone, you can’t remember it. You wrote your password on a sticky note on your monitor (of course), but wouldn’t you know, this was the day the cleaning crew actually visited your office and threw it away. You could call IT support, but that would be you. What do you do? Better yet, how much time would you need?

60 seconds. That is how long it takes (minus boot times) to get a command prompt in the latest version of Windows from the main login screen, with all security patches applied and an anti-virus program installed, provided you have physical access to the system and can reboot it. And this is not any old command prompt; it is a command prompt as the user “System”. If you know Windows security, you know that “System” is the highest level of authority you can have: the operating system thinks you are its own internal “system” account.

This hack requires physical access to the system and a DVD or USB drive. It works by manipulating the Windows hot-key utility file “utilman.exe”. The hack has been around (and known) since Windows XP and still works in the latest release of Windows 7. Because it relies on manipulating a Windows service, it has never been patched. In fact, it is posted as a solution, with instructions, on Microsoft’s TechNet forum.

Once the file has been manipulated, pressing the hotkey at the login screen instantly opens a command prompt window as the user “System”. Typing “explorer.exe” in the command prompt gives you a desktop with the password prompt still visible in the background (see picture). From here, many Windows features are functional. In the following picture you can see the open “Start Bar” and “Internet Explorer” window, along with the login prompt in the background:

Amazingly, this works on Windows Server products as well. If someone had access to your computer and manipulated the hot-keys, they could gain system-level access to your server at a later date via the hot-key, without rebooting the system. It is therefore imperative to make physical security a top concern in your business. Make sure your server is in an area that is not open to public traffic, preferably a locked room. Take extra care with your laptops and do not leave them unattended.

It is always a good idea to disable services that are not needed. Disabling booting from external devices and using boot passwords also helps. Unfortunately, disabling the Windows hot-keys is not well documented. For Windows 7, Microsoft recommends a third-party program to tweak these settings. Supposedly you can also do this with a Windows policy edit, but I have not seen this documented either. I have also seen some sites recommend renaming the “utilman.exe” file to something else if it is not needed. But the best defense is strong physical security.

10-Year-Old Vulnerability Found in Windows Software

Server software company 2X Software has found a vulnerability in Windows that has existed since Windows 2000. It leaves affected systems open to a simple denial-of-service attack that can cause the system to reboot. 2X Software has notified Microsoft, which is looking into it.

“This is a major problem for potentially tens of millions of devices. Such a vulnerability leaves users open to DoS attacks which can be devastating. Imagine your company servers and PCs being restarted remotely every few minutes,” said Paul Gafa, chief technology officer at 2X Software.

See the article on v3.co.uk for more information.