Development 5.0


Not actually crossing the airtight hatchway: Applying per-user overrides

Posted on August 1, 2019 Written by The Curator

We receive a number of security vulnerability reports of the form “If I write the following value into the registry at HKEY_CURRENT_USER\..., then the next time the user does X, I can do bad thing Y.”

The most common version of this is where the registry key is HKEY_CURRENT_USER\Software\Classes\CLSID\..., because that permits you to override a system COM object with a custom COM object.

The fallacy here is hiding behind the change of pronoun in the attack description: “If I write the following value into the registry, then the next time the user does X, I can do bad thing Y.”

In reality, “I” and “the user” are the same person!

In order to write to the user’s registry, you need to be that user or an administrator. Of course, if you are an administrator, then you’re already on the other side of the airtight hatchway, and this entire exercise is pointless.

That leaves the case where the attacker is the user. In other words, the attacker is attacking himself. This is not particularly interesting. It is not a security vulnerability that users can make their own lives miserable. They could start by, say, deleting all their files, then move on to sending profanity-laden email messages to their boss.

As I noted, COM class registrations are a commonly reported vector for this attack, sometimes even touted as a way to obtain elevation. But that doesn’t work because COM is careful not to use registrations from HKEY_CURRENT_USER when running elevated. Only HKEY_LOCAL_MACHINE registrations are consulted when elevated, and attacking those registry keys requires that you already be elevated, so you haven’t gained anything.

Another place people report this type of false vulnerability is when they see that the HKEY_CURRENT_USER registry keys are affecting the behavior of svchost.exe processes. But you need to look more closely at which svchost.exe processes are affected. Windows supports services that run under the context of the logged-on user, rather than as a privileged account. These reports breathlessly report that they found a way to inject code into svchost.exe via HKEY_CURRENT_USER attacks, but they failed to observe that the svchost.exe they attacked is running as the logged-on user. Again, all they did was attack their own process; there is no elevation of privilege.
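A triage helper for reports of this kind, added here as an example and not part of the original post: it lists the per-user COM registrations that shadow a machine-wide one, then shows which account each svchost.exe instance runs as. The column names (Shadowed, RunsAsMe) are chosen for this example.

```powershell
# Added example (not from the original post): check whether a reported
# HKEY_CURRENT_USER "attack" reaches anything other than the user's own processes.

# 1. Per-user COM class registrations that shadow a machine-wide registration.
$userClsid    = 'HKCU:\Software\Classes\CLSID'
$machineClsid = 'HKLM:\Software\Classes\CLSID'
Get-ChildItem -LiteralPath $userClsid -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Clsid    = $_.PSChildName
        Shadowed = Test-Path -LiteralPath (Join-Path $machineClsid $_.PSChildName)
    }
} | Where-Object Shadowed | Format-Table -AutoSize

# 2. Which account does each svchost.exe run as, and which services does it host?
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc = $_
    # GetOwner can fail without admin rights for processes owned by other accounts.
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
    $account = if ($owner -and $owner.ReturnValue -eq 0) {
        '{0}\{1}' -f $owner.Domain, $owner.User
    } else {
        '<not readable by this account>'
    }
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.ProcessId)" |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        PID      = $proc.ProcessId
        Owner    = $account
        RunsAsMe = ($account -eq $me)   # -eq is case-insensitive for strings
        Services = ($services -join ', ')
    }
} | Sort-Object RunsAsMe -Descending | Format-Table -AutoSize -Wrap
```

Rows with RunsAsMe set to True are service hosts running in the logged-on user's own context; a report that only affects those has stayed on the same side of the hatchway.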

 

The post Not actually crossing the airtight hatchway: Applying per-user overrides appeared first on The Old New Thing.
