Frankly I agree that if you were to secure the server this would not be an issue. However, since the "bug" refers only to the help file and not the creating of the alerts I think (and someone correct me if I am wrong) that by removing the local manual from the service version you would eliminate the issue. If the local manual was still available under the start menu then you would have access as that particular user. Not to say that I don't agree with the comments about securing the server properly.

Dirk Bulinckx wrote:

And it's "official" now :-)

http://www.securityfocus.com/archive/1/393419/2005-03-14/2005-03-20/0


Dirk.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Mark Bradshaw
Sent: Wednesday, March 16, 2005 7:06 PM
To: salive@woodstone.nu
Subject: RE: [SA-list] Security Advisory about Servers Alive

Nice.  Congratulations on your advisory!

Mark Bradshaw
Director of Online Services
DREAM3
http://www.dream3.org/
(866) 7DREAM3

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Dirk Bulinckx
Sent: Wednesday, March 16, 2005 11:22 AM
To: salive@woodstone.nu
Subject: RE: [SA-list] Security Advisory about Servers Alive

I'm not really worried about it :-)
Somebody told me that a while ago a competitor (of the product that that
person wrote) got a security advisory and suddenly his ranking in google
just went up. Since more pages linked to his site :-)



Dirk.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Mark Bradshaw
Sent: Wednesday, March 16, 2005 1:00 PM
To: salive@woodstone.nu
Subject: RE: [SA-list] Security Advisory about Servers Alive

I've been there too, Dirk.  Don't let it bug you (if it is).  I very much
appreciate the security community and the work it does to secure our work,
but there are some that seem a bit overeager to find and announce "bugs".
Goes with the territory I suppose.

Mark Bradshaw

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Dirk Bulinckx
Sent: Wednesday, March 16, 2005 1:02 AM
To: salive@woodstone.nu
Subject: RE: [SA-list] Security Advisory about Servers Alive

That's one of those things I told them in our mail conversation but they do
think they have a case...so if they can't resist the glory of making that
advisory, well so be it :-)



Dirk.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Kevin Stone
Sent: Wednesday, March 16, 2005 5:06 AM
To: salive@woodstone.nu
Subject: RE: [SA-list] Security Advisory about Servers Alive

Given your explanation and having seen similar issues in other programs this
doesn't seem to be an issue specific to SA but more of a limitation in VB.

I think given the scope of functions in Servers Alive and that many of them
would require Admin privileges anyway this would not seem to be a security
issue but more of an administrative policy issue.

Also, the fact that SA potentially has admin level access to many
systems (not just localhost) in an organization should be reason enough to
treat it as a sensitive system.

-Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Dirk Bulinckx
Sent: Tuesday, March 15, 2005 6:24 PM
To: salive@woodstone.nu
Subject: [SA-list] Security Advisory about Servers Alive

A couple of weeks ago we were informed about a security issue in Servers
Alive.  We see this issue as not really a Servers Alive issue but I'll let you
decide on it :-)



Synopsis
========
A privilege-escalation vulnerability exists, allowing a local non-privileged
user to obtain SYSTEM.

Discussion
==========
Servers Alive can be run in two modes; as an application or as a service.
When run as a service, the application is permitted to interact with the
desktop and runs under the context of SYSTEM. When loading the 'Local
manual' under help, the application does not drop privileges. Consequently, it is possible to assume SYSTEM privileges by:

1. Viewing the source of the help file, which opens in Notepad.
2. In Notepad, selecting File, Open.
3. Launching a system utility such as cmd.exe.

Impact
======
Full local compromise of the host on which Servers Alive is installed.




Based on this info we did some 'research'.

Our conclusions:
The F1 key is calling the HELP, as developer we CAN NOT control what
exactly is called (except for what help file). VB (Servers Alive is written
in VB) does the calls to the help system of the operating system and does
this within the context of the user running the app/service. This means
that IF a service/app is running with full admin rights, that the help file
is called with those same rights and that IF it's possible to call an
external app from the help system that this app will also be running with
those same rights. Well the help system allows you to run an external app.
Issue in Servers Alive or issue within the help system??
We could remove the help from the app/service. But then again we would have
to remove all alerts/checks in Servers Alive too since they could also be
running a CMD.EXE (example shown above).
Our only advice is that (as with any system) only authorized personnel should
be allowed to access the Servers Alive system.


This:
"
Running Servers Alive as a Service
When running Servers Alive as a service using the Microsoft Management
Console, you can select the Local System Account option on the Properties
dialog box and click the Allow Service to Interact with Desktop setting. To
run Servers Alive under the system account with desktop interaction, you
should carefully consider an important security issue: Any process started
from within Servers Alive has the same access rights as the system
administrator.


You must protect the system running Servers Alive by ensuring that only
users with a correct security clearance are allowed to log on to the local
system.

For example, an administrator installs Servers Alive on a workstation and
configures the software to run as a service, using the system account with
desktop interaction. A non-administrative user can log on to the workstation
and see Servers Alive as an icon in the system tray. The user can open the
Servers Alive Help file and click the View Source command in the Windows
Help viewer. Subsequently, in the Open dialog box, the user can open and run
CMD.exe. The non-administrative user can now run the command line with all
the access rights as the system administrator.
"
Will be added to the help/doc of the next (minor) release of Servers Alive.






Dirk.




To unsubscribe from a list, send a mail message to [EMAIL PROTECTED] With the following in the body of the message: unsubscribe SAlive






--
Jason Passow
Mississippi Welders Supply
[EMAIL PROTECTED]
ph: (507) 454-5231
fax: (507) 454-8104
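
The configuration discussed in this thread (a service running under Local System with "Allow service to interact with desktop" enabled) can be audited for on a Windows host. The PowerShell below is an added example, not part of the thread or of Servers Alive; the function names are hypothetical.

```powershell
# Added example: reports services that match the configuration discussed in the
# thread. Both function names are hypothetical helpers, not product code.
function Get-InteractiveSystemService {
    # Win32_Service.DesktopInteract reflects the "Allow service to interact
    # with desktop" checkbox; StartName is the service logon account.
    Get-CimInstance -ClassName Win32_Service -Filter 'DesktopInteract = TRUE' |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-InteractiveServicePolicy {
    # NoInteractiveServices = 1 means Windows does not let services place UI
    # on the logged-on user's desktop, whatever the per-service flag says.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoInteractiveServices
    [pscustomobject]@{
        NoInteractiveServices = $value
        InteractiveUiBlocked  = ($value -eq 1)
    }
}

$policy  = Get-InteractiveServicePolicy
$flagged = @(Get-InteractiveSystemService)

"Interactive service UI blocked by policy: $($policy.InteractiveUiBlocked)"
if ($flagged.Count -eq 0) {
    'No LocalSystem services have desktop interaction enabled.'
} else {
    # Each row is a service whose windows (including a help viewer) would run
    # as SYSTEM on the desktop of whoever is logged on.
    $flagged | Format-Table -AutoSize -Wrap
}
```

Any service this reports is a candidate for running under a dedicated account without desktop interaction, in line with the advice in the thread to restrict who can log on to the monitoring host.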
