I agree that we could just remove the link to the help and the URL links
(since from IE you can also start an app)... but then again the same applies to
alerts (which he didn't mention).
I could have removed the help link and said "voila, all is fixed", but that
would just not have been the case...


Dirk.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Passow
Sent: Thursday, March 17, 2005 4:13 PM
To: salive@woodstone.nu
Subject: Re: [SA-list] Security Advisory about Servers Alive

Frankly I agree that if you were to secure the server this would not be
an issue. However, since the "bug" refers only to the help file and
not the creating of the alerts I think (and someone correct me if I am
wrong) that by removing the local manual from the service version you
would eliminate the issue. If the local manual was still available
under the start menu then you would have access as that particular
user. Not to say that I don't agree with the comments about securing
the server properly.

Dirk Bulinckx wrote:

>And it's "official" now :-)
>
>http://www.securityfocus.com/archive/1/393419/2005-03-14/2005-03-20/0 
>
>
>Dirk.
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Bradshaw
>Sent: Wednesday, March 16, 2005 7:06 PM
>To: salive@woodstone.nu
>Subject: RE: [SA-list] Security Advisory about Servers Alive
>
>Nice.  Congratulations on your advisory!
>
>Mark Bradshaw
>Director of Online Services
>DREAM3
>http://www.dream3.org/
>(866) 7DREAM3
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Bulinckx
>Sent: Wednesday, March 16, 2005 11:22 AM
>To: salive@woodstone.nu
>Subject: RE: [SA-list] Security Advisory about Servers Alive
>
>I'm not really worried about it :-)
>Somebody told me that a while ago a competitor (of the product that that
>person wrote) got a security advisory and suddenly his ranking in Google
>just went up, since more pages linked to his site :-)
>
>
>Dirk.
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Bradshaw
>Sent: Wednesday, March 16, 2005 1:00 PM
>To: salive@woodstone.nu
>Subject: RE: [SA-list] Security Advisory about Servers Alive
>
>I've been there too, Dirk.  Don't let it bug you (if it is).  I very much
>appreciate the security community and the work it does to secure our work,
>but there are some that seem a bit overeager to find and announce "bugs".
>Goes with the territory I suppose.
>
>Mark Bradshaw
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Bulinckx
>Sent: Wednesday, March 16, 2005 1:02 AM
>To: salive@woodstone.nu
>Subject: RE: [SA-list] Security Advisory about Servers Alive
>
>That's one of those things I told them in our mail conversation but they do
>think they have a case...so if they can't resist the glory of making that
>advisory, well so be it :-) 
>
>
>Dirk.
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Stone
>Sent: Wednesday, March 16, 2005 5:06 AM
>To: salive@woodstone.nu
>Subject: RE: [SA-list] Security Advisory about Servers Alive
>
>Given your explanation and having seen similar issues in other programs, this
>doesn't seem to be an issue specific to SA but more of a limitation in VB.
>
>I think given the scope of functions in Servers Alive and that many of them
>would require Admin privileges anyway this would not seem to be a security
>issue but more of an administrative policy issue.
>
>Also, the fact that SA potentially has admin level access to many
>systems(not just localhost) in an organization should be reason enough to
>treat it as a sensitive system.
>
>-Kevin
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Bulinckx
>Sent: Tuesday, March 15, 2005 6:24 PM
>To: salive@woodstone.nu
>Subject: [SA-list] Security Advisory about Servers Alive
>
>A couple of weeks ago we were informed about a security issue in Servers
>Alive.  We see this issue as not really a Servers Alive issue, but I'll let you
>decide on it :-)
>
>
>
>Synopsis
>========
>A privilege-escalation vulnerability exists, allowing a local non-privileged
>user to obtain SYSTEM.
>
>Discussion
>==========
>Servers Alive can be run in two modes: as an application or as a service.
>When run as a service, the application is permitted to interact with the
>desktop and runs under the context of SYSTEM.  When loading the 'Local
>manual' under help, the application does not drop privileges.
>Consequently, it is possible to assume SYSTEM privileges by:
>
>1. Viewing the source of the help file, which opens in Notepad.
>2. In Notepad, selecting File, Open.
>3. Launching a system utility such as cmd.exe.
>
>Impact
>======
>Full local compromise of the host on which Servers Alive is installed.
>
>
>
>
>Based on this info we did some 'research'.
>
>Our conclusions:
>The F1 key is calling the HELP; as developer we CANNOT control what
>exactly is called (except for which help file).  VB (Servers Alive is written
>in VB) does the calls to the help system of the operating system and does
>this within the context of the user running the app/service.  This means
>that IF a service/app is running with full admin rights, the help file
>is called with those same rights, and IF it's possible to call an
>external app from the help system, that app will also be running with
>those same rights.  Well, the help system allows you to run an external app.
>Issue in Servers Alive or issue within the help system??
>We could remove the help from the app/service.  But then again we would have
>to remove all alerts/checks in Servers Alive too, since they could also be
>running a CMD.EXE (example shown above).
>Our only advice is that (as with any system) only authorized personnel should
>be allowed to access the Servers Alive system.
>
>This:
>"
>Running Servers Alive as a Service
>When running Servers Alive as a service using the Microsoft Management
>Console, you can select the Local System Account option on the Properties
>dialog box and click the Allow Service to Interact with Desktop setting. To
>run Servers Alive under the system account with desktop interaction, you
>should carefully consider an important security issue: Any process started
>from within Servers Alive has the same access rights as the system
>administrator.
>
>You must protect the system running Servers Alive by ensuring that only
>users with a correct security clearance are allowed to log on to the local
>system.
>
>For example, an administrator installs Servers Alive on a workstation and
>configures the software to run as a service, using the system account with
>desktop interaction. A non-administrative user can log on to the workstation
>and see Servers Alive as an icon in the system tray. The user can open the
>Servers Alive Help file and click the View Source command in the Windows
>Help viewer. Subsequently, in the Open dialog box, the user can open and run
>CMD.exe. The non-administrative user can now run the command line with all
>the access rights as the system administrator.
>"
>will be added to the help/doc of the next (minor) release of Servers Alive.

>
>
>
>
>
>Dirk.
>
>
>
>
>To unsubscribe from a list, send a mail message to [EMAIL PROTECTED] With
>the following in the body of the message:
>   unsubscribe SAlive
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>  
>

-- 
Jason Passow
Mississippi Welders Supply
[EMAIL PROTECTED]
ph: (507) 454-5231
fax: (507) 454-8104





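An added check, written for this page and not taken from the thread or from Servers Alive itself. The condition the advisory and the quoted documentation describe is a service that runs as the Local System account with "Allow service to interact with desktop" enabled: on Windows that combination shows up in the output of `sc qc <service>` as a TYPE value with the SERVICE_INTERACTIVE_PROCESS bit (0x100) set together with SERVICE_START_NAME set to LocalSystem. Any window such a service puts on the interactive desktop (a help viewer, a file-open dialog, Notepad) runs as SYSTEM, which is exactly the path to cmd.exe the advisory uses. The script below parses `sc qc` output and rates a service accordingly; the sample output, the service name "ExampleMonitor" and the binary path are constructed for this example (not the real Servers Alive service name or path), and `query_service` only works when run on a Windows host.

```python
"""
Flag Windows services that run as LocalSystem *and* interact with the desktop.

Added example for the Servers Alive advisory thread; it is not code from the
product or from any participant. The `sc qc` samples, the service name
"ExampleMonitor" and the binary paths are constructed for illustration.
"""
import re
import subprocess
from dataclasses import dataclass

# Bit in the service TYPE field set by "Allow service to interact with desktop".
SERVICE_INTERACTIVE_PROCESS = 0x100

# Account names under which a service effectively runs as SYSTEM.
SYSTEM_ACCOUNTS = {"localsystem", r"nt authority\system"}


@dataclass
class ServiceConfig:
    name: str
    type_flags: int        # raw TYPE value from `sc qc`, e.g. 0x110
    start_name: str        # SERVICE_START_NAME, e.g. "LocalSystem"
    binary_path: str


def parse_sc_qc(output: str) -> ServiceConfig:
    """Parse the key/value block printed by `sc qc <service>`."""
    fields = {}
    name = ""
    for line in output.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        # Keys are upper-case with underscores; the first colon separates key
        # from value, so a "C:\..." path in the value is kept intact.
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    # TYPE reads like "110  WIN32_OWN_PROCESS (interactive)"; the number is hex.
    type_hex = fields.get("TYPE", "0").split()[0]
    return ServiceConfig(
        name=name,
        type_flags=int(type_hex, 16),
        start_name=fields.get("SERVICE_START_NAME", ""),
        binary_path=fields.get("BINARY_PATH_NAME", ""),
    )


def runs_as_system(cfg: ServiceConfig) -> bool:
    return cfg.start_name.strip().lower() in SYSTEM_ACCOUNTS


def is_interactive(cfg: ServiceConfig) -> bool:
    return bool(cfg.type_flags & SERVICE_INTERACTIVE_PROCESS)


def assess(cfg: ServiceConfig) -> str:
    """
    HIGH:   SYSTEM + desktop interaction; any GUI element the service shows
            (help viewer, Open dialog) is a SYSTEM shell for a logged-on user.
    MEDIUM: SYSTEM without desktop interaction; still a sensitive host, but no
            window on the user's desktop to pivot through.
    OK:     runs under a less privileged account.
    """
    if runs_as_system(cfg) and is_interactive(cfg):
        return "HIGH"
    if runs_as_system(cfg):
        return "MEDIUM"
    return "OK"


def query_service(name: str) -> ServiceConfig:
    """Query a live service; Windows only (sc.exe must be on the PATH)."""
    out = subprocess.run(["sc", "qc", name], capture_output=True,
                         text=True, check=True).stdout
    return parse_sc_qc(out)


# Constructed sample output: the weak configuration from the advisory.
SAMPLE_RISKY = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExampleMonitor
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Example\monitor.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Example Monitor
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample output: same service, non-interactive, low-privilege account.
SAMPLE_FIXED = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExampleMonitor
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Example\monitor.exe
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

if __name__ == "__main__":
    for text in (SAMPLE_RISKY, SAMPLE_FIXED):
        cfg = parse_sc_qc(text)
        print(f"{cfg.name}: {assess(cfg)} "
              f"(account={cfg.start_name!r}, interactive={is_interactive(cfg)})")
```

The rating separates the two ingredients on purpose: clearing the interact-with-desktop flag (or running the service under a dedicated low-privilege account) closes the help-viewer path without touching the help file or the alert/check features the thread says would otherwise have to go, while the thread's own advice about restricting who may log on to the monitoring host still applies to any MEDIUM result.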
