RE: Local persistent DoS in Windows XP SP2 Taskmgr
A couple of questions... One, there is no "TaskManager" key under HKCU\Software\Microsoft\Windows NT\CurrentVersion in either XP or Vista. And making one, and then adding a null-value "Preferences" REG_BINARY value didn't affect taskmanager at all... Is this specific to the German version of XP or something? And you have to be an administrator to write to the HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport value you reference in the "exploit" code...

So, are you saying that if you get the administrator of a box to run your arbitrary code "virus," that you could then write a registry value that makes TaskManager crash, and thus (since TaskManager won't run) you've "hidden" your process from the user? Why not just load a kernel mode rootkit that hides itself? Or why not do a million other things since you've gotten them to first run code as admin? I mean, it's really kind of silly to make TaskManager crash and tip your hand like that, don't you think?

You see (and this must be 1 million and 12 times said here), if you get someone to run arbitrary code as administrator, then, well, it doesn't matter at all what comes after "then." Then, ANYTHING. If the admin runs arbitrary code, nothing matters at all, period. If that's the response you got from MSFT that makes you think they are "totally ignorant," then I guess you can count me among them.

t

> -----Original Message-----
> From: SkyOut [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 14, 2008 12:48 PM
> To: bugtraq@securityfocus.com
> Subject: Local persistent DoS in Windows XP SP2 Taskmgr
>
> Dear list,
>
> after weeks of total ignorance by Microsoft I decided to finally
> release all information related to a bug that has to do with the
> Windows XP SP2 Taskmanager. Manipulating a Registry key makes it
> possible to disable the Taskmgr. On the next startup it will crash
> with an error message. It is possible to backup the key and repair
> the Registry doing so, but the attack scenario is clear: A virus uses
> this code, the user can't open the Taskmgr anymore and your process
> is somehow "hidden".
>
> The full information about this bug can be found here:
> http://core-security.net/archive/2008/march/index.php#14032008
>
> And the exploit is available here:
> http://core-security.net/releases/exploits/taskmgr_dos.c.txt
>
> Greets,
> SkyOut
>
> ---
> core-security.net
> ---
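The reply above names two registry locations (the `TaskManager\Preferences` REG_BINARY value under HKCU and the `DoReport` value under HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting) and points out that the HKLM write needs administrator rights. A read-only audit of those locations is the check a defender would want, so here is one as an added example; it is not code from the thread, from SkyOut's advisory, or from core-security.net. The two paths come from the thread; the third entry, `DisableTaskMgr` under the Policies\System key, is the documented Group Policy value that legitimately disables Task Manager (the "well known" key the next reply refers to) and is included so that a policy-driven disable is not mistaken for tampering. The thresholds used to flag a value are the author's assumptions about what an anomaly looks like, not facts from the thread.

```powershell
# Added example: read-only audit of the Task Manager related registry
# values discussed in the thread. Nothing here writes to the registry.

$script:Checks = @(
    # Path and value name quoted from the thread (reported as absent on
    # an untouched XP/Vista install, so 'absent' is the expected baseline).
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\TaskManager'
       Name = 'Preferences'; Note = 'Task Manager preferences blob (from the thread)' },
    # Path and value name quoted from the thread; requires admin to change.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PCHealth\ErrorReporting'
       Name = 'DoReport';    Note = 'Windows Error Reporting toggle (from the thread)' },
    # Documented policy value; a legitimate way to disable Task Manager.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Note = 'Group Policy value that disables Task Manager' }
)

function Get-TaskMgrRegistryState {
    # Returns one record per check: whether the key and value exist and,
    # if so, the current data.
    foreach ($c in $script:Checks) {
        $state = 'absent'
        $value = $null
        if (Test-Path -LiteralPath $c.Path) {
            $state = 'key-only'
            $item = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
            if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $c.Name)) {
                $value = $item.($c.Name)
                $state = 'present'
            }
        }
        [pscustomobject]@{
            Path  = $c.Path
            Name  = $c.Name
            State = $state
            Value = $value
            Note  = $c.Note
        }
    }
}

function Find-TaskMgrAnomalies {
    # Assumed anomaly rules (author's assumptions, not from the thread):
    #  - DisableTaskMgr = 1      : Task Manager disabled by policy
    #  - DoReport = 0            : error reporting switched off
    #  - Preferences empty/null  : the zero-length blob the thread describes
    foreach ($r in Get-TaskMgrRegistryState) {
        $reason = $null
        if ($r.State -eq 'present') {
            switch ($r.Name) {
                'DisableTaskMgr' { if ([int]$r.Value -eq 1) { $reason = 'Task Manager disabled by policy' } }
                'DoReport'       { if ([int]$r.Value -eq 0) { $reason = 'Error reporting switched off' } }
                'Preferences'    { if ($null -eq $r.Value -or $r.Value.Length -eq 0) {
                                       $reason = 'Empty Preferences blob' } }
            }
        }
        if ($reason) {
            $r | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru
        }
    }
}

# Usage: list everything, then only the flagged entries.
Get-TaskMgrRegistryState | Format-Table Path, Name, State, Note -AutoSize
Find-TaskMgrAnomalies   | Format-Table Path, Name, Reason -AutoSize
```

Run it in the context of the user whose HKCU hive you want to inspect; the HKLM entry is readable without elevation, which is enough for an audit. Because `DisableTaskMgr` is also set by ordinary domain policy, a hit on that entry should be compared against the applied GPOs before it is treated as tampering. If you want to preserve the state of a key before any repair, `reg.exe export` on the key is the backup step the original post alludes to.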
Re: Local persistent DoS in Windows XP SP2 Taskmgr
SkyOut wrote:
> [...]
> Manipulating a Registry key makes it possible to disable the Taskmgr.
> [...]

Hi, SkyOut,

I'm afraid I don't quite get the point here. The existence of a registry key which allows disabling the task manager is pretty well known and documented. As a matter of fact I think it's been put in in order to allow administrators to further restrict limited users' rights, although this is of course arguable. Why should it be something new?

--
Charo I. Del Genio
Research assistant, Department of Physics, University of Houston

Mathematics is the tribunal of the world. The number is order and discipline. That by means of which one points out the goal of science betrays the thing with the term. Order, the term has already got something bleak that tastes like police: it shadows in the followers the forces of the cosmic order, the cosmic rites. The authentic scientific feeling is impotent before the universe. Devaluation, that shoves in the hands of the citizen in a single movement billions of trade marks, leaving him more miserable than before, proves point by point that money is but a collective hallucination.
Local persistent DoS in Windows XP SP2 Taskmgr
Dear list,

after weeks of total ignorance by Microsoft I decided to finally release all information related to a bug that has to do with the Windows XP SP2 Taskmanager. Manipulating a Registry key makes it possible to disable the Taskmgr. On the next startup it will crash with an error message. It is possible to backup the key and repair the Registry doing so, but the attack scenario is clear: A virus uses this code, the user can't open the Taskmgr anymore and your process is somehow "hidden".

The full information about this bug can be found here:
http://core-security.net/archive/2008/march/index.php#14032008

And the exploit is available here:
http://core-security.net/releases/exploits/taskmgr_dos.c.txt

Greets,
SkyOut

---
core-security.net
---