Re: Is it possible to read a SGA's memory architecture ?

From: Vladimir M. Zakharychev <bob_at_dpsp-yes.com>
Date: Tue, 22 Oct 2002 20:07:08 +0400
Message-ID: <ap3t82$l0$1@babylon.agtel.net>


Just FYI - a quote from a recent SANS CVA letter regarding the matter:

Council Site Actions:
Most of the reporting council sites acknowledged this as a potential problem, but not one to be overly concerned about at this time. Most sites will monitor for when a patch is available and then determine if the patch should be applied. Several council sites stated that the frequently announced LOCAL/SYSTEM privilege escalation exploits are one reason why they do not use Windows systems for sensitive applications within their organizations.

Note the last sentence. :)

As for using this method for getting at Oracle's SGA - well, it *might* work if you want to go through the burden of injecting the code into some LocalSystem service's address space and passing control to it, and the code will then use those ReadProcessMemory() calls to dump the Oracle SGA. No need for this though unless you are determined to crash the system. :) Since you are in control of the machine, you don't need to elevate your privileges - you already have those you need. You can just write a simple dumper or use SoftICE+IceDump to get inside Oracle (though that's gonna be illegal according to Oracle's license terms.)

-- 
Vladimir Zakharychev (bob@dpsp-yes.com)                http://www.dpsp-yes.com
Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
All opinions are mine and do not necessarily go in line with those of my employer.


"Billy Verreynne" <vslabs_at_onwe.co.za> wrote in message news:ap3ecm$4la$1_at_ctb-nnrp2.saix.net...

> Vladimir M. Zakharychev wrote:
>
> > This is a rather old technique, recently rediscovered and studied by Foon.
> > He claims that Win32 has architectural flaws (unfixable) which may be
> > exploited for privilege escalation with very little skill and effort,
> > using only Windows messaging mechanisms and several APIs that send and
> > process messages. Pretty good essay plus links to Microsoft answers on it,
> > and answers on answers :) can be found here:
> >
> > http://security.tombom.co.uk/shatter.html
>
> Ah.. thanks. But as you say, this is very old hat stuff. It also never has
> been a real problem as it requires your code to be run locally on the
> machine being attacked. In that respect I tend to agree with the Microsoft
> security laws. If you allow a foreign program to execute on your machine,
> then the machine is no longer yours. The whole idea of having guest
> accounts and foreign programs executing on your system is fatally flawed in
> the first place. So is the corporate thing of rolling out "locked desktops"
> to their users (which btw I have running in a little VM inside Linux on
> their so-called locked down desktop).
>
> It does however make theoretical sense to implement a security layer at
> messaging level in the kernel architecture... but there are a lot of
> practical implications and performance issues around it.. which IMO could
> make something like this unpractical. The behaviour of the WM_TIMER message
> is very interesting though...
>
> I think calling it an architectural flaw is pushing it a tad. He does raise
> a few good points though.
>
> As for using this method to read the Oracle SGA, I doubt that it will work.
>
> --
> Billy
Received on Tue Oct 22 2002 - 11:07:08 CDT
