May 16th, 2008

If users can shut down the machine, it's not a security hole if they can shut down the machine

One great way to come up with a dubious security vulnerability is to take something completely innocuous and wrap it inside layer upon layer of obfuscation, and then you proclaim that the obfuscation is the vulnerability. Here’s an example based on an actual dubious vulnerability report:

Title: Native NT application can shut down computer

Description: I have written this native NT application which bypasses the Win32 layer and talks directly to the low-level native NT functions. By calling various native NT functions, I can cause a dialog box to appear which includes a Shut Down button that shuts down the computer if the user clicks on it.

Well, sure, you can go through all that to shut down the computer. Or you can save yourself all the hassle and just call ExitWindowsEx. You see, that dialog box you found includes a “Shut Down” button only if the user that ran it has permission to shut down the computer in the first place. It is not a security vulnerability that users with permission to shut down the computer can shut down the computer.

This is another example of people getting excited that they were able to do something unusual. But just because you can do something unusual doesn’t mean that you’ve found a security vulnerability.
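A quick way to check the point above when triaging such a report, as an added example that is not part of the original post: see whether the account that ran the program already holds the shutdown right. It assumes that "permission to shut down the computer" corresponds to the SeShutdownPrivilege privilege in the user's token; the function names are hypothetical.

```powershell
# Added example, not from the original post.
# Returns the row for one privilege from the current token, or nothing if the
# token does not hold it.
function Get-TokenPrivilege {
    param([string]$Name = 'SeShutdownPrivilege')
    # /nh drops the (localized) header row so the columns can be named here.
    whoami /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State |
        Where-Object { $_.Name -eq $Name }
}

# Hypothetical triage helper: classifies a "program X can shut down the
# computer" report for the account running this script.
function Test-ShutdownReport {
    $priv = Get-TokenPrivilege
    if ($priv) {
        # A held privilege may be listed as Disabled until the process enables
        # it with AdjustTokenPrivileges; holding it is what grants the right.
        [pscustomobject]@{
            HoldsShutdownPrivilege = $true
            State                  = $priv.State
            Verdict                = 'No boundary crossed: this user may already shut down the machine.'
        }
    }
    else {
        [pscustomobject]@{
            HoldsShutdownPrivilege = $false
            State                  = $null
            Verdict                = 'Privilege absent: a shutdown from this account needs investigation.'
        }
    }
}

Test-ShutdownReport
```

Run it in a session belonging to the account named in the report, not an elevated administrator session, so the token inspected is the one the report is about.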


Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.
