[Dshield] WMF - SETABORTPROC alarms
bschnzl at cotse.net
Mon Jan 2 07:10:20 GMT 2006
I would like to examine the relative risk involved with the WMF -
SETABORTPROC (heretofore "WMF") issue. Setting aside responsible
disclosure issues, I believe the vulnerability is not as pressing as
others in the past. Resources used in testing the "unofficial" patch
are better used elsewhere. Insight from replies will guide my
response to this disclosure.

Here is my analysis of the disclosure. The potential for
automatic exploit is low. If one limits user shell activity on
critical machines properly, exposure is reduced, and native recovery
platforms remain available. The exploit renders privilege in the
current security context, requiring additional functionality to
perform administrative level functions. As well, limiting NetBIOS
connections across network boundaries removes the largest exposure.
Best Practices already indicate more controlled environments for Road
Warriors, increasing this risk only marginally.

The vulnerability requires the opening of a graphic file. This is
decidedly a user function. Windows Explorer will do this to every
file in opened directories, but the user has to open the directory.
Thus, the speed with which any malware will travel through a network
is reduced below that of the Nimda and Zotob worms, for instance.

Those with access to critical machines are more likely to know
that reading your personal mail on a server is not recommended.
While browsing the web is certainly doable on a Windows server,
hopefully administrators know that is not a good idea. Generally,
these users have better ideas of how they will do things when they
start pushing the mouse around. With more deliberate action paths
comes less risk, in this case especially.

This exploit compromises the user's account only. Hopefully users
are limited in what they can do to their physical workstations.
Certainly they should be limited to how they can make changes on the
server. While any compromise is dangerous, real system damage
requires another attack in this case. That gives those who practice
defense-in-depth another opportunity to detect the intrusion. Again,
it could be worse.

In this day and age, most of us know that allowing NetBIOS to the
open internet is asking for trouble. In the case of a file finding
its way onto shared drive spaces, it still only infects the
workstations that open it. The server that hosts that file can be
cleaned from a command line. As well, in the case of older variants,
the server provides a second chance at detection.
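One way to give the file server that "second chance at detection" mentioned above, added here as an example and not code from the original post or from the DShield list: a small Python scanner that walks the WMF record structure and flags any META_ESCAPE record whose escape number is SetAbortProc, something no ordinary picture needs. The record layout and the constants (META_ESCAPE = 0x0626, SetAbortProc escape number 9, placeable-header magic 0x9AC6CDD7) come from the published WMF and GDI format; the sample files are constructed inline for the demonstration and are neither real pictures nor exploit files. Malformed record sizes are reported rather than trusted, because a scanner that trips over a hostile file is no detection at all.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header magic (optional 22-byte prefix)
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009      # GDI escape number for SetAbortProc


class MalformedWMF(Exception):
    """Raised when a header or record is inconsistent with the file size."""


def wmf_records(data):
    """Yield (function, params) for every record in a WMF blob.

    Skips the optional placeable header, checks the 18-byte METAHEADER, then
    walks records laid out as rdSize (DWORD, in 16-bit words, counting the
    6-byte record header), rdFunction (WORD), rdParm (WORDs)."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise MalformedWMF("truncated METAHEADER")
    mt_type, hdr_size = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_size != 9:
        raise MalformedWMF("METAHEADER fields out of range")
    off += 18
    while True:
        if off + 6 > len(data):
            raise MalformedWMF("record header runs past end of file")
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            # A record can never be smaller than its own 6-byte header.
            raise MalformedWMF("record size smaller than its own header")
        end = off + size_words * 2
        if end > len(data):
            raise MalformedWMF("record body runs past end of file")
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def scan_wmf(data):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    try:
        for func, params in wmf_records(data):
            if func != META_ESCAPE:
                continue
            # First parameter WORD of an escape record is the escape number.
            esc = struct.unpack_from("<H", params, 0)[0] if len(params) >= 2 else None
            if esc == ESC_SETABORTPROC:
                findings.append("META_ESCAPE with SETABORTPROC: abort-procedure "
                                "registration has no place in a picture")
            # Other escapes (e.g. metafile comments) are common and not flagged here.
    except MalformedWMF as e:
        findings.append(f"malformed structure: {e}")
    return findings


def build_wmf(records):
    """Assemble a disk-type WMF from (function, params) pairs as a test fixture.
    Sizes are computed honestly; this produces a constructed file, not a real picture."""
    body = b""
    max_rec = 0
    for func, params in list(records) + [(META_EOF, b"")]:
        assert len(params) % 2 == 0, "WMF parameters are whole 16-bit words"
        size_words = 3 + len(params) // 2
        max_rec = max(max_rec, size_words)
        body += struct.pack("<IH", size_words, func) + params
    total_words = (18 + len(body)) // 2
    # mtType=2 (disk), mtHeaderSize=9, mtVersion=0x0300, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_rec, 0)
    return header + body


# Constructed samples: a benign file, one carrying the escape record, the same with
# a placeable header in front, and a copy cut short to exercise the malformed path.
BENIGN_WMF = build_wmf([(META_SETWINDOWORG, struct.pack("<hh", 0, 0))])
ESCAPE_WMF = build_wmf([
    (META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    (META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 0)),  # escape number, byte count
])
PLACEABLE_WMF = struct.pack("<I", PLACEABLE_MAGIC) + b"\x00" * 18 + ESCAPE_WMF
TRUNCATED_WMF = ESCAPE_WMF[:-4]

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("escape", ESCAPE_WMF),
                       ("placeable", PLACEABLE_WMF), ("truncated", TRUNCATED_WMF)]:
        print(name, scan_wmf(blob) or "clean")
```

Run this over the files sitting on a share before anyone double-clicks them; a file that reports a SETABORTPROC escape or a malformed structure belongs in quarantine for closer examination, which is exactly the server-side checkpoint the post is describing.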
Road warriors remain a problem, but this particular issue does not
increase the risk as much as simply connecting to uncontrolled
networks. The connection risk indicates increased education effort,
and quarantine procedures. These steps provide momentum toward
handling any compromise along this vector. I feel justified in
listing this as a marginal increase in risk.

While my own experience is that few networks practice the above
steps in a comprehensive way, much progress has been made. Today's
networks are much more resistant to this sort of vulnerability than
just a year ago. Some networks have been compromised by using this
exploit. Fewer still will notice. That responsibility rests
squarely on the management and administrators of each network. With
that level of resources applied, I find it hard to recommend an

Your thoughts are appreciated. Please include my address on the
To: line for replies.
Bill Scherr IV, GSEC, GCIA