Windows Vista Power Management & Local Security Policy


Windows Vista Power Management & Local Security Policy

by Abe Getchell-2

When the security option "Shutdown: Allow system to be shut down without
having to log on" (in the local security policy) is set to "Disable", and
the power management setting "When I press the power button" is set to "Shut
Down", it is possible for an unauthenticated user to press the power button
at the Windows logon screen and gracefully shut down the system. The
explanation of this security option, taken from the local security policy,
is as follows:

"Shutdown: Allow system to be shut down without having to log on

This security setting determines whether a computer can be shut down without
having to log on to Windows.

When this policy is enabled, the Shut Down command is available on the
Windows logon screen.

When this policy is disabled, the option to shut down the computer does not
appear on the Windows logon screen. In this case, *users must be able to log
on to the computer successfully and have the Shut down the system user right
before they can perform a system shutdown*.

Default on workstations: Enabled.
Default on servers: Disabled."

Note the text between the asterisks. While this bug isn't necessarily a
software flaw allowing for an intrusion into the system in a traditional
sense, it does set a bad precedent in that power management has a free pass
to bypass local security policy and perform actions expressly against the
defined policy. It appears that the only impact the use of this security
option actually has is enabling or disabling the display of the "power
button" on the Windows logon screen (locally only - this setting has no
effect on remote desktop connections - the "power button" is not displayed
in either case), not actually preventing anyone from (gracefully) shutting
down the system without logging in.

I reported this to the MSRC on 6/25/2008 and their stance was that this
wasn't a security vulnerability, but was likely a bug, and was passed
directly to the product team to investigate through their normal bug triage
process. After some back and forth, there was silence, and I let them know I
was going to release this information to the community.

This was tested on Windows Vista SP1 (32-bit).

--
Abe Getchell
me@...
https://abegetchell.com/
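
The combination reported above (policy disabled, power button set to "Shut Down") can be audited per host. The following PowerShell is an added example, not part of the original thread; it assumes the policy is stored in the `ShutdownWithoutLogon` registry value, that `powercfg` accepts the `SUB_BUTTONS` and `PBUTTONACTION` aliases, and that `powercfg` prints English output.

```powershell
# Added example (not from the thread): report hosts where the logon-screen
# shutdown policy is disabled but the power button is still mapped to Shut down.
# Assumptions: registry location of the policy, powercfg aliases, English output.

$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ActionNames = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }

function Get-ShutdownWithoutLogon {
    # Returns 1 (Enabled), 0 (Disabled) or $null when the value is not set.
    $item = Get-ItemProperty -Path $PolicyKey -Name ShutdownWithoutLogon `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ShutdownWithoutLogon
}

function Get-PowerButtonAction {
    # Returns a hashtable such as @{ AC = 3; DC = 3 } for the active power plan.
    $result = @{}
    $lines  = & powercfg.exe /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2>$null
    foreach ($line in $lines) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9a-fA-F]+)') {
            $result[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
        }
    }
    return $result
}

$policy  = Get-ShutdownWithoutLogon
$actions = Get-PowerButtonAction

if ($null -eq $policy) {
    Write-Output 'ShutdownWithoutLogon : not set (OS default applies)'
} else {
    Write-Output ("ShutdownWithoutLogon : {0}" -f $policy)
}

if ($actions.Count -eq 0) {
    Write-Output 'Power button action  : could not be read from powercfg'
}

foreach ($source in 'AC', 'DC') {
    if (-not $actions.ContainsKey($source)) { continue }

    $value = $actions[$source]
    $name  = "unknown ($value)"
    if ($ActionNames.ContainsKey($value)) { $name = $ActionNames[$value] }
    Write-Output ("Power button ({0})    : {1}" -f $source, $name)

    # The mismatch from the report: policy says "no shutdown without logon",
    # yet the button action would shut the system down anyway.
    if ($policy -eq 0 -and $value -eq 3) {
        Write-Output ("  MISMATCH: policy is Disabled but the {0} power button action is Shut down" -f $source)
    }
}
```

Run it from an elevated prompt on the machine being checked; a `MISMATCH` line marks the configuration described in the report.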



RE: Windows Vista Power Management & Local Security Policy

by Jim Harrison

Abe,

Other than a denial-of-service from the console (is the power switch now a security vuln, too?), what can you do with this bug?  It's absolutely, unquestionably a "bug"; the user should see behavior as dictated by logic and described in the documentation, but a "security vulnerability"?

I think that's stretching things juuuuuust a bit.

Jim

-----Original Message-----
From: Abe Getchell [mailto:me@...]
Sent: Thursday, July 17, 2008 7:39 PM
To: bugtraq@...
Subject: Windows Vista Power Management & Local Security Policy

When the security option "Shutdown: Allow system to be shut down without
having to log on" (in the local security policy) is set to "Disable", and
the power management setting "When I press the power button" is set to "Shut
Down", it is possible for an unauthenticated user to press the power button
at the Windows logon screen and gracefully shut down the system. The
explanation of this security option, taken from the local security policy,
is as follows:

"Shutdown: Allow system to be shut down without having to log on

This security setting determines whether a computer can be shut down without
having to log on to Windows.

When this policy is enabled, the Shut Down command is available on the
Windows logon screen.

When this policy is disabled, the option to shut down the computer does not
appear on the Windows logon screen. In this case, *users must be able to log
on to the computer successfully and have the Shut down the system user right
before they can perform a system shutdown*.

Default on workstations: Enabled.
Default on servers: Disabled."

Note the text between the asterisks. While this bug isn't necessarily a
software flaw allowing for an intrusion into the system in a traditional
sense, it does set a bad precedent in that power management has a free pass
to bypass local security policy and perform actions expressly against the
defined policy. It appears that the only impact the use of this security
option actually has is enabling or disabling the display of the "power
button" on the Windows logon screen (locally only - this setting has no
effect on remote desktop connections - the "power button" is not displayed
in either case), not actually preventing anyone from (gracefully) shutting
down the system without logging in.

I reported this to the MSRC on 6/25/2008 and their stance was that this
wasn't a security vulnerability, but was likely a bug, and was passed
directly to the product team to investigate through their normal bug triage
process. After some back and forth, there was silence, and I let them know I
was going to release this information to the community.

This was tested on Windows Vista SP1 (32-bit).

--
Abe Getchell
me@...
https://abegetchell.com/




RE: Windows Vista Power Management & Local Security Policy

by Abe Getchell-2

As stated in my original e-mail to the list, I definitely don't think that
this is a security vulnerability in a traditional sense. I completely agree
with you. Think about it this way... When you press the power button on the
machine and it performs a graceful shutdown, stuff happens inside of the
operating system. That stuff happens at an elevated privilege level. If
there were some way to hook into the stuff that happens, you (as an
unauthenticated user), could do bad things (besides simply shutting down the
system) using that hook simply by pressing the power button at the logon
screen. For example, if Jim wants to know what Nancy is working on, he could
write a program which e-mails him the contents of her "My Documents" folder
that is triggered by a hook into that process. All Jim needs to do is get
Nancy to run that program on her system (not hard) and walk by her office
when she's not there and hit the power button (also not hard). So what can
_I_ do with this bug? Not much, I'm not that great of a programmer... but I
think someone out there could do some nasty stuff.

--
Abe Getchell
me@...
https://abegetchell.com/


> -----Original Message-----
> From: Jim Harrison [mailto:Jim@...]
> Sent: Saturday, July 19, 2008 1:36 AM
> To: 'me@...'; bugtraq@...
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> Abe,
>
> Other than a denial-of-service from the console (is the power switch
> now a security vuln, too?), what can you do with this bug?  It's
> absolutely, unquestionably a "bug"; the user should see behavior as
> dictated by logic and described in the documentation, but a "security
> vulnerability"?
>
> I think that's stretching things juuuuuust a bit.
>
> Jim



RE: Windows Vista Power Management & Local Security Policy

by Thor (Hammer of God)

If Jim is going to get Nancy to run a program, and that's "not all that
hard," then why not just have that program do what you want in the first
place rather than worrying about the power switch nonsense?  This is the
one million and fourth time:  "If your 'vulnerability' begins with 'if I
can get the user to run code' then whatever comes after the 'then'
doesn't matter.  Period."

t



> -----Original Message-----
> From: Abe Getchell [mailto:me@...]
> Sent: Saturday, July 19, 2008 12:33 AM
> To: 'Jim Harrison'; bugtraq@...
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> As stated in my original e-mail to the list, I definitely don't think
> that
> this is a security vulnerability in a traditional sense. I completely
> agree
> with you. Think about it this way... When you press the power button
> on
> the
> machine and it performs a graceful shutdown, stuff happens inside of
> the
> operating system. That stuff happens at an elevated privilege level.
> If
> there were some way to hook into the stuff that happens, you (as an
> unauthenticated user), could do bad things (besides simply shutting
> down the
> system) using that hook simply by pressing the power button at the
> logon
> screen. For example, if Jim wants to know what Nancy is working on, he
> could
> write a program which e-mails him the contents of her "My Documents"
> folder
> that is triggered by a hook into that process. All Jim needs to do is
> get
> Nancy to run that program on her system (not hard) and walk by her
> office
> when she's not there and hit the power button (also not hard). So what
> can
> _I_ do with this bug? Not much, I'm not that great of a programmer...
> but I
> think someone out there could do some nasty stuff.
>
> --
> Abe Getchell
> me@...
> https://abegetchell.com/


RE: Windows Vista Power Management & Local Security Policy

by Abe Getchell-2

So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?

--
Abe Getchell
me@...
https://abegetchell.com/

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@...]
> Sent: Saturday, July 19, 2008 6:20 PM
> To: me@...; Jim Harrison; bugtraq@...
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> If Jim is going to get Nancy to run a program, and that's "not all that
> hard," then why not just have that program do what you want in the
> first
> place rather than worrying about the power switch nonsense?  This is
> the
> one million and fourth time:  "If your 'vulnerability' begins with 'if
> I
> can get the user to run code' then whatever comes after the 'then'
> doesn't matter.  Period."
>
> t



RE: Windows Vista Power Management & Local Security Policy

by Jim Harrison

It's about reality & priorities.

What we're both saying is:
1. it's a bug and should be fixed in accordance with its impact on real (not imagined) functionality & security
2. unless this provides some exploit that doesn't start with "if I can install software on the host", it's not more than "a bug in a security mechanism"

If someone can demonstrate an actual vulnerability or exploit on the basis of this bug _alone_, then they may have something to make noise about.  There are enough real bugs and security vulns in software to deal with.  Not every security issue spells doom and damnation or warrants immediate corrective response from the vendor.

Jim

-----Original Message-----
From: Abe Getchell [mailto:me@...]
Sent: Sunday, July 20, 2008 12:32 PM
To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
Cc: bugtraq@...
Subject: RE: Windows Vista Power Management & Local Security Policy

So, you guys don't think it's an issue that power management in Vista
(apparently) has a pass to bypass local security policy?

--
Abe Getchell
me@...
https://abegetchell.com/





RE: Windows Vista Power Management & Local Security Policy

by Abe Getchell-2

I understand all of that, which is precisely the reason I put it out there.
The example I put forth might have been a bad one (given that it relies on
an additional piece of code to be installed on a target machine), but
there's probably more to this issue than I can deduce. I'll let those more
versed in that area of security figure it out. As a side note, check out
some of the conversations on the Linux Kernel mailing list about power
management and security. Interesting stuff.

--
Abe Getchell
me@...
https://abegetchell.com/

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@...]
> Sent: Sunday, July 20, 2008 4:33 PM
> To: 'me@...'; 'Thor (Hammer of God)'; 'Johan Beisser'
> Cc: bugtraq@...
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> It's about reality & priorities.
>
> What we're both saying is:
> 1. it's a bug and should be fixed in accordance with its impact on real
> (not imagined) functionality & security
> 2. unless this provides some exploit that doesn't start with "if I can
> install software on the host", it's not more than "a bug in a security
> mechanism"
>
> If someone can demonstrate an actual vulnerability or exploit on the
> basis of this bug _alone_, then they may have something to make noise
> about.  There are enough real bugs and security vulns in software to
> deal with.  Not every security issue spells doom and damnation or
> warrants immediate corrective response from the vendor.
>
> Jim
>
> -----Original Message-----
> From: Abe Getchell [mailto:me@...]
> Sent: Sunday, July 20, 2008 12:32 PM
> To: 'Thor (Hammer of God)'; Jim Harrison; 'Johan Beisser'
> Cc: bugtraq@...
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> So, you guys don't think it's an issue that power management in Vista
> (apparently) has a pass to bypass local security policy?
>
> --
> Abe Getchell
> me@...
> https://abegetchell.com/
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@...]
> > Sent: Saturday, July 19, 2008 6:20 PM
> > To: me@...; Jim Harrison; bugtraq@...
> > Subject: RE: Windows Vista Power Management & Local Security Policy
> >
> > If Jim is going to get Nancy to run a program, and that's "not all
> that
> > hard," then why not just have that program do what you want in the
> > first
> > place rather than worrying about the power switch nonsense?  This is
> > the
> > one million and fourth time:  "If your 'vulnerability' begins with
> 'if
> > I
> > can get the user to run code' then whatever comes after the 'then'
> > doesn't matter.  Period."
> >
> > t
> >
> >
> >
> > > -----Original Message-----
> > > From: Abe Getchell [mailto:me@...]
> > > Sent: Saturday, July 19, 2008 12:33 AM
> > > To: 'Jim Harrison'; bugtraq@...
> > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > >
> > > As stated in my original e-mail to the list, I definitely don't think that
> > > this is a security vulnerability in a traditional sense. I completely agree
> > > with you. Think about it this way... When you press the power button on the
> > > machine and it performs a graceful shutdown, stuff happens inside of the
> > > operating system. That stuff happens at an elevated privilege level. If
> > > there were some way to hook into the stuff that happens, you (as an
> > > unauthenticated user), could do bad things (besides simply shutting down the
> > > system) using that hook simply by pressing the power button at the logon
> > > screen. For example, if Jim wants to know what Nancy is working on, he could
> > > write a program which e-mails him the contents of her "My Documents" folder
> > > that is triggered by a hook into that process. All Jim needs to do is get
> > > Nancy to run that program on her system (not hard) and walk by her office
> > > when she's not there and hit the power button (also not hard). So what can
> > > _I_ do with this bug? Not much, I'm not that great of a programmer... but I
> > > think someone out there could do some nasty stuff.
> > >
> > > --
> > > Abe Getchell
> > > me@...
> > > https://abegetchell.com/
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@...]
> > > > Sent: Saturday, July 19, 2008 1:36 AM
> > > > To: 'me@...'; bugtraq@...
> > > > Subject: RE: Windows Vista Power Management & Local Security Policy
> > > >
> > > > Abe,
> > > >
> > > > Other than a denial-of-service from the console (is the power switch
> > > > now a security vuln, too?), what can you do with this bug?  It's
> > > > absolutely, unquestionably a "bug"; the user should see behavior as
> > > > dictated by logic and described in the documentation, but a "security
> > > > vulnerability"?
> > > >
> > > > I think that's stretching things juuuuuust a bit.
> > > >
> > > > Jim
> > > >
> > > > -----Original Message-----
> > > > From: Abe Getchell [mailto:me@...]
> > > > Sent: Thursday, July 17, 2008 7:39 PM
> > > > To: bugtraq@...
> > > > Subject: Windows Vista Power Management & Local Security Policy
> > > >
> > > > When the security option "Shutdown: Allow system to be shutdown without
> > > > having to log on" (in the local security policy) is set to "Disable", and
> > > > the power management setting "When I press the power button" is set to
> > > > "Shut Down", it is possible for an unauthenticated user to press the power
> > > > button at the Windows logon screen and gracefully shutdown the system. The
> > > > explanation of this security option, taken from the local security policy,
> > > > is as follows:
> > > >
> > > > "Shutdown: Allow system to be shut down without having to log on
> > > >
> > > > This security setting determines whether a computer can be shut down
> > > > without having to log on to Windows.
> > > >
> > > > When this policy is enabled, the Shut Down command is available on the
> > > > Windows logon screen.
> > > >
> > > > When this policy is disabled, the option to shut down the computer does
> > > > not appear on the Windows logon screen. In this case, *users must be able
> > > > to log on to the computer successfully and have the Shut down the system
> > > > user right before they can perform a system shutdown*.
> > > >
> > > > Default on workstations: Enabled.
> > > > Default on servers: Disabled."
> > > >
> > > > Note the text between the asterisks. While this bug isn't necessarily a
> > > > software flaw allowing for an intrusion into the system in a traditional
> > > > sense, it does set a bad precedence in that power management has a free
> > > > pass to bypass local security policy and perform actions expressly against
> > > > the defined policy. It appears that the only impact the use of this
> > > > security option actually has is enabling or disabling the display of the
> > > > "power button" on the Windows logon screen (locally only - this setting has
> > > > no affect on remote desktop connections - the "power button" is not
> > > > displayed in either case), not actually preventing anyone from (gracefully)
> > > > shutting down the system without logging in.
> > > >
> > > > I reported this to the MSRC on 6/25/2008 and their stance was that this
> > > > wasn't a security vulnerability, but was likely a bug, and was passed
> > > > directly to the product team to investigate through their normal bug
> > > > triage process. After some back and forth, there was silence, and I let
> > > > them know I was going to release this information to the community.
> > > >
> > > > This was tested on Windows Vista SP1 (32-bit).
> > > >
> > > > --
> > > > Abe Getchell
> > > > me@...
> > > > https://abegetchell.com/
> > > >
> > > >
> > >
>
>



RE: Windows Vista Power Management & Local Security Policy

by James C. Slora, Jr.

So is this the bottom line?

This is a security mechanism bug that might lead to privilege escalation
for arbitrary user processes. The OP has left it for others to determine
exploitability.



RE: Windows Vista Power Management & Local Security Policy

by Jim Harrison

You can't waste your time chasing things that "might lead to cats & dogs living together in sin".  Specifically, there's no "privilege escalation" beyond that which began with "if I install..."  It's pretty well understood that once you have the ability to place your own code on a machine, it's "game over".

Don't get me wrong; I think it's quite valid for someone to report something they feel is a vuln; even (or maybe even especially) if they can't demonstrate an exploit based on it.  There have been plenty of reports herein and without that were actually proven by others.  This is one of the things that makes open discussion so valuable.

So far, no one has demonstrated an exploit that depends on this behavior _alone_.

Jim

________________________________________
From: James C. Slora Jr. [james.slora@...]
Sent: Tuesday, July 22, 2008 8:15 AM
To: bugtraq@...
Subject: RE: Windows Vista Power Management & Local Security Policy

So is this the bottom line?

This is a security mechanism bug that might lead to privilege escalation
for arbitrary user processes. The OP has left it for others to determine
exploitability.

RE: Windows Vista Power Management & Local Security Policy

by Abe Getchell-2

Correct. Power management in Windows Vista is apparently given a pass to
bypass local security policy, which is a bad thing, and sets a bad
precedent. I will leave it to others to exploit this security issue, given
that I know little about the programmatic aspect of power management in
Windows. There are people out there much more capable than me who, if they
feel it warranted, can research the issue further. I don't consider it, as
Jim Harrison would say, "wasting your time chasing things that 'might lead
to cats & dogs living together in sin'", but rather "security research" and
"sharing information". I don't consider Jim's reaction surprising at all,
though, as he works for Microsoft.

--
Abe Getchell
me@...
https://abegetchell.com/

> -----Original Message-----
> From: James C. Slora Jr. [mailto:james.slora@...]
> Sent: Tuesday, July 22, 2008 11:15 AM
> To: bugtraq@...
> Subject: RE: Windows Vista Power Management & Local Security Policy
>
> So is this the bottom line?
>
> This is a security mechanism bug that might lead to privilege
> escalation
> for arbitrary user processes. The OP has left it for others to
> determine
> exploitability.
>
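Added example, not part of any message in this thread: a PowerShell audit that reports the combination the original post describes, where the logon-screen shutdown policy is disabled but the power button is still set to "Shut down". It assumes English-language `powercfg` output and the `SCHEME_CURRENT`, `SUB_BUTTONS` and `PBUTTONACTION` aliases listed by `powercfg /aliases`; the function names are hypothetical.

```powershell
# Added example (not from the thread). Function names are hypothetical.

function Get-ShutdownWithoutLogon {
    # Registry value behind "Shutdown: Allow system to be shut down
    # without having to log on" (1 = enabled, 0 = disabled).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -Name ShutdownWithoutLogon -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }   # value absent: the OS default applies
    return [int]$p.ShutdownWithoutLogon
}

function ConvertFrom-PowerCfgButtonQuery {
    param([string[]]$Lines)
    # Assumes English output such as:
    #   Current AC Power Setting Index: 0x00000003
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9a-fA-F]+)') {
            $result[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
        }
    }
    return $result
}

# Power button action indexes as listed by powercfg for PBUTTONACTION.
$actions = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }

$policy  = Get-ShutdownWithoutLogon
$buttons = ConvertFrom-PowerCfgButtonQuery (powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION)

foreach ($source in $buttons.Keys) {
    $index = $buttons[$source]
    $name  = if ($actions.ContainsKey($index)) { $actions[$index] } else { "Unknown ($index)" }
    New-Object PSObject -Property @{
        PowerSource          = $source          # AC or DC (battery)
        PowerButtonAction    = $name
        ShutdownWithoutLogon = $policy
        # Policy says "no shutdown before logon", button says "Shut down".
        PolicyMismatch       = ($policy -eq 0 -and $index -eq 3)
    }
}
```

A row with `PolicyMismatch` set to `True` marks a host where the power button still shuts the system down from the logon screen despite the policy. Setting the button action to index 0 with `powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0` (and `/setdcvalueindex` for battery) brings the two settings into agreement.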



RE: Windows Vista Power Management & Local Security Policy

by Good Securitypractice

People in this discussion have been focusing on the technical aspects
rather than the people aspect.

The current power management system is MUCH more secure because people
do not have to be given an account on the machine for them to shut it
down.

This is helpful when an admin cannot get to a machine that has to be
gracefully shut down because of an impending power outage or
thunderstorms.  This can be a home computer, a computer in a dorm
room, a server in a hosting environment, etc.

This is also very helpful in a kiosk environment where no one at the
place can be trusted with usernames and passwords to the computer.

As an example the computer operators in our server room do not have a
username or password on the servers but can gracefully bring them down
by pressing the power button.  Not having a username and password
shared amongst multiple operators or giving multiple operators access
to a server is not a good security practice either, especially on
sensitive computers.

Some people will say physical access is enough to compromise security
but we have cameras that record any unauthorized physical tampering.

RE: Windows Vista Power Management & Local Security Policy

by Greg-157



-----Original Message-----
From: Abe Getchell [mailto:me@...]
Sent: Friday, 18 July 2008 12:39 PM
To: bugtraq@...
Subject: Windows Vista Power Management & Local Security Policy

> When the security option "Shutdown: Allow system to be shutdown without
> having to log on" (in the local security policy) is set to "Disable", and
> the power management setting "When I press the power button" is set to
> "Shut Down", it is possible for an unauthenticated user to press the power
> button at the Windows logon screen and gracefully shutdown the system. The
> explanation of this security option, taken from the local security policy,
> is as follows:

I came into this late but I just had to comment on the above - apologies if
it already happened.

Since Win ME, you have been able to push the power button to gracefully shut
down the computer (note I am not talking about servers that may have been
altered by people with a clue but just home computers, terminals in an
office that don't have someone looking after them who knows what they are
doing etc). In some cases where, for whatever reason, the computer goes
crappy and loses contact with the keyboard and mouse, this has been the way
to shut it down without risking data by turning the power off or hitting the
reset button.

Personally, I don't feel that scenario is a risk because the person is there
to begin with to press the button. There comes a point where the person to
blame for a security issue must be the person who hired the one pushing the
button to shut the machine down. Not everyone is honest but if you hire
staff you have to assume they are going to do something stupid, even if
accidentally, from time to time. I would prefer someone able to shut the
machine down by pushing the button. I can't see why I would have to get up
and drive 90 minutes to do that to a machine that is playing up when the
person reporting that problem to me is presumably standing in front of it.