Monthly Archives: June 2003

OpenType Font File causes Windows to crash

Posted by Julian Dunn on June 25, 2003
Security, Windows

Had a good time investigating this:

OpenType Font File causes Windows to crash.

Microsoft hasn’t acknowledged the bug’s presence, nor have they issued a fix. So right now, if you’re running Win2K or XP, you’re vulnerable. In my case I was able to lock up a Win2K machine so badly that it refused to ever boot again, claiming that some device driver was missing or corrupted.

Whee! Go Microsoft.

Update: (08/25/2003) This is repaired in Windows 2000 Service Pack 4. I can’t speak for XP.

Proliferation of Poorly-Configured Linux Boxes

Posted by Julian Dunn on June 24, 2003
Linux, Security

Someone in ;login: magazine a few issues back talked about the proliferation of poorly-configured Linux boxes, and how the volume of these will eventually outstrip the quantity of poorly-configured Windows boxes as Linux increases in popularity. The notion that Linux is more secure than Windows falls apart when you have clueless users who willfully follow directions like those listed on Ximian’s website to install Ximian Desktop 2.0:

There is nothing to download first, just follow the instructions below.

<snip>

  1. Open a terminal window.
  2. Using the su command, become superuser (root).
  3. Type the following command or cut and paste it into your terminal: wget -q -O - http://go.ximian.com |sh

Great job, Ximian. Encourage people to download a shell script, as root, and blindly execute it — no MD5 sanity check, nothing. I mean, it makes me want to compromise go.ximian.com and replace the index page with a text file containing “rm -rf /”. It’s also fabulous that they advocate using the -q (quiet) switch with wget, so that I could now hack the httpd.conf to send a redirect to my own website, which could provide a text file containing “rm -rf /” — and the 302 Temporarily Moved code would NEVER be seen by the user.
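For contrast with the pipe-to-sh instructions quoted above, here is the download-verify-execute pattern the post says is missing. This is an added example, not code from the original post or from Ximian. It assumes the vendor publishes a digest out of band (the `EXPECTED_SHA256` value is a placeholder you would paste in), that `wget` and `sha256sum` are available, and that the script URL is a placeholder. The post mentions MD5; `md5sum` would drop in the same way, but SHA-256 is the better choice today.

```shell
#!/bin/sh
# Added example: fetch an installer script to a file, refuse silent redirects,
# verify its digest against a published value, and only then run it.
# Everything below (URL, digest) is a placeholder, not a real Ximian value.

INSTALLER_URL="http://example.invalid/install.sh"                          # placeholder
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# fetch_script URL DEST
# Save to a file instead of piping to sh. -S prints the server's response
# headers, so a 302 is visible; --max-redirect=0 makes wget fail rather than
# quietly follow a redirect to somewhere else.
fetch_script() {
    wget -S --max-redirect=0 -O "$2" "$1"
}

# verify_digest FILE EXPECTED_HEX
# Returns 0 only when FILE's SHA-256 matches EXPECTED_HEX (case-insensitive).
verify_digest() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# run_verified FILE EXPECTED_HEX
# Executes FILE with sh only after the digest check passes; on mismatch it
# refuses and leaves the file on disk for inspection.
run_verified() {
    if verify_digest "$1" "$2"; then
        sh "$1"
    else
        echo "digest mismatch for $1; refusing to run it" >&2
        return 1
    fi
}

# Usage (run as a normal user first; escalate only for the verified script):
#   fetch_script "$INSTALLER_URL" /tmp/install.sh
#   run_verified /tmp/install.sh "$EXPECTED_SHA256"
```

The digest has to come from somewhere other than the same unauthenticated HTTP site that served the script, otherwise whoever can swap the script can swap the digest too; a signed release announcement or a second, independently hosted channel is the usual answer.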

What is wrong with these people? Isn’t it blazingly obvious that this is a stupid thing to do?

I mean, you all know Microsoft blows… admit it!

Posted by Julian Dunn on June 12, 2003
Security, Windows

At work we’ve been trying out a wonderful tool from Dave Aitel of Immunity Security called SPIKE. I haven’t tried to actually use SPIKE to generate any DCE RPC calls that would actually cause a Windows box to detonate, but partly it’s because that’s not really my job; I don’t detect the vulnerabilities, I just reproduce them. Also I really don’t give two hoots about Windows and I really couldn’t be bothered to go out there, attach a debugger to something like lsass.exe and see what fails.

Still, SPIKE seems to be a great tool if that (deciphering obscure and complex protocols) is your cup of tea. I’ll spare you the lecture on how shitty Microsoft’s protocols are, except that if you ever analyze a conversation between a bunch of Windows boxes using something like Ethereal, you’ll see how there is very nearly a status flag for everything. Clearly, protocols like LSA over DCE-RPC over SMB over NetBIOS < !!!!> were never clearly thought out by anyone, and this is the result. I joked to a colleague that the only reason we need 100Mbps Ethernet is to carry around all this excess Microsoft baggage whenever Windows boxes need to talk to each other. Honestly, Windows boxes are just as chatty as Netware machines running IPX. All you really have to do is capture the traffic on a Microsoft LAN that’s destined to the broadcast address, and you can glean an incredible amount of information.

Go get SPIKE here and enjoy yourself. (Warning: We had problems compiling under GCC 3.x. Stick to 2.x for now; 2.95.3 seemed a good choice.)