How to enable Memory protection between different processes of one account?

Microsoft Applications Security

Posted by Jan Peter Stotz on April 30, 2006, 6:16 am
Hi.

A fact which is unknown to most Windows users is that Windows does not
enforce memory protection between different processes of one account. The
virtual address spaces of each process only prevent a process from
accidentally reading or altering memory of a different process. But there are
two API functions, ReadProcessMemory() and WriteProcessMemory(), which allow
reading and modifying the memory of any process which runs under the same account.
The interesting (or rather disturbing) thing about these two functions is that you
do not need administrative privileges to call them. Even a process started
as a restricted process can read/modify the memory of other restricted processes of
the same user!

Imagine: With these functions you can easily read passwords and other
secret information from other processes or even better modify the memory
and alter the content of windows, dialogs or any other displayed text.

Does anybody know a way to close this IMHO serious security problem of
Windows, which exists in all current Windows versions (95 to 2003)?

Jan

Posted by Alun Jones on May 1, 2006, 8:33 pm
Jan Peter Stotz wrote:
> Imagine: With these functions you can easily read passwords and other
> secret information from other processes or even better modify the
> memory and alter the content of windows, dialogs or any other
> displayed text.

Imagine: Without these functions, you could just as easily do the same, by a
number of different techniques.

> Does anybody know a way to close this IMHO serious security problem of
> windows, which exists in all current windows versions (95 to 2003)?

No. The fact is that there is not designed to be any security boundary
between processes running in the same user context, because they are assumed
to be under the control of the same user.

There is no problem here.

The security boundary you are looking for is before the user gets to run bad
code, not after. After the user has run bad code, that bad code has access
to anything the user has access to - with or without these functions.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.



Posted by Jan Peter Stotz on May 2, 2006, 2:09 pm
Alun Jones wrote:

> Jan Peter Stotz wrote:
>> Imagine: With these functions you can easily read passwords and other
>> secret information from other processes or even better modify the
>> memory and alter the content of windows, dialogs or any other
>> displayed text.
>
> Imagine: Without these functions, you could just as easily do the same, by a
> number of different techniques.

You arouse my curiosity. Which "different techniques" do you mean?

>> Does anybody know a way to close this IMHO serious security problem of
>> windows, which exists in all current windows versions (95 to 2003)?
>
> No. The fact is that there is not designed to be any security boundary
> between processes running in the same user context, because they are assumed
> to be under the control of the same user.

Hmm - Which user is really able to control what a process/program does,
when it is running?

> The security boundary you are looking for is before the user gets to run bad
> code, not after.

How do you decide what is bad code and what is good code? Windows is an
"open platform" - one of its main advantages is that you are not restricted
in any form in which Windows program you can run on your system. From such an
open system I expect it to protect the different programs from each other as
well as possible.

> After the user has run bad code, that bad code has access
> to anything the user has access to - with or without these functions.

My question is: Does a user really need raw access to a process's memory?

If you have a function which is usually not needed but can be used for
several attacks against other programs - why not disable it or make it only
accessible if the user has special privileges (as it is implemented for
other debugging-functions)?

Jan

Posted by Alun Jones on May 9, 2006, 7:58 pm
Jan Peter Stotz wrote:
> Alun Jones wrote:
>
>> Jan Peter Stotz wrote:
>>> Imagine: With these functions you can easily read passwords and
>>> other secret information from other processes or even better modify
>>> the memory and alter the content of windows, dialogs or any other
>>> displayed text.
>>
>> Imagine: Without these functions, you could just as easily do the
>> same, by a number of different techniques.
>
> You arouse my curiosity. Which "different techniques" do you mean?

Installing hooks into Windows, adding shell extensions.

The important thing to realise is that, by design, the user's security
context is the security barrier. Not the process.

>>> Does anybody know a way to close this IMHO serious security problem
>>> of windows, which exists in all current windows versions (95 to
>>> 2003)?
>>
>> No. The fact is that there is not designed to be any security
>> boundary between processes running in the same user context, because
>> they are assumed to be under the control of the same user.
>
> Hmm - Which user is really able to control what a process/program
> does, when it is running?

If that's your attitude, then give up, because you can't trust the OS
vendor, or the guys who wrote the apps you use.

>> After the user has run bad code, that bad code has access
>> to anything the user has access to - with or without these functions.
>
> My question is: Does a user really need raw access to the processes
> memory?

Sure - how else do you debug a process?

> If you have a function which is usually not needed but can be used for
> several attacks against other programs - why not disable it or make
> it only accessible if the user has special privileges (as it is
> implemented for other debugging-functions)?

The SeDebugPrivilege, if that's what you're describing, is for injecting
code and inspecting execution and data in processes _outside_ of your
security clearance.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
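The thread turns on two facts: ReadProcessMemory()/WriteProcessMemory() work between processes of the same user without any privilege, and crossing into another user's processes is what SeDebugPrivilege is for. From a defender's side the practical response is not to block the API but to watch for it. The following is an added example, not code from any of the posters: it triages constructed Sysmon-style ProcessAccess records (Event ID 10, with the SourceUser/TargetUser fields that newer Sysmon versions emit) and flags handle opens that carry the rights ReadProcessMemory and WriteProcessMemory require. The log format, host names, image paths and the allow-list of expected debuggers are all assumptions made up for the example; the PROCESS_* access-right values are the documented Win32 constants.

```python
"""Triage ProcessAccess records for cross-process memory access.

Added example for this thread; not code from the original posts. The record
format ('Key=Value|Key=Value' per line) and all paths/users are constructed.
"""

# Documented Win32 process access rights (winnt.h PROCESS_* constants).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0008, 0x0010, 0x0020

# ReadProcessMemory needs PROCESS_VM_READ on the handle;
# WriteProcessMemory needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION.
READ_MASK = PROCESS_VM_READ
WRITE_MASK = PROCESS_VM_WRITE | PROCESS_VM_OPERATION

# Constructed allow-list of tools expected to open other processes' memory
# on this host (a debugger, as Alun's post describes); tune per environment.
EXPECTED_SOURCES = {r"c:\tools\windbg.exe"}

# Constructed sample log: same-user reads/writes, a benign Task Manager
# query, an allow-listed debugger, a cross-user open and an unrelated event.
SAMPLE_LOG = r"""
EventID=10|SourceImage=C:\Users\jan\tools\readmem.exe|SourceUser=DESK\jan|TargetImage=C:\Program Files\Mail\mail.exe|TargetUser=DESK\jan|GrantedAccess=0x1410
EventID=10|SourceImage=C:\Windows\System32\taskmgr.exe|SourceUser=DESK\jan|TargetImage=C:\Program Files\Mail\mail.exe|TargetUser=DESK\jan|GrantedAccess=0x1400
EventID=10|SourceImage=C:\Users\jan\tools\patcher.exe|SourceUser=DESK\jan|TargetImage=C:\Windows\explorer.exe|TargetUser=DESK\jan|GrantedAccess=0x0038
EventID=10|SourceImage=C:\Tools\windbg.exe|SourceUser=DESK\jan|TargetImage=C:\Users\jan\app.exe|TargetUser=DESK\jan|GrantedAccess=0x1FFFFF
EventID=10|SourceImage=C:\Users\jan\tools\readmem.exe|SourceUser=DESK\jan|TargetImage=C:\Windows\System32\svchost.exe|TargetUser=NT AUTHORITY\SYSTEM|GrantedAccess=0x1010
EventID=1|Image=C:\Users\jan\tools\readmem.exe|User=DESK\jan
"""


def decode_access(mask):
    """Return the named PROCESS_* rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' record (constructed format) into a dict."""
    return dict(pair.split("=", 1) for pair in line.strip().split("|") if "=" in pair)


def classify(event):
    """Return (verdict, details) for one record.

    verdict is 'ignore', 'expected', 'same-user-memory-access' or
    'cross-user-memory-access'.
    """
    if event.get("EventID") != "10":
        return "ignore", {}
    mask = int(event["GrantedAccess"], 16)
    can_read = bool(mask & READ_MASK)
    can_write = (mask & WRITE_MASK) == WRITE_MASK
    details = {
        "source": event["SourceImage"],
        "target": event["TargetImage"],
        "rights": decode_access(mask),
        "read": can_read,
        "write": can_write,
    }
    if not (can_read or can_write):
        return "ignore", details          # e.g. Task Manager's query-only handle
    if event["SourceImage"].lower() in EXPECTED_SOURCES:
        return "expected", details
    if event["SourceUser"].lower() == event["TargetUser"].lower():
        # The case the thread is about: no privilege was needed for this open.
        return "same-user-memory-access", details
    # Crossing a user context needs SeDebugPrivilege (or a DACL granting it).
    return "cross-user-memory-access", details


def triage(log_text):
    """Classify every record and return the findings that are not ignored."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            verdict, details = classify(parse_event(line))
            if verdict != "ignore":
                findings.append((verdict, details))
    return findings


if __name__ == "__main__":
    for verdict, details in triage(SAMPLE_LOG):
        print(verdict, details["source"], "->", details["target"], details["rights"])
```

The write check requires both PROCESS_VM_WRITE and PROCESS_VM_OPERATION because WriteProcessMemory fails without the latter; a handle with only PROCESS_VM_WRITE is noise. The same-user branch is the one the thread argues about: on the platform's own terms it is not a privilege violation, so it cannot be blocked by an ACL a normal user controls, which is exactly why it is worth logging.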



Posted by Jan Peter Stotz on May 13, 2006, 5:24 am
Alun Jones wrote:

>>> Imagine: Without these functions, you could just as easily do the
>>> same, by a number of different techniques.
>>
>> You arouse my curiosity. Which "different techniques" do you mean?
>
> Installing hooks into Windows,

OK, that would be difficult without them.

> adding shell extensions.

Sorry, but on that point I do not agree. Shell extensions for the
Windows Explorer are DLLs which are loaded by Explorer. This means the
code runs in the same process environment as the Explorer data it
accesses, and therefore there is no need to access the memory via
ReadProcessMemory().

>> My question is: Does a user really need raw access to the processes
>> memory?
>
> Sure - how else do you debug a process?

As user? Never.
As Administrator with elevated privileges? As often as I want.

Jan
