XPracecondition.txt

Posted Apr 21, 2003
Authored by Matthew Murphy

A race condition exists in the Windows XP Service Control Manager service shutdown mechanism when a service does not complete its shutdown within the allotted time. Files the service has open can end up containing apparently random cached data, including the contents of files the service itself had no access to. Because some of these output files are readable by ordinary users, restricted data can be disclosed. Microsoft has not announced any plans to backport a fix but has said that the issue will be addressed in Windows Server 2003.

tags | advisory
systems | windows
SHA-256 | 41a02ad828c3ebc0dc61cce406afdab9e7375f885ee18abb77135abf5f1365c2

Race Condition in Windows XP Service Control Manager Service Shutdown
Mechanism

ABSTRACT

"The Windows XP Professional operating system is the best choice for
businesses of all sizes. Windows XP Professional integrates the strengths of
Windows 2000 Professional, such as standards-based security, manageability,
and reliability, with the best business features of Windows 98 and Windows
Millennium Edition, such as Plug and Play, simplified user interface, and
innovative support services. This combination creates the best desktop
operating system for business. Whether your business deploys Windows XP
Professional on a single computer or throughout a worldwide network, this
new operating system increases your computing power while lowering cost of
ownership for desktop computers."

(http://www.microsoft.com/windowsxp/pro/evaluation/features.asp)

"Windows XP Home Edition gives you the freedom to experience more than you
ever thought possible with your computer and the Internet. This is the
operating system home users have been waiting for-because it offers serious
speed and serious stability, so you can have serious fun."

(http://www.microsoft.com/windowsxp/home/evaluation/overviews/default.asp)

DESCRIPTION

"A service application conforms to the interface rules of the Service
Control Manager (SCM). It can be started automatically at system boot, by a
user through the Services control panel applet, or by an application that
uses the service functions. Services can execute even when no user is logged
on to the system."

(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/services.asp&hidetoc=true)

The Service Control Manager dispatches several notifications to service
applications, including notifications of imminent system shutdown. The SCM
reference page contains the following warning:

"The SERVICE_CONTROL_SHUTDOWN control code should only be processed by
services that must absolutely clean up during shutdown, because there is a
limited time (about 20 seconds) available for service shutdown. After this
time expires, system shutdown proceeds regardless of whether service
shutdown is complete. Note that if the system is left in the shutdown state
(not restarted or powered down), the service continues to run.

If the service needs more time to clean up, it should send STOP_PENDING
status messages, along with a wait hint, so the service controller knows how
long to wait before reporting to the system that service shutdown is
complete. However, to prevent a service from stopping shutdown, there is a
limit to how long the service controller will wait. To change this time
limit, modify the WaitToKillServiceTimeout value in the following registry
key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"

(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/services.asp&hidetoc=true)

During system shutdown, a race condition occurs if a service does not complete
its shutdown within the allotted time. Specifically, files the service has
open may end up with apparently random cached data written at the position of
the service's last file pointer for that file. In my tests, the cached data
included the contents of files that the service (running as
NT AUTHORITY\LocalService) did not have access to: files recently opened by
system administrators, each of which carried the following ACLs:

Read Administrators,SYSTEM
Write Administrators,SYSTEM
Execute Administrators,SYSTEM
Full Control Administrators,SYSTEM

The service I observed had the contents of some files in the Administrator's
home directory appended to its log data. This is an obvious security
violation, made worse by the fact that some of these files were readable by
Everyone. By closely monitoring the contents of known service output files
immediately after a system reboot, an unprivileged user may obtain sensitive
information.

ANALYSIS

This vulnerability requires several concurrent factors for successful
exploitation:

* Services with shutdown timing errors (found in a default install)
* Untrusted users with interactive accounts (IUSR_machinename; Terminal
sessions)
* Output files readable by low-privileged users (found in a default install)
* Cached files with sensitive system details (incidence varies)

WORKAROUND

There are several workarounds that can be implemented, at various levels, to
eliminate this exposure:

* Service developers

Verify that every service completes its shutdown within the SCM's time limit
and, where it cannot, have it report SERVICE_STOP_PENDING with a wait hint
(and an incrementing checkpoint) so that the SCM keeps waiting instead of
proceeding with shutdown while the service's files are still open.

* Perimeter security

As successful exploitation requires an interactive (or otherwise locally
privileged) account, the exposure can be limited by denying untrusted users
interactive or remote access to the host.

* NTFS ACLs

If the output files of known vulnerable services are protected from reading
by unprivileged users, any sensitive contents they pick up will not be
disclosed. For each such file, set the following ACL:

Read Administrators,SYSTEM
Write [LocalService|NetworkService,]Administrators,SYSTEM
Execute Administrators,SYSTEM
Full Control Administrators,SYSTEM

Systems that are not domain members may be set in a similar manner by
selecting the "Make This Folder Private" checkbox in the properties of any
folder containing potentially sensitive output.

* WaitToKillServiceTimeout Change

Set the service timeout to a larger interval to reduce the likelihood of a
timing error between services and the SCM where services are not being
allotted sufficient time to shut down. Note that this only helps if the
service properly reports STOP_PENDING notifications ahead of the timeout.
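The following is an added example and is not code from the advisory or from
Microsoft. It covers the third precondition from the ANALYSIS section (finding
service output files that low-privileged users can read) and the two
administrative workarounds above (the NTFS ACL from the table and the
WaitToKillServiceTimeout change). It assumes an elevated PowerShell session on
the affected host; the log directory, file name and service account used in
the usage lines are placeholders, as is the 60-second timeout.

```powershell
# Added example, not part of Matthew Murphy's advisory or of any Microsoft code.
# Assumptions: elevated (Administrators) PowerShell session; the paths and the
# service account in the usage section at the bottom are placeholders.

# Well-known identities whose Read access makes a file readable by low-privileged users.
$LowPrivIdentities = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Find-LowPrivReadable {
    # Lists files under $Path whose ACL grants ReadData (bit 1) to a low-privileged identity.
    param([Parameter(Mandatory=$true)][string]$Path)
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            $hits = (Get-Acl -Path $file.FullName).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $LowPrivIdentities -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights -band $readData) -ne 0)
            }
            if ($hits) {
                New-Object PSObject -Property @{
                    File       = $file.FullName
                    ReadableBy = (($hits | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
                }
            }
        }
}

function Protect-ServiceOutput {
    # Applies the ACL from the advisory's table: Administrators and SYSTEM get Full
    # Control, the service account may only write/append, inheritance is disabled,
    # and no other ACE (e.g. Everyone:Read) remains.
    param(
        [Parameter(Mandatory=$true)][string]$File,
        [string]$ServiceAccount = 'NT AUTHORITY\LocalService'   # or 'NT AUTHORITY\NetworkService'
    )
    $acl = Get-Acl -Path $File
    $acl.SetAccessRuleProtection($true, $false)     # protect: stop inheriting, discard inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)        # drop every explicit ACE before adding ours
    }
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($pair in @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($ServiceAccount,          'Write')        # WriteData|AppendData|attributes; no ReadData
    )) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($pair[0], $pair[1], $allow)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $File -AclObject $acl
}

function Set-ServiceShutdownTimeout {
    # Raises WaitToKillServiceTimeout (a REG_SZ holding milliseconds; about 20000 by default).
    param([int]$Milliseconds = 60000)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $before = (Get-ItemProperty -Path $key -Name WaitToKillServiceTimeout).WaitToKillServiceTimeout
    Set-ItemProperty -Path $key -Name WaitToKillServiceTimeout -Value ([string]$Milliseconds)
    "WaitToKillServiceTimeout: $before -> $Milliseconds ms"
}

# Usage (placeholder paths and account, assumed for this example):
Find-LowPrivReadable -Path "$env:SystemRoot\system32\LogFiles" | Format-Table File, ReadableBy -AutoSize
Protect-ServiceOutput -File "$env:SystemRoot\system32\LogFiles\example\service.log" -ServiceAccount 'NT AUTHORITY\LocalService'
Set-ServiceShutdownTimeout -Milliseconds 60000
```

Run the audit first and review its output before applying Protect-ServiceOutput
to anything, since the function replaces the file's entire ACL. The 'Write'
right matches the advisory's table exactly; a service that reopens its log
with read access as well will need Read added for its account. The registry
change takes effect at the next shutdown.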

VENDOR RESPONSE

Microsoft was contacted on March 14, 2003. This issue should be eliminated
in the upcoming release of Windows Server 2003. To my knowledge, there are
no plans to backport the fix, presumably due to architectural concerns.

Microsoft's official stance is that sites running mission-critical services
should run the appropriate server operating system (Windows 2000 Server,
Advanced Server, or Datacenter Server), as XP is not designed for these
environments.

© 2022 Packet Storm. All rights reserved.