That is a nice password you have, would be a shame if you installed this theme
-
-
@Dragoon Something about an airtight hatch...
-
@HardwareGeek
Not sure how airtight the hatch really is, since just installing the theme pack that pulls its wallpaper from an arbitrary URL will result in your NTLM hash being sent to that server (if the server is configured accordingly). Hard to say you opted into sending your credentials just because someone installed a themepack in your profile.
-
@izzion said in That is a nice password you have, would be a shame if you installed this theme:
Hard to say you opted into sending your credentials just because someone installed a themepack in your profile.
Certainly not knowingly, no. But presumably the someone who installed the theme was you, and anything you install is on the vulnerable side of the hatch, airtight or not.
-
Sounds like it is NTLM authentication.
Pass-the-Hash attacks are used to steal Windows login names and password hashes by tricking a user into accessing a remote SMB share that requires authentication.
When trying to access the remote resource, Windows will automatically try to login to the remote system by sending the Windows user's login name and an NTLM hash of their password.
In a Pass-the-Hash attack, the sent credentials are harvested by the attackers, who then attempt to dehash the password to access the visitors' login name and password.
In a test previously done by BleepingComputer, dehashing an easy password took approximately 4 seconds to crack!
-
@error said in That is a nice password you have, would be a shame if you installed this theme:
Sounds like it is NTLM authentication.
I'm pretty sure that's been discussed here previously. Windows will try to use the local machine/network credentials to log into a remote server, even when it's in a completely unrelated domain. Or something like that.
-
@error quoted in That is a nice password you have, would be a shame if you installed this theme:
Windows will automatically try to login to the remote system
That there is the wrong thing, the bit that is an absolute total fuck up of the worst kind.
-
@dkf said in That is a nice password you have, would be a shame if you installed this theme:
@error quoted in That is a nice password you have, would be a shame if you installed this theme:
Windows will automatically try to login to the remote system
That there is the wrong thing, the bit that is an absolute total fuck up of the worst kind.
It would be mitigated somewhat if it was a challenge-response system rather than the client giving a hash which can then be dictionary attacked.
Edit: or a Kerberos ticket
-
@dkf I should note that the issue is sending credentials for one security domain to another security domain. There's literally no reason why that should ever be done. If the client has stored credentials for a particular domain, sending them to that domain is fine. However, if the client can't determine if two domains are the same then it should assume that they are not. That is the safe option.
-
@error said in That is a nice password you have, would be a shame if you installed this theme:
It would be mitigated somewhat if it was a challenge-response system rather than the client giving a hash which can then be dictionary attacked.
There are many ways to mitigate it, but the core problem is giving the information to the attacker in the first place. Seriously. Whoever thought that this design was a good plan must've really been off their rocks on something best kept prescription-only.
-
@dkf said in That is a nice password you have, would be a shame if you installed this theme:
giving the information to the attacker in the first place.
That's what I mean, though. Sending the NTLM hash is tantamount to sending the password. WhyTF would you send that information when logging in to a remote system without a verified identity?
-
Wasn't there, a few years ago, an identical fuck-up with .scf files and Explorer fetching their icon the same way?
-
@Medinoc Wouldn't surprise me. The problem is that they didn't think “what was the security fuckup really?” and instead just patched over this special case. Or maybe they have a major customer somewhere that needs things broken in this way (in which case ).
-
@dkf said in That is a nice password you have, would be a shame if you installed this theme:
Or maybe they have a major customer somewhere that needs things broken in this way
Yes, that's exactly it. It's been explained before.
in which case
ITYM
-
Filed under: Oh damn someone found that old new thing again...
-
@HardwareGeek Yeah that's Windows' solution to everything. Require admin. Then we don't have to worry about designing secure systems, because we have the hatch™.
Guess what happens when everything requires admin. Everything gets admin. And when everything is on that side of the hatch, the hatch becomes useless.
Edit: funnily enough, this doesn't actually apply in this case... oh well, it's already written.
-
@Medinoc It was the same problem with the Zoom desktop application recently. You could click on a //servername/file link and it would open that link in explorer.exe, which would send the credentials to that server.
Obviously Zoom wasn't the problem there and themes aren't the problem here.
-
@dkf said in That is a nice password you have, would be a shame if you installed this theme:
There are many ways to mitigate it, but the core problem is giving the information to the attacker in the first place. Seriously. Whoever thought that this design was a good plan must've really been off their rocks on something best kept prescription-only.
-
@HardwareGeek said in That is a nice password you have, would be a shame if you installed this theme:
@Dragoon Something about an airtight hatch...
Where is that hatch?
This isn't one of these "you got tricked into running an arbitrary binary which then used a clever hack to run arbitrary code" situations.
The theme files in the article look like plain text ini files, and afaict you don't need special privileges to change wallpapers. So this feels rather like "if you open this XML file in IE you get owned" than anything involving actually requiring privileges to begin with.
-
@anonymous234 said in That is a nice password you have, would be a shame if you installed this theme:
Obviously Zoom wasn't the problem there and themes aren't the problem here.
The problem is that somewhere in the low level gunk under Explorer is a colossal in credential handling. The decision of which set of credentials (if any) to send to a specific server when calling it is rather important, and yet it keeps going wrong in this critical part of Microsoft's system. That indicates that they've done something very unwise.
If they've got clients who need this () then they should at least require those clients to do something special to work that way.
-
@error said in That is a nice password you have, would be a shame if you installed this theme:
@dkf said in That is a nice password you have, would be a shame if you installed this theme:
giving the information to the attacker in the first place.
That's what I mean, though. Sending the NTLM hash is tantamount to sending the password. WhyTF would you send that information when logging in to a remote system without a verified identity?
Historical reasons? It used to send a plaintext password if the server was using SMB1 only, but that's now off by default. You can still re-enable sending plain-text passwords to random SMB1 servers, if you like. I think it's a setting in the Registry.
-
@dkf said in That is a nice password you have, would be a shame if you installed this theme:
There are many ways to mitigate it, but the core problem is giving the information to the attacker in the first place. Seriously. Whoever thought that this design was a good plan must've really been off their rocks on something best kept prescription-only.
Don’t forget this comes from the same company that used to give all users admin privileges even on systems that could have them restricted; that thought automatically executing scripts in word processor documents, spreadsheets and even emails is a useful feature; that saw no problems in having a web browser be extensible from the server side with full system access on the client side; that let drives auto-run executable files immediately upon being mounted; etc. etc.
-
@Gurth They've got a nicely secure OS kernel, and brag about it. But userland on top is a catastrophe.
-
@dkf said in That is a nice password you have, would be a shame if you installed this theme:
@Gurth They've got a nicely secure OS kernel, and brag about it. But userland on top is a catastrophe.
The nicely secure OS kernel that renders all fonts? The one that's been patched at least six times against code execution by exploiting Adobe fonts? That secure kernel?
-
@acrow That's the puppy. Don't worry. The font renderer also needs the firewall operational…
-
@dkf said in That is a nice password you have, would be a shame if you installed this theme:
I should note that the issue is sending credentials for one security domain to another security domain. There's literally no reason why that should ever be done
Yes, quite.
Automatically attempting to log me in to secured servers on my company intranet using my Windows credentials is fine, and is really useful because it means I don't have to enter those credentials. That's clearly the use case that this behaviour is targeted at.
But automatically sending a credential set to a different domain is a massive . Even if I want SSO behaviour with that domain (which maybe I do - let's say my company uses Atlassian's cloud hosted services, it is nice if I can auto log in to that), the credentials will be different anyway. And I should have to whitelist domains where I want this to happen - if I accidentally click on a link to dubious-hax.ru I don't want my system to automatically try to log me in there.
-
@bobjanova said in That is a nice password you have, would be a shame if you installed this theme:
But automatically sending a credential set to a different domain is a massive . Even if I want SSO behaviour with that domain (which maybe I do - let's say my company uses Atlassian's cloud hosted services, it is nice if I can auto log in to that), the credentials will be different anyway. And I should have to whitelist domains where I want this to happen - if I accidentally click on a link to dubious-hax.ru I don't want my system to automatically try to log me in there.
Such whitelisting could even be done via the domain controllers. If you've got servers that are experts on what systems are in the domain, they bloody well ought to be able to answer the question “should I send my credentials to this other system?” (and you'd be able to cache the answer for a while, so the load wouldn't be too bad). On singleton systems, the current domain can only safely be the current computer. There can also be explicit credentials for other systems outside the domain, of course, but those would be not shared with other external systems: exact name match only.
It wouldn't stop people from doing moronic things (if the user decides to deliberately give their password to evilhax.ru that's not a tech fail, and if someone configures the domain controller badly that's their own damn fault) but it would at least not fuck things up at the first hurdle.
-
@acrow said in That is a nice password you have, would be a shame if you installed this theme:
@dkf said in That is a nice password you have, would be a shame if you installed this theme:
@Gurth They've got a nicely secure OS kernel, and brag about it. But userland on top is a catastrophe.
The nicely secure OS kernel that renders all fonts? The one that's been patched at least six times against code execution by exploiting Adobe fonts? That secure kernel?
That's not an OS problem; it's a C language problem. The same exploit would work on any OS using Adobe's code.
-
@Mason_Wheeler said in That is a nice password you have, would be a shame if you installed this theme:
@acrow said in That is a nice password you have, would be a shame if you installed this theme:
@dkf said in That is a nice password you have, would be a shame if you installed this theme:
@Gurth They've got a nicely secure OS kernel, and brag about it. But userland on top is a catastrophe.
The nicely secure OS kernel that renders all fonts? The one that's been patched at least six times against code execution by exploiting Adobe fonts? That secure kernel?
That's not an OS problem; it's a C language problem. The same exploit would work on any OS using Adobe's code.
It’s an OS problem that font rendering is in the kernel in the first place.
-
@topspin It's an engineering tradeoff. If you put it in user space, then every text operation needs to cross the userspace/kernel boundary, possibly multiple times, to get rendered, leading to potentially huge performance hits.
-
@Mason_Wheeler so is using C.
-
@Gurth said in That is a nice password you have, would be a shame if you installed this theme:
that thought automatically executing scripts in word processor documents, spreadsheets and even emails is a useful feature;
It is a useful feature. It's just also a dangerous feature like so many other useful features.
-
@boomzilla said in That is a nice password you have, would be a shame if you installed this theme:
@Gurth said in That is a nice password you have, would be a shame if you installed this theme:
that thought automatically executing scripts in word processor documents, spreadsheets and even emails is a useful feature;
It is a useful feature. It's just also a dangerous feature like so many other useful features.
It's also useful to people you'd prefer not be able to use it.
-
@HardwareGeek said in That is a nice password you have, would be a shame if you installed this theme:
@boomzilla said in That is a nice password you have, would be a shame if you installed this theme:
@Gurth said in That is a nice password you have, would be a shame if you installed this theme:
that thought automatically executing scripts in word processor documents, spreadsheets and even emails is a useful feature;
It is a useful feature. It's just also a dangerous feature like so many other useful features.
It's also useful to people you'd prefer not be able to use it.
Like my lawn!
-
@Mason_Wheeler said in That is a nice password you have, would be a shame if you installed this theme:
@topspin It's an engineering tradeoff. If you put it in user space, then every text operation needs to cross the userspace/kernel boundary, possibly multiple times, to get rendered, leading to potentially huge performance hits.
What I don't get is why font rendering has to cross the kernel boundary in the first place.
-
@Gąska This.
Even if you want to use hardware acceleration (which probably goes through a kernel-side driver at some point) ... we're somehow managing to live with the handful of syscalls that results in when rendering way more complex stuff at way higher frame rates.
-
@cvi said in That is a nice password you have, would be a shame if you installed this theme:
Even if you want to use hardware acceleration (which probably goes through a kernel-side driver at some point)
2001 called, they want their OS architecture back.
-
@Gąska ... why 2001 out of all possible years that you could pick?
-
@cvi because I know significantly more about internals of Windows than of any other OS.
-
@cvi said in That is a nice password you have, would be a shame if you installed this theme:
@Gąska ... why 2001 out of all possible years that you could pick?
Because he secretly thinks we should have had a space odyssey by now?
-
@Gąska Correct me if I'm wrong, but I thought kernel mode (graphics) drivers both predate Windows XP and are around still (in Windows)?
-
@cvi said in That is a nice password you have, would be a shame if you installed this theme:
@Gąska Correct me if I'm wrong, but I thought kernel mode (graphics) drivers both predate Windows XP
Duh. It's the most primitive approach right after having devices handled by the kernel core itself. I was referring to the last year it made sense.
and are around still?
Windows has had user-mode graphics drivers since Vista. A quick google indicates OSX has user-mode drivers too, although I didn't read far enough to know if it includes graphics or not. Either way, user-mode drivers have been around longer than 300Mbps Wi-Fi, so making an OS in 2020 with kernel-mode graphics drivers is as much of a WTF as getting stuck in a reboot loop because the wallpaper is bad.
-
@Gąska said in That is a nice password you have, would be a shame if you installed this theme:
Windows has user-mode graphics drivers since Vista.
I tried to briefly look it up, and all the WDDM documentation mentioned a kernel mode component in addition to the user mode stuff. I only briefly skimmed it, though. Which makes sense in my mind: you want to have as much as possible in user land, but to actually poke the hardware and so on, you need to go to kernel space.
-
@cvi I'm pretty sure not every HW operation needs to be kernel-mode. Memory mapping etc.
-
@Gąska Finally found the following:
There is indeed a large user-mode driver as you say. But if I read the above correctly, actually submitting commands to the hardware incurs a transition to kernel mode ("Submitting the Command Buffer to Kernel Mode" and "Submitting the DMA Buffer to Hardware").
Commands are batched aggressively into command buffers in user-mode, but the actual submission of those results in the handful of syscalls that I mentioned originally.
(There's also a whole mess of protected surfaces and so on in the various APIs, which sound a lot like kernel-orchestrated resources. Having them freely pokeable from userland would defeat much of their DRMy purposefulness.)
-
@cvi fair enough. I thought it allows direct interfacing with the device in user mode, but it yet again turns out to be only 0.00000000000000000000000000001% as useful as Microsoft promised.
Also, I yet again didn't bother to check the context of the discussion and got a very wrong idea from it. I thought it was about the recent iPhone reboot loop problem caused by an uncaught exception in some GUI routine.
-
@Gąska Well, regardless of context, we seem to agree on that doing general-purpose font rendering in kernel mode is dumb and unnecessary. Which is good enough for me.
-
@Gąska said in That is a nice password you have, would be a shame if you installed this theme:
@Mason_Wheeler said in That is a nice password you have, would be a shame if you installed this theme:
@topspin It's an engineering tradeoff. If you put it in user space, then every text operation needs to cross the userspace/kernel boundary, possibly multiple times, to get rendered, leading to potentially huge performance hits.
What I don't get is why font rendering has to cross the kernel boundary in the first place.
Sub-pixel font rendering. Apparently whoever built that part of Windows couldn't figure how to pass the necessary information back to userland.
-
@acrow Actually, let me correct myself:
Microsoft wanted to get sub-pixel font rendering, but was painfully aware that they were about to enter the cellphone market, where the screen may get turned any which way. Leaving the sub-pixel stuff in userland risked idiots hard-coding the color order as horizontal RGB. This would have produced catastrophic results on font quality on a turned cellphone screen. So their answer was to provide sub-pixel rendering as part of the kernel, where they could guarantee that the display orientation would always be handled correctly. So there is an actual reason for it. Any performance gains from it were likely a welcome bonus.
And now I'm left wondering: If I had 2 screens, with one turned 90 degrees, and then move a window so that a text field spans them both, would it still sub-pixel-render it correctly on both? I'd try myself, but my screens at work are kind of hard to turn, so .
-
@acrow said in That is a nice password you have, would be a shame if you installed this theme:
So their answer was to provide sub-pixel rendering as part of the kernel, where they could guarantee that the display orientation would always be handled correctly.
Obviously the solution to that is to have sub-pixel rendering provided by OS, as nobody in their right mind would want to ship their own font rendering engine, without sticking it in the kernel.