
Hot Potato – Windows Privilege Escalation - mmastrac
http://foxglovesecurity.com/2016/01/16/hot-potato/
======
antmldr
My jaw kind of hit the floor after reading Google Security Research's issue
222; very glad someone has built a simplified PoC. With any luck this will get
some kind of response out of MS.

------
userbinator
Is the summary basically "turn off WPAD and this won't work?" Because that's
not hard to do:

[http://stackoverflow.com/questions/15029615/how-to-turn-off-...](http://stackoverflow.com/questions/15029615/how-to-turn-off-disable-web-proxy-auto-discovery-wpad-in-windows-server-2008/25366609)
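
An added audit script, not part of the thread or the linked article, that reports the state of the WPAD-related settings the "turn off WPAD" mitigation targets. It assumes an elevated PowerShell session on a modern Windows host; the registry paths and the flag byte in `DefaultConnectionSettings` are taken from the documented WinINET layout, and `Get-NetTCPConnection` requires Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the article or the thread): audit a Windows host for
# the WPAD proxy auto-detection paths that the "disable WPAD" mitigation covers.
# Assumptions: elevated session; registry layout as documented for WinINET.

function Get-WpadStatus {
    $result = [ordered]@{}

    # 1. WinHTTP Web Proxy Auto-Discovery service (used by system components).
    #    Start=4 in the service key means 'Disabled'.
    $svc   = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' `
              -ErrorAction SilentlyContinue).Start
    $result.WinHttpAutoProxySvcState    = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
    $result.WinHttpAutoProxySvcDisabled = ($start -eq 4)

    # 2. Per-user WinINET setting behind "Automatically detect settings".
    #    Byte 8 of DefaultConnectionSettings is a flag field; 0x08 = auto-detect on.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $dcs = (Get-ItemProperty $key -ErrorAction SilentlyContinue).DefaultConnectionSettings
    $result.UserAutoDetectEnabled = if ($dcs -and $dcs.Length -gt 8) {
        [bool]($dcs[8] -band 0x08)
    } else { $null }

    # 3. hosts-file pin for the 'wpad' name, a common belt-and-braces mitigation
    #    that keeps the name from being resolved via DNS/NetBIOS at all.
    $hosts  = "$env:SystemRoot\System32\drivers\etc\hosts"
    $pinned = $false
    if (Test-Path $hosts) {
        $pinned = [bool](Get-Content $hosts | Where-Object { $_ -match '^\s*\S+\s+wpad(\s|$)' })
    }
    $result.WpadPinnedInHosts = $pinned

    # 4. Anything already listening on TCP 80 locally; the PoC needs 127.0.0.1:80.
    $listeners = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
    $result.LocalPort80Listeners = @($listeners | ForEach-Object {
        "$($_.LocalAddress):$($_.LocalPort) pid=$($_.OwningProcess)"
    })

    [pscustomobject]$result
}

Get-WpadStatus | Format-List
```

The script only reads state. A host is in the mitigated configuration when `WinHttpAutoProxySvcDisabled` is true, `UserAutoDetectEnabled` is false for every interactive user, and (optionally) `WpadPinnedInHosts` is true; a non-empty `LocalPort80Listeners` list is worth explaining, since a legitimate web server there is expected but an unexpected loopback listener is not.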

------
jevinskie
Running a server on port 80 (< 1024) doesn't require any elevated privileges
on Windows?

~~~
userbinator
This exploit doesn't depend on that; 80 might as well be 8000 or 8080 (common
proxy port) or anything else. Observe that the proxy port can be specified:

    // PAC file: every URL is sent through the proxy at the given host:port
    function FindProxyForURL(url, host) {
        return "PROXY 127.0.0.1:80";
    }

~~~
CyberShadow
Don't you still need to run the WPAD "server" on port 80?

~~~
breen-machine
Yup. That's why it needs to run on port 80.

I don't think Windows Firewall lets you listen on *:80, but localhost:80 is
just fine.

------
echochar
Many times I see commenters on HN making statements to the effect of "users
cannot run their own servers" and spurring a "debate" in the context of
someone trying to innovate away from the current asymmetric, client-server,
"calf-cow" internet.

I saw one such comment earlier today.

Thought experiment:

What about exploits like this one, among so many others over the years, in
Microsoft Windows?

In many cases it sure looks like the user is "running a server".

There is a port open and listening, waiting for connections. And some remote
client can connect and issue commands.

~~~
digi_owl
> Many times I see commenters on HN making statements to the effect of "users
> cannot run their own servers" and spurring a "debate" in the context of
> someone trying to innovate away from the current asymmetric, client-server,
> "calf-cow" internet.

What that is about is that most consumer level internet connections do not
have a fixed IP address. Thus you can't (easily) aim a DNS reference at it etc.

~~~
echochar
Understood. However try to reconcile this with the thought experiment I gave
above. You would be saying that these Windows exploits would not work because
users have IP addresses that are changing too frequently. Is it possible that
_in practice_ many "dynamic" IP addresses are actually quite static (i.e.,
remaining the same for months or longer)? In _theory_ they could change by the
day or week.

~~~
digi_owl
Well most attacks just use such a "server" for the initial attack, afterwards
they set up something that makes outbound connections to a "command center" or
similar.

~~~
echochar
Yes. But the server capability is always there. It can be launched again any
time the attacker needs it.

~~~
digi_owl
In technical terms any computer can be a server. Just look at the BBSs that
were run out of C64s and similar back in the day.

But a server that can't be reliably reached is a useless server.

And the BBSs worked back in the day because dialing the same number days,
weeks, even months in between would lead you to the same BBS if the computer
was still running.

A domestic internet connection is simply not reliable enough for that. Yes, if
nothing happens electrically at either the customer or ISP end the IP will
remain for some time. But have a power failure and it is likely that the IP
will be reassigned. And that random aspect, that sometimes you can retain the
address for months, and other times get it changed within hours, does not help.

~~~
echochar
I agree firewalls and NAT are a nuisance, and today's internet is not one iota
as cool as the BBS days. The nuisances introduced by "ISPs" have hindered but
in the long run have not stopped reliable peer to peer internet. I will not
name the commonly known examples lest it divert the conversation.

There are a variety of workarounds for dealing with firewalls and NAT, and
after years of using them "experimentally", I can attest that they work
reliably, at least for me. Some of them are well-known, some of them are
commonly used, others are not.

If IP addresses assigned to so-called "reliably reached" servers were as
static as you imply in practice, there would be little need for a mechanism
like DNS. (And I'm not saying there is, just pointing out that there are a lot
of folks who believe IP addresses must be able to change without notice.)

In my experience, domestic internet connections with "dynamic" IP addresses
are "reliable enough" to do some "useful" things besides simply partaking in
the "calf-cow" web.

