And can all be taken down by a common spelling error

May 29, 2007 14:25 GMT

Microsoft's latest operating system, touted high and low by the company as its most secure Windows platform, can be taken down by nothing more than a spelling error. A potential attacker could completely own your copy of Vista simply because you got your keys mixed up. And Windows Vista is not the only operating system susceptible to this type of attack: UNIX and Linux platforms are equally vulnerable. The exploit described by Ron Bowes, Symantec Security Response Researcher, involves bypassing User Account Control in Windows Vista and the account limitations of Unix-based operating systems. An attacker could take advantage of the concept of user separation and use both UAC in Vista and sudo (super user do) in UNIX to run malicious code with administrative privileges.

"Sudo is similar to UAC in that it allows users to easily run programs with elevated privileges. If a user runs a malicious program with a regular account, the program cannot install in a system-wide directory. On a typical UNIX-based operating system, user-level programs can write to the user's home folder, the temporary files directory, and a couple other safe places. A malicious program run this way cannot affect other users or the system as a whole. However, if sudo is used to run this malicious program, the program can make system-wide changes because it has root access. If a user can be tricked into running a malicious program, the system can easily become fully compromised," Bowes explained.

UAC in Vista functions in much the same manner as sudo. While it restricts all accounts, tasks and applications to standard user privileges, UAC also offers a streamlined way to elevate those privileges. The attack scenario is simple. An attacker serves the victim a Trojan horse that writes itself to the UAC-controlled area of the operating system without generating an elevation-of-privileges prompt. Instead of asking for elevation, it creates a bogus program that resembles a legitimate application or task but carries a misspelled name, and waits for the user to make that typo.

"The simplest way to get around sudo's protection is to take advantage of a common mistake: spelling errors. Even though 'sudo mount' will never check the current directory, 'sudo moutn' will, and I can't even count the number of times I've typed that. A piece of malware can name itself 'moutn' and hide in the user's home directory, hoping to take advantage of a spelling mistake before being discovered. The number of possible names is endless, but some others that I commonly use are 'ifcofnig,' 'tcpdmup,' and, for Windows users, 'ipconfig' or 'tracert,'" Bowes added.
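As an added illustration (not from the article or from Symantec), here is a small Python audit that checks for the two things the typo trick relies on: a PATH entry that is searched relative to the current directory, and files in a user-writable directory whose names are one keystroke away from a command an administrator types under sudo. The command list and the sample home-directory listing are constructed assumptions.

```python
"""Audit for the sudo typo-squatting risk described in the article:
flag PATH entries searched relative to the cwd, and file names in a
user-writable directory that imitate an admin command by one edit."""

# Constructed list of commands commonly typed under sudo (assumption).
ADMIN_COMMANDS = ["mount", "ifconfig", "tcpdump", "traceroute", "iptables"]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: a transposition of adjacent
    characters counts as one edit, so 'moutn' is 1 away from 'mount'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def risky_path_entries(path_value: str) -> list:
    """PATH entries that resolve relative to the cwd: '.', an empty field
    (for example a trailing ':') or any non-absolute directory."""
    return [e for e in path_value.split(":") if not e.startswith("/")]


def lookalike_executables(names, commands=ADMIN_COMMANDS, max_dist=1) -> list:
    """(file name, command it imitates) for every name that is within
    max_dist edits of an admin command but is not the command itself."""
    return [(n, c) for n in names for c in commands
            if n != c and edit_distance(n, c) <= max_dist]


if __name__ == "__main__":
    # Constructed sample: a PATH containing '.' and a home directory listing.
    sample_path = ".:/usr/local/bin:/usr/bin:/bin:"
    sample_home = ["moutn", "ifcofnig", "notes.txt", "mount", "tcpdmup", "ipconfig"]
    for entry in risky_path_entries(sample_path):
        print(f"PATH entry searched relative to cwd: {entry!r}")
    for name, cmd in lookalike_executables(sample_home):
        print(f"{name} looks like a misspelling of {cmd}")
```

With max_dist=1 the audit catches the transposed names from the quote but not 'tracert', which is three edits from 'traceroute'; raise the threshold with care, since a looser match produces more false positives.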