If users can shut down the machine, it’s not a security hole if they can shut down the machine


One great way to come up with a dubious security vulnerability is to take something completely innocuous and wrap it inside layer upon layer of obfuscation, and then you proclaim that the obfuscation is the vulnerability. Here's an example based on an actual dubious vulnerability report:

Title: Native NT application can shut down computer

Description: I have written this native NT application which bypasses the Win32 layer and talks directly to the low-level native NT functions. By calling various native NT functions, I can cause a dialog box to appear which includes a Shut Down button that shuts down the computer if the user clicks on it.

Well, sure, you can go through all that to shut down the computer. Or you can save yourself all the hassle and just call ExitWindowsEx. You see, that dialog box you found includes a "Shut Down" button only if the user that ran it has permission to shut down the computer in the first place.

It is not a security vulnerability that users with permission to shut down the computer can shut down the computer.

This is another example of people getting excited that they were able to do something unusual. But just because you can do something unusual doesn't mean that you've found a security vulnerability.
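An added example, not code from the original post: a PowerShell audit of who actually holds the "Shut down the system" user right (SeShutdownPrivilege), which is what gates both the dialog's Shut Down button and ExitWindowsEx. It assumes a Windows host with the built-in secedit.exe and whoami.exe, and an elevated prompt for the policy export; the temporary file name is my own choice.

```powershell
# Added example, not code from the original post.
# Lists who holds the "Shut down the system" user right (SeShutdownPrivilege),
# which gates both the dialog's Shut Down button and ExitWindowsEx.
# Assumes: Windows, built-in secedit.exe/whoami.exe, elevated prompt for the export.

# 1. Does the current token carry the privilege at all?
$privLines = @(whoami /priv) -match '^SeShutdownPrivilege\s'
"Current token holds SeShutdownPrivilege: $($privLines.Count -gt 0)"

# 2. Which principals does local security policy grant it to?
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'   # temp file name is arbitrary
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeShutdownPrivilege*' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    "SeShutdownPrivilege is not assigned to anyone in local policy"
    return
}

# Export format: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,...
# Entries prefixed with '*' are SIDs; anything else is already an account name.
$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "$entry (unresolved SID)"   # e.g. a deleted or domain-only account
        }
    } else {
        $name = $entry
    }
    "  granted to: $name"
}
```

On a default workstation the right is granted to Administrators, Users and Backup Operators, which is exactly why an ordinary interactive user sees the Shut Down button.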

Comments (17)
  1. Reena Agrawal says:

    What a security issue.. ROFL.. :D

  2. mvadu says:

    Back in India, our machines were in a secured area, with a lot of concerns about data security. All users were non-admin users, all USB ports were disabled, the BIOS was password locked, and the actual PC case was sealed with a steel cable. When some hardware failed, our vendor team used to cut the cable (not unlock it).

    One of the security audits went like this..

    Q. What if the user breaches BIOS?

    A. BIOS is password protected

    Q. What if they open the case and reset BIOS?

    A. The case is protected by a steel cable, and you need a big cutter to cut it

    Q. The auditor asked the PC Maintenance team member (admin) to log in as a sys admin

    And plugs in a USB drive.. Wow.. it works.. See.. your security is broken.. Anyone can use a USB drive..

    A. Admin member: No.. But all users are non-admin members.. Mass data mode of USB is denied for them…

  3. SuperKoko says:

    @mvadu:

    In my university, computers are strangely secured… We (students) have the needed rights to reboot the computer. There’s a BIOS password but anybody can type F12 at boot time to display a boot menu and boot on CD-ROM, USB stick or floppy disk.

    On the other hand, we’ve (poorly administered) non-admin accounts with a few ridiculous group policy settings (e.g. we cannot change the Start menu style through the Windows Explorer interface). I’m not sure why anybody would set up such a group policy.

  4. SM says:

    I always love to read these "other side of the airtight hatch" security articles.  

    Raymond Chen. Keeping us safe from false vulnerabilities, one-at-a-time! No amateur fly-by-night wannabe security guru is safe!

  5. Yuhong Bao says:

    It is not a security hole to allow shutting down the machine if they can just unplug the power.

  6. DriverDude says:

    "In one of the security audits went like this..

    Q. What if the user breaches BIOS?

    A. BIOS is password protected"

    What about backdoor BIOS passwords?

    Some older BIOS had well-known backdoors.

  7. hito says:

    A person who could write a native NT program and knew how to call undocumented APIs actually thought this was a vulnerability?

  8. Poochner says:

    @hito:  Sometimes smart and stupid are just opposite sides of the same coin.

  9. mvadu says:

    "Some older BIOS had well-known backdoors."

    I know.. but the actual conversation was like "What if the user opens the case to remove the BIOS battery to reset the BIOS?" so the answer was pointing to the steel cable.

    Btw the machines in question were HP Pentium D machines with “Ready for Vista” labels. And in XP, I am not sure if a regular user will be able to run an exe which will screw up BIOS data and force it to load defaults when it is rebooted.

  10. George says:

    Ya know… I’ve always kinda thought that the whole "Ex" suffix was a little unextensible.  Especially if you consider what happens when you alter the camel-casing a little bit and you get methods like ExitWindowSex which the 12-year-old boy in me just can’t help giggling about.

  11. anonymous says:

    OK, what about that: When loading SMSS as a native application and then killing the process, the system will do a shutdown without even bothering to kill any process and BSOD before completion.

  12. f0dder says:

    "Especially if you consider what happens when you alter the camel-casing a little bit and you get methods like ExitWindowSex which the 12-year-old boy in me just can’t help giggling about."

    I’ve seen a few posts on programming related message boards where people couldn’t for the life of them understand why their programs failed to compile/assemble… because of this very case bug.

  13. DriverDude says:

    "This is another example of people getting excited that they were able to do something unusual."

    I’m sure the Security team receives a lot of bogus reports like this. And I’m sure that e-mail alias receives a lot of spam too.

    I wonder how that affects the team’s ability to respond to *real* security issues….

  14. Md says:

    @SuperKoko: In mine in theory it can’t be done. BIOS are password protected and so on. But asking the BIOS to update itself and sending it to a wrong floppy and then not providing anyone presents you a "Where do you want to boot from?" window.

  15. nksingh says:

    @anonymous:

    Do non-admin users have access to the smss process in order to kill it?

  16. quux says:

    I once had to look up RegisterClassEx at school but the admins forbade URLs with "sex" in them!

    Btw, if I type "shutdown -f -s" in cmd, Windows will shut down after 30 secs, I must be affected by this vulnerability too! ;)))
