Batch - Taskkill.exe (Bug or not)
I prefer to work with the vendor but haven't really received a response from MS, positive or negative. It's not a security vuln. and I find it pretty much okay to disclose this right now. I have pasted the email chain below. Please let me know if any extra information might be required. Thanks. -------------------------------------------------- From: "51l3n73y3s" <xxxxx[concealed]@live.in> Sent: Monday, September 14, 2009 6:24 PM To: "Microsoft Security Response Center" <xxxxx[concealed]@microsoft.com> Subject: Re: Taskkill.exe Bug > Hi Nate, > > I haven't received a response from the product team so far. > > Just want to make sure that it's fine with MS for me to make this > information public. Thanks. > > Regards, Sandeep > > -------------------------------------------------- > From: "51l3n73y3s" <xxxxx[concealed]@live.in> > Sent: Saturday, August 29, 2009 7:38 AM > To: "Microsoft Security Response Center" <xxxxx[concealed]@microsoft.com> > Subject: Re: Taskkill.exe Bug > >> Thank you Nate, Much appreciated. >> >> Regards, Sandeep >> -------------------------------------------------- >> From: "Microsoft Security Response Center" <xxxxx[concealed]@microsoft.com> >> Sent: Saturday, August 29, 2009 4:40 AM >> To: "'51l3n73y3s'" <xxxxx[concealed]@live.in> >> Cc: "Microsoft Security Response Center" <xxxxx[concealed]@microsoft.com> >> Subject: RE: Taskkill.exe Bug >> >>> Hi Sandeep, >>> >>> Thank you for the additional information. In re-reviewing this we still >>> do not see that this is a security vulnerability. It appears that there >>> may be a bug in msiexec that is triggered when adding specific commands >>> when installing/ un-installing a program. >>> >>> I am going to pass this directly to the product team for consideration as >>> a non-security bug. They may contact you directly if they need more >>> information. >>> >>> Best Regards, >>> Nate >>> >>> -----Original Message----- >>> From: 51l3n73y3s [mailto:xxxxx[concealed]@live.in] >>> Sent: Friday, August 28, 2009 2:58 PM >>> To: Microsoft Security Response Center >>> Cc: Microsoft Security Response Center >>> Subject: Re: Taskkill.exe Bug >>> >>> Hi Nate, >>> >>> Thanks for the response. >>> >>> Symantec is for the demonstration purpose as this is how I hit it. >>> >>> As I said before "This bug is only used for the demonstration purpose and >>> irrelevant to the core of the report." >>> >>> It's not dependant on Symantec (or Sygate) and is used for the POC >>> purpose only, It would behave the same for any process of the same >>> nature. Please let me know if additional information is required. >>> >>> Regards, Sandeep >>> -------------------------------------------------- >>> From: "Microsoft Security Response Center" <xxxxx[concealed]@microsoft.com> >>> Sent: Saturday, August 29, 2009 2:19 AM >>> To: "'51l3n73y3s'" <xxxxx[concealed]@live.in> >>> Cc: "Microsoft Security Response Center" <xxxxx[concealed]@microsoft.com> >>> Subject: RE: Taskkill.exe Bug >>> >>>> Hello Sandeep, >>>> >>>> Thank you for your message. This does not appear to be a security >>>> vulnerability. From your report it appears that the uninstall routine >>>> is not completely uninstalling the Symantec Protection Agent. Issues >>>> that result from third party software not working properly are not >>>> something that we will open a case on. >>>> >>>> I would however encourage you to send this information directly to >>>> Symantec. If the installed component were Microsoft software then we >>>> would look into this as a bug. >>>> >>>> Best Regards, >>>> Nate >>>> >>>> -----Original Message----- >>>> From: 51l3n73y3s [mailto:xxxxx[concealed]@live.in] >>>> Sent: Friday, August 28, 2009 7:02 AM >>>> To: Microsoft Security Response Center >>>> Subject: Taskkill.exe Bug >>>> >>>> Hello MS Secure Team, >>>> >>>> >>>> >>>> Please find the bug discovered with "taskkill.exe" as follows: >>>> >>>> >>>> >>>> ________________________________ >>>> >>>> Issue: Abnormal behavior with taskkill.exe >>>> >>>> >>>> >>>> Type: Special query Formation for taskkill.exe >>>> >>>> >>>> >>>> POC available (Yes\No): Yes >>>> >>>> >>>> >>>> Product(s) affected: "C:\Windows\System32\taskkill.exe" >>>> >>>> >>>> >>>> Versions affected: Tested on 5.1.2600.0 >>>> >>>> >>>> >>>> OS Name: Microsoft Windows XP Professional, Version 2002, Service Pack >>>> 2 >>>> >>>> >>>> >>>> Vendor Name: Microsoft Corporation >>>> >>>> >>>> >>>> Vendor Supported (Yes\No): Yes >>>> >>>> >>>> >>>> POC: Based on well known exploit for Sygate, probably Symantec has >>>> also >>>> inherited the bug with SEP >>>> (https://www-secure.symantec.com/connect/forums/endpoint-removal-witho >>>> ut-any-password ). This bug is only used for the demonstration >>>> purpose and irrelevant to the core of the report. >>>> >>>> >>>> >>>> 1) Install Symantec Protection Agent (5.x, 4.x) as a managed >>>> client. >>>> >>>> >>>> >>>> 2) Edit the policy to include the password to uninstall the client. >>>> >>>> >>>> >>>> 3) Ensure that the policy is updated.(It should ask for password >>>> during the uninstall routine) >>>> >>>> >>>> >>>> 4) Uninstall the client interactively and locally. >>>> >>>> >>>> >>>> 5) There should be two instances of Msiexec.exe, one under the LSA >>>> and the other under the currently logged on user account. The user >>>> account process is the child process for the LSA account msiexec.exe >>>> >>>> >>>> >>>> 6) Kill the msiexec.exe which is running under the user account >>>> using >>>> the taskmgr.exe. The uninstall routine will continue. >>>> >>>> >>>> >>>> 7) Kill the password window misexec.exe with the following >>>> switches, >>>> for verification. >>>> >>>> >>>> >>>> >>>> >>>> a) TASKKILL /F /FI "username eq User_Name" /IM msiexec.exe >>>> >>>> *Where User_Name is the currently logged on user. >>>> >>>> >>>> >>>> b) TASKKILL /PID "%P_ID%" /F >>>> >>>> *Where P_ID is the "Process Identifier" for the password process. >>>> >>>> >>>> >>>> c) TASKKILL /F /FI "windowtitle eq Uninstall Password" >>>> >>>> *Where "Uninstall Password" is the title of the window which prompts >>>> the user for the password. >>>> >>>> >>>> >>>> 8) In 7. c) Above the process for msiexec.exe (for password) will >>>> be >>>> killed but the uninstall will not continue, with the LSA account >>>> msiexec.exe consuming 00 CPU and no fluctuation in memory. >>>> >>>> >>>> >>>> >>>> >>>> Behavior: Unexpected results with the switch choice for taskkill.exe >>>> as stated in POC 8) above. >>>> >>>> >>>> >>>> Expected behavior: The behavior should be irrespective of the switches >>>> being used for terminating a process and should be dependant only on >>>> the process termination result. >>>> >>>> >>>> >>>> Cause: Unknown >>>> >>>> >>>> >>>> ________________________________ >>>> >>>> >>>> >>>> Thanking you. >>>> >>>> >>>> >>>> Regards, Sandeep >>>> >>>> >>> >>>
September 15th, 2009 10:56pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics