January 31, 2004

WSH: The demon of the dark

Recently Peter posted a good comment about how the Windows Script Host (WSH) is not actually riddled with vulnerabilities, even though it's one of the FBI's Top 10 Windows Vulnerabilities. He has a good point there. However, I do understand why it's a nasty beast that is on the list. Combined with things like alternate data streams (ADS)... you can wreak HAVOC on a system that has scripting turned on (which it is by default on most Windows installations), and in many cases HIDE malicious code from even being detected.

If you are new to ADS, consider reading my previous post on The Dark Side of NTFS (Microsoft’s Scarlet Letter). The very fact that you can hide malicious code in a stream which most anti-virus and IDS/IPS tools will miss astounds me even to this day. Once more virogens figure this out... we will have a new attack vector to fight with.

Peter also brought up a great point, though, on how to stop scripts that are not signed. And that is to use Software Restriction Policies (SRP). One caveat is you must be running WSH 5.6 I believe, which means you will need to be running at least Windows XP. (I may be wrong here). If you want to look at this method, consider reading this article on WSH on how to deal with this.

If you don't want to use SRP, there are some registry keys you can set. Under either HKLM or HKCU, take a look at the \Software\Microsoft\Windows Script Host key. Four values are relevant here: Enabled, TrustPolicy, UseWINSAFER, and IgnoreUserSettings. Here are their effects:
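An added example, not code from the original post: a PowerShell audit that reads the four values from both hives and flags weak machine-wide settings. The `Settings` subkey and the value meanings given in the comments are assumptions of this example, not taken from the post.

```powershell
# Added example: audit the four WSH policy values the post names, in both hives.
# Assumption: the values are stored in the "Settings" subkey of that key.
$subKey = 'Software\Microsoft\Windows Script Host\Settings'
$names  = 'Enabled', 'TrustPolicy', 'UseWINSAFER', 'IgnoreUserSettings'

function Get-WshValue {
    param([string]$Hive, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path "${Hive}:\$subKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return "$($item.$Name)"   # stringify so REG_SZ "0" and REG_DWORD 0 compare alike
}

# Collect every value from both hives into one table.
$report = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($name in $names) {
        [pscustomobject]@{ Hive = $hive; Name = $name; Value = Get-WshValue $hive $name }
    }
}
$report | Format-Table -AutoSize

function Test-WshValue {
    param([string]$Hive, [string]$Name, [string]$Expected)
    $row = $report | Where-Object { $_.Hive -eq $Hive -and $_.Name -eq $Name }
    return ($row.Value -eq $Expected)
}

# Findings. The meanings below are assumptions of this example, not from the post:
#   Enabled = 0             WSH refuses to run scripts
#   TrustPolicy = 2         only signed, trusted scripts run (1 prompts, 0 runs everything)
#   UseWINSAFER = 1         SRP decides and TrustPolicy is ignored
#   IgnoreUserSettings = 1  (HKLM) per-user HKCU values are ignored
$findings = @()
if (-not (Test-WshValue HKLM Enabled 0)) {
    $findings += 'WSH is not disabled machine-wide (HKLM Enabled is not 0).'
}
if (-not (Test-WshValue HKLM TrustPolicy 2) -and -not (Test-WshValue HKLM UseWINSAFER 1)) {
    $findings += 'Neither signed-only TrustPolicy nor SRP enforcement is set in HKLM.'
}
if (-not (Test-WshValue HKLM IgnoreUserSettings 1) -and
    ($report | Where-Object { $_.Hive -eq 'HKCU' -and $null -ne $_.Value })) {
    $findings += 'HKCU values are present and HKLM does not set IgnoreUserSettings.'
}
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The findings describe only what is explicitly set in the registry; absent values fall back to the platform defaults for that Windows version.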
It is sad that most of this is hidden away and unknown to most users. It is sadder still that these "new features" are not turned off by default, which would reduce the attack surface of the platform. (Although as I have said before, Windows Server 2003 made a stronger effort in reducing the surface significantly.) As Microsoft continues to work on this, hopefully the future will reduce the potential threats that can occur from such software, and move tools such as WSH off the FBI's top 10 list.

Thanks for pointing out SRP, Peter.

Posted by SilverStr at January 31, 2004 11:24 PM

Comments
Great article Dana! eTrust Anti-virus from Computer Associates will virus check alternate streams, although the feature is off by default (?!?). Thanks for posting this -- I'll probably expand upon this in a future blog entry. If I recall correctly, SRP is available on Windows 2000 as well.
Posted by: Eric Lippert at February 2, 2004 03:45 PM

Beavis was here! :D
Posted by: Cmdr. Beavis at February 4, 2004 11:49 AM