Sergey Shishkin

on agile software development

Hacking CardSpace

[UPDATED: As Richard Turner explained to me, the behavior described below is required in order to avoid another critical and really exploitable vulnerability. However, malicious software running on the user’s machine is potentially able to use this behavior for a spoofing attack. The world itself is not ideal anyway… 🙂 ]

I recently watched an interesting video on Channel 9 about Windows CardSpace, its encrypted card store and the private desktop technology that CardSpace uses to protect the user’s sensitive data. A couple of hours later I accidentally broke the CardSpace protection and accessed my user’s desktop in parallel with the running CardSpace UI Agent (Oops :-0 )

The exploited vulnerability was an Open File Dialog, which is used e.g. for choosing a picture for a card or a file for backup. When the Open File Dialog opens, you can clearly see your desktop for a very short moment, but after it opens you are free to open the start menu using the Win button and do whatever you want! See the screenshot:

If you know what it means – you know what to do. This vulnerability was found on WinXP SP2 with the .NET Framework 3.0 RC1 Runtime and was reproduced on Vista RC1. I am not sure if it is already fixed in the September CTP, but I hope that the coming RTM will not have such behavior. We’ll see 😉


Written by Sergey Shishkin

19.10.2006 at 14:34
