Bugtraq mailing list archives
Re: White paper: Exploiting the Win32 API.
From: Andrey Kolishak <andr () sandy ru>
Date: Wed, 7 Aug 2002 09:57:13 +0200
I believe there is nothing new in that issue. WM_TIMER tricks were described by Matt Pietrek in 1997, in Microsoft's MSJ: http://www.microsoft.com/msj/defaultframe.asp?page=/msj/0397/hood/hood0397.htm&nav=/msj/0397/newnav.htm (sample included). So it was noted already at least 5 years before Jim Allchin.

There is also the well-known trick with the SetWindowsHookEx function (exploit sample http://www.uinc.ru/scripts/load.cgi?articles/19/InjectDLL.zip by buLLet) and so forth.

There is also an article by Symeon Xenitellis, "A New Avenue of Attack: Event-driven system vulnerabilities": http://www.isg.rhul.ac.uk/~simos/event_demo/

So it's strange that this issue looks new to somebody, especially experts.

Best regards,
Andrey
mailto:andr () sandy ru

CP> I have written a white paper documenting what I believe is the first
CP> public example of a new class of attacks against the Win32 API. This
CP> particular attack exploits major design flaws in the Win32 API in
CP> order for a local user to escalate their privileges, either from the
CP> console of a system or on a Terminal Services link. The paper is
CP> available at http://security.tombom.co.uk/shatter.html
CP>
CP> In order to pre-empt some of the inevitable storm about responsible
CP> disclosure, let me point out the following.
CP>
CP> 1) The Win32 API has been in existence since the days of Windows
CP> NT3.1, back in July 1993. These vulnerabilities have been present
CP> since then.
CP>
CP> 2) Microsoft have known about these vulnerabilities for some time.
CP> This research was sparked by comments by Jim Allchin talking under
CP> oath at the Microsoft / DoJ trial some 3 months ago.
CP> http://www.eweek.com/article2/0,3959,5264,00.asp Given the age of the
CP> Win32 API, I would be highly surprised if they have not known about
CP> these attacks for considerably longer.
CP>
CP> 3) Microsoft cannot fix these vulnerabilities. These are inherent
CP> flaws in the design and operation of the Win32 API. This is not a bug
CP> that can be fixed with a patch.
CP>
CP> 4) The white paper documents one example of this class of flaws.
CP> They have been discussed before on Bugtraq, however to my knowledge
CP> there have been no public working exploits. I have just documented
CP> one way to get this thing working.
CP>
CP> 5) This is not a bug. This is a new class of vulnerabilities, like a
CP> buffer overflow attack or a format string attack. As such, there is
CP> no specific vendor to inform, since it affects every software maker
CP> who writes products for the Windows platform. A co-ordinated release
CP> with every software vendor on the planet is impossible.
CP>
CP> Chris
Current thread:
- White paper: Exploiting the Win32 API. Chris Paget (Aug 06)
- Re: White paper: Exploiting the Win32 API. Chad Loder (Aug 06)
- Re: White paper: Exploiting the Win32 API. Florian Weimer (Aug 06)
- Re: White paper: Exploiting the Win32 API. Andrey Kolishak (Aug 10)
- Re: White paper: Exploiting the Win32 API. Paul Starzetz (Aug 27)
- <Possible follow-ups>
- RE: White paper: Exploiting the Win32 API. John Howie (Aug 06)
- Re: White paper: Exploiting the Win32 API. Chris Paget (Aug 06)
- Re: White paper: Exploiting the Win32 API. Florian Weimer (Aug 06)
- RE: White paper: Exploiting the Win32 API. Marc Maiffret (Aug 10)
- RE: White paper: Exploiting the Win32 API. John Howie (Aug 06)
- Re: White paper: Exploiting the Win32 API. Roland Kaufmann (Aug 07)
- Re: White paper: Exploiting the Win32 API. Adam Megacz (Aug 07)
- Re: White paper: Exploiting the Win32 API. Chris Calabrese (Aug 07)
- Re: White paper: Exploiting the Win32 API. slack3r (Aug 07)