Bugtraq mailing list archives
RE: White paper: Exploiting the Win32 API.
From: "Marc Maiffret" <marc () eeye com>
Date: Wed, 7 Aug 2002 00:01:13 -0700
I am aware of a Microsoft application that has made such a mistake. http://www.atstake.com/research/advisories/2000/a090700-1.txt is an example of one. In fact you would be surprised at the number of services vulnerable to these types of attacks, from personal firewalls to anti-virus and so on.

Priv. escalation through Windows message attacks is nothing new. Back when I was in rhino9, 4 or so years ago, we were performing similar attacks to do priv. escalation from IUSR to SYSTEM.

Out of the box, the way Windows messaging works I think is flawed... Yes, there are things you can do to protect from most of these attacks. However, Windows should install out of the box with these attacks in mind... secure by default and all that jazz ;-) There is a lot that can be done at the OS level to protect from programmers who do not know any better. I know Microsoft keeps saying they will be secure by default... however I doubt we will see that anytime soon, especially for lower level stuff like this.

Besides... it's next to impossible to keep a local user from getting SYSTEM. There are just too many ways to do it, from service exploitation, to Windows APIs, to core flaws within the Windows architecture. Any OS where locally you can input a chunk of data to some graphic routines, as an unprivileged user, and then b00m be executing code within the kernel... you can't trust that OS for local privilege separation of users and such. Makes you wonder if you can even trust it in remote scenarios. :-o

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

-----Original Message-----
From: John Howie [mailto:JHowie () securitytoolkit com]
Sent: Tuesday, August 06, 2002 10:44 AM
To: Chris Paget; bugtraq () securityfocus com
Subject: RE: White paper: Exploiting the Win32 API.

Chris,

This class of attack is not new; it has been discussed before. While you can assert that the blame lies with Microsoft (and I'll admit they do have some responsibility to address the problem you describe), the chief blame lies with the vendor of the software whose bad programming you are exploiting. There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop. I am not aware of any Microsoft application that makes such a mistake.

John Howie

-----Original Message-----
From: Chris Paget [mailto:ivegotta () tombom co uk]
Sent: Tuesday, August 06, 2002 9:14 AM
To: bugtraq () securityfocus com
Subject: White paper: Exploiting the Win32 API.

I have written a white paper documenting what I believe is the first public example of a new class of attacks against the Win32 API. This particular attack exploits major design flaws in the Win32 API in order for a local user to escalate their privileges, either from the console of a system or on a Terminal Services link.

The paper is available at http://security.tombom.co.uk/shatter.html

In order to pre-empt some of the inevitable storm about responsible disclosure, let me point out the following.

1) The Win32 API has been in existence since the days of Windows NT 3.1, back in July 1993. These vulnerabilities have been present since then.

2) Microsoft have known about these vulnerabilities for some time. This research was sparked by comments by Jim Allchin talking under oath at the Microsoft / DoJ trial some 3 months ago. http://www.eweek.com/article2/0,3959,5264,00.asp Given the age of the Win32 API, I would be highly surprised if they have not known about these attacks for considerably longer.

3) Microsoft cannot fix these vulnerabilities. These are inherent flaws in the design and operation of the Win32 API. This is not a bug that can be fixed with a patch.

4) The white paper documents one example of this class of flaws. They have been discussed before on Bugtraq; however, to my knowledge there have been no public working exploits. I have just documented one way to get this thing working.

5) This is not a bug. This is a new class of vulnerabilities, like a buffer overflow attack or a format string attack. As such, there is no specific vendor to inform, since it affects every software maker who writes products for the Windows platform. A co-ordinated release with every software vendor on the planet is impossible.

Chris

--
Chris Paget
ivegotta () tombom co uk
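An audit that follows from John Howie's rule above (no window for a LocalSystem process on a user's desktop), added here as an example and not part of the thread or of any poster's tooling: it lists processes in the current interactive session that own a visible top-level window and run as SYSTEM or one of the built-in service accounts. It assumes Windows PowerShell 5.1 or later with CIM access; on Vista and later, session 0 isolation already keeps service windows off the user's desktop, so this catches the residual case of privileged processes started inside the user's session.

```powershell
# Audit: which processes in my interactive session have a visible top-level
# window while running under a privileged service account?
# Example code, not part of the Bugtraq thread.

$privilegedAccounts = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)

# Only windows in my own session share a desktop with me.
$mySession = (Get-Process -Id $PID).SessionId

$findings = foreach ($p in Get-Process) {
    # MainWindowHandle is zero for processes with no visible main window.
    if ($p.MainWindowHandle -eq [IntPtr]::Zero) { continue }
    if ($p.SessionId -ne $mySession) { continue }

    # Resolve the owning account through WMI/CIM; GetOwner fails with a
    # non-zero ReturnValue (e.g. access denied) for some protected processes.
    $cim = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)" -ErrorAction SilentlyContinue
    if (-not $cim) { continue }
    $owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwner -ErrorAction SilentlyContinue
    if (-not $owner -or $owner.ReturnValue -ne 0) { continue }

    $account = "$($owner.Domain)\$($owner.User)"
    if ($privilegedAccounts -contains $account) {
        [pscustomobject]@{
            ProcessId   = $p.Id
            Name        = $p.ProcessName
            Account     = $account
            WindowTitle = $p.MainWindowTitle
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No privileged processes with a visible window found in this session.'
}
```

MainWindowHandle only reports a visible main window, so a privileged process whose windows are hidden but still receive messages is not listed; a complete desktop audit needs EnumWindows over every top-level window instead.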