Vulnerability Development mailing list archives

Windows fuzz - Following on.


From: "Brett Moore" <brett () softwarecreations co nz>
Date: Wed, 10 Jul 2002 11:14:56 +1200

To add some input to these interesting thoughts...

------------------------------------------------------------
possible sendmessage exploitations for privilege enhancement
------------------------------------------------------------

* Causing local buffer overflows

- A text box has a set size of 10, and the program, which would probably have
to be using non-standard methods (encryption progs etc.), grabs the bytes
calculated by the length of the textbox string and stores them in a fixed
10-byte buffer as it expects a max of 10.
- We set the size to be larger than 10, and hey presto?

brett
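
As an added example (not code from the thread), the pattern Brett describes in portable C: a constructed stand-in for the edit control replaces the Win32 calls (in a real program the length would come from GetWindowTextLength()/WM_GETTEXTLENGTH and the limit from EM_LIMITTEXT, both of which another process can change by sending messages), and the copy bounded by the control's reported length sits beside the form bounded by the destination size.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for an edit control (not a Win32 API). */
struct edit_control {
    size_t limit;     /* what the program believes the max length is */
    char   text[64];  /* what is actually in the control */
};

#define FIELD_MAX 10  /* the program's fixed 10-byte buffer */

/* Vulnerable pattern from the post: the copy size is taken from the control
 * (which another process can influence) while the destination is a fixed
 * 10-byte buffer sized to the *assumed* limit. To keep this runnable we only
 * compute how many bytes such a copy would write past the buffer instead of
 * performing it; memcpy(buf, ctl->text, len + 1) is the real-world overrun. */
size_t bytes_overflowed_unchecked(const struct edit_control *ctl)
{
    size_t len = strlen(ctl->text);   /* "length of the textbox string" */
    char buf[FIELD_MAX];
    (void)buf;                        /* stands in for the fixed buffer */
    return (len + 1 > FIELD_MAX) ? (len + 1 - FIELD_MAX) : 0;
}

/* Hardened form: bound the copy by the destination size, never by anything
 * the control reports. Returns 1 on success, 0 if the input was rejected
 * (over-long text is refused rather than silently truncated). */
int copy_field_checked(const struct edit_control *ctl, char *dst, size_t dstsz)
{
    size_t len = strlen(ctl->text);
    if (dstsz == 0 || len >= dstsz)   /* no room for text plus NUL */
        return 0;
    memcpy(dst, ctl->text, len + 1);
    return 1;
}

int main(void)
{
    /* Constructed input: the limit still says 10, but 20 bytes are present,
     * as if the limit had been raised from outside after the program set it. */
    struct edit_control ctl = { 10, "0123456789ABCDEFGHIJ" };
    char out[FIELD_MAX];
    printf("unchecked copy would overrun by %zu bytes\n",
           bytes_overflowed_unchecked(&ctl));
    printf("checked copy accepted: %d\n", copy_field_checked(&ctl, out, sizeof out));
    return 0;
}
```

The lesson for the defending side is that the control's limit is application state another process can modify, so it must never stand in for the size of the receiving buffer.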

-----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com]
Sent: Sunday, 7 July 2002 15:05
To: vuln-dev () securityfocus com
Subject: [Fwd: Re: Windows fuzz]


-------- Original Message --------
Subject: Re: Windows fuzz
Date: 06 Jul 2002 21:35:33 +0100
From: Simos Xenitellis <simos74 () gmx net>
To: Blue Boar <BlueBoar () thievco com>
References: <3BDDF748.E13BAD83 () thievco com>
<1004440837.4618.64.camel () pc96 ma rhul ac uk>
<3BDED58F.C3FB7644 () thievco com>

Dear BB,

I eventually managed to publish the mentioned paper and wrote a
demonstration page at http://www.isg.rhul.ac.uk/~simos/event_demo/
Feel free to pass the URL to the vuln-dev mailing list if you find it
suitable.

Best regards,
Simos Xenitellis

 > Great information.  You'll please post to the list when you can make it
 > public?
 >
 >       BB
 >
 > Simos Xenitellis wrote:
 > >
 > > Hi,
 > > I am writing an academic paper on such vulnerabilities in event-driven
 > > systems and I am sending it tomorrow to a conference for review. :)
 > >
 > > In event-driven systems it is common to be able to send events
 > > (=messages) from unprivileged users to privileged users (guest ->
 > > Administrator). In Windows 2000, an unprivileged process (example:
 > > trojan horse) can enumerate all windows and identify the important ones
 > > for the title bar and so on. Then, it can send events to them with
 > > PostMessage(). There is currently no protection as to who has sent the
 > > message. One can use it to send custom events but the most interesting
 > > aspect is the sending of legitimate messages to instruct the victim to
 > > do things you want it to.
 > >
 > > For example, check WM_TIMER. The second argument is the address of a
 > > function to execute. Thus, you can execute whatever lies in the address
 > > space of the victim.
 > >
 > > Once the paper gets accepted to the conference, I'll make it public.
 > >
 > > simos
 > >
 > > On 2001-10-30 at 00:41, Blue Boar wrote:
 > > > I was looking at this page today:
 > > > http://www.cs.wisc.edu/~bart/fuzz/fuzz-nt.html
 > > > After seeing it referenced in an NTBugtraq post.
 > > >
 > > > Naturally, I got to wondering if the problems described there could
 > > > be taken advantage of for privilege elevation.  It would involve
 > > > being able to send Windows messages to another app, probably on the
 > > > same physical machine.  Anyone done anything along these lines,
 > > > or can anyone point me at where I can read up on the security
 > > > surrounding message passing?
 > > >
 > > >                               BB
 > > >
 >
