Vulnerability Development mailing list archives
Windows fuzz - Following on.
From: "Brett Moore" <brett () softwarecreations co nz>
Date: Wed, 10 Jul 2002 11:14:56 +1200
To add some input to these interesting thoughts...

------------------------------------------------------------
possible sendmessage exploitations for privilege enhancement
------------------------------------------------------------

* Causing local buffer overflows

- A text box has a set size of 10, and the program, which would probably
  have to be using non-standard methods ( encryption progs etc ), grabs
  the bytes calculated by the length of the textbox string, and stores
  them in a fixed 10 byte buffer as it expects a max of 10.
- We set the size to be larger than 10, and hey presto?

brett
-----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com]
Sent: Sunday, 7 July 2002 15:05
To: vuln-dev () securityfocus com
Subject: [Fwd: Re: Windows fuzz]

-------- Original Message --------
Subject: Re: Windows fuzz
Date: 06 Jul 2002 21:35:33 +0100
From: Simos Xenitellis <simos74 () gmx net>
To: Blue Boar <BlueBoar () thievco com>
References: <3BDDF748.E13BAD83 () thievco com> <1004440837.4618.64.camel () pc96 ma rhul ac uk> <3BDED58F.C3FB7644 () thievco com>

Dear BB,

I eventually managed to publish the mentioned paper and wrote a
demonstration page at
http://www.isg.rhul.ac.uk/~simos/event_demo/

Feel free to pass the URL to the vuln-dev mailing list if you find it
suitable.

Best regards,
Simos Xenitellis

> Great information. You'll please post to the list when you can make it
> public?
> BB
>
> Simos Xenitellis wrote:
> >
> > Hi,
> > I am writing an academic paper on such vulnerabilities in event-driven
> > systems and I am sending it tomorrow to a conference for review. :)
> >
> > In event-driven systems it is common to be able to send events
> > (=messages) from unprivileged users to privileged users (guest ->
> > Administrator). In Windows 2000, an unprivileged process (example:
> > trojan horse) can enumerate all windows and identify the important ones
> > for the title bar and so on. Then, it can send events to them with
> > PostMessage(). There is currently no protection as to who has sent the
> > message. One can use it to send custom events but the most interesting
> > aspect is the sending of legitimate messages to instruct the victim to
> > do things you want it.
> >
> > For example, check WM_TIMER. The second argument is the address of a
> > function to execute. Thus, you can execute whatever lies in the address
> > space of the victim.
> >
> > Once the paper gets accepted to the conference, I'll make it public.
> >
> > simos
> >
> > On 2001-10-30 at 00:41, Blue Boar wrote:
> > > I was looking at this page today:
> > > http://www.cs.wisc.edu/~bart/fuzz/fuzz-nt.html
> > > After seeing it referenced in an NTBugtraq post.
> > >
> > > Naturally, I got to wondering if the problems described there could
> > > be taken advantage of for privilege elevation. It would involve
> > > being able to send Windows messages to another app, probably on the
> > > same physical machine. Anyone done anything along these lines,
> > > or can anyone point me at where I can read up on the security
> > > surrounding message passing?
> > >
> > > BB
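The text-box overflow Brett describes above comes down to one coding mistake: the copy length is taken from the control (whose limit the program's author set to 10) instead of from the destination buffer. The following is an added example, not code from Brett's post or from anyone in the thread. It models the pattern in plain C so it runs without Win32: `struct edit_box`, `grab_text_trusting_control`, `grab_text_bounded` and `limit_was_tampered` are hypothetical names, and the sample inputs are constructed. In a real Win32 program the same fix is to size the read by the destination, as `GetWindowText`'s `nMaxCount` argument does, rather than by whatever limit the edit control currently reports.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the text box in Brett's scenario, reduced to what the
 * program reads back from it. In Win32 the limit lives in the edit
 * control and can be changed by another process; here it is a plain
 * field so the example runs anywhere. (Hypothetical type.) */
struct edit_box {
    size_t limit;      /* the limit the developer set, e.g. 10 */
    const char *text;  /* current contents, up to 'limit' characters */
};

#define FIELD_MAX 10   /* the fixed buffer the program believes is enough */

/* Vulnerable pattern from the post: the copy length is derived from the
 * control's contents, so once the limit has been raised above 10 the
 * copy overruns out[]. Shown for shape only; main() never calls it with
 * oversized input, since that would be undefined behaviour. */
int grab_text_trusting_control(char out[FIELD_MAX], const struct edit_box *box)
{
    size_t len = strlen(box->text);   /* bounded only by box->limit */
    memcpy(out, box->text, len);      /* overflow when len > FIELD_MAX */
    return (int)len;
}

/* Hardened form: the destination size governs the copy, never the
 * control's limit. Returns bytes stored, or -1 when the text does not
 * fit (one byte is reserved for the NUL), so the caller rejects the
 * input instead of truncating or overflowing silently. */
int grab_text_bounded(char *out, size_t out_size, const struct edit_box *box)
{
    size_t len = strlen(box->text);
    if (out_size == 0 || len > out_size - 1)
        return -1;
    memcpy(out, box->text, len);
    out[len] = '\0';
    return (int)len;
}

/* Defensive check: re-read the control's limit before trusting its text
 * and report whether it still matches what the program configured.
 * Returns 1 if the limit was changed behind the program's back, else 0. */
int limit_was_tampered(const struct edit_box *box, size_t expected_limit)
{
    return box->limit != expected_limit;
}

int main(void)
{
    char field[FIELD_MAX];
    /* Constructed samples: a normal box, and one whose limit was raised
     * to 40 and then filled with 40 characters. */
    struct edit_box normal   = { 10, "hunter2" };
    struct edit_box tampered = { 40, "0123456789012345678901234567890123456789" };

    printf("normal:   %d\n", grab_text_bounded(field, sizeof field, &normal));
    printf("tampered: %d\n", grab_text_bounded(field, sizeof field, &tampered));
    printf("limit changed: %d\n", limit_was_tampered(&tampered, FIELD_MAX));
    return 0;
}
```

The point of `grab_text_bounded` is that `FIELD_MAX` is the only number the copy depends on; the control's limit is treated as attacker-influenced input, and `limit_was_tampered` gives the program a cheap way to notice that it has been altered and log or refuse the read.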
Current thread:
- [Fwd: Re: Windows fuzz] Blue Boar (Jul 06)
- Windows fuzz - Following on. Brett Moore (Jul 09)
- Re: [Fwd: Re: Windows fuzz] Andreas Hasenack (Jul 12)