OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Andrey Kolishak (andr_at_SANDY.RU)
Date: Thu Aug 08 2002 - 08:03:23 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    nothing new it that issue. WM_TIMER tricks were described by
    Matt Pietrek in 1997, in Microsoft's MSJ

    http://www.microsoft.com/msj/defaultframe.asp?page=/msj/0397/hood/hood0397.htm&nav=/msj/0397/newnav.htm
    (sample included)

    So it was noted already at least 5 years before Jim Allchin.
    There is also well known trick with SetWindowsHookEx function (exploit
    sample http://www.uinc.ru/scripts/load.cgi?articles/19/InjectDLL.zip
    by buLLet) and so forth.

    Moreover the issue was mentioned in article of Symeon Xenitellis "A New Avenue of Attack:
    Event-driven system vulnerabilities" http://www.isg.rhul.ac.uk/~simos/event_demo/

     Andrey mailto:andrsandy.ru

    CP> I have written a white paper documenting what I believe is the first
    CP> public example of a new class of attacks against the Win32 API. This
    CP> particular attack exploits major design flaws in the Win32 API in
    CP> order for a local user to escalate their privileges, either from the
    CP> console of a system or on a Terminal Services link. The paper is
    CP> available at http://security.tombom.co.uk/shatter.html

    CP> In order to pre-empt some of the inevitable storm about responsible
    CP> disclosure, let me point out the following.

    CP> 1) The Win32 API has been in existence since the days of Windows
    CP> NT3.1, back in July 1993. These vulnerabilities have been present
    CP> since then.

    CP> 2) Microsoft have known about these vulnerabilities for some time.
    CP> This research was sparked by comments by Jim Allchin talking under
    CP> oath at the Microsoft / DoJ trial some 3 months ago.
    CP> http://www.eweek.com/article2/0,3959,5264,00.asp Given the age of the
    CP> Win32 API, I would be highly surprised if they have not known about
    CP> these attacks for considerably longer.

    CP> 3) Microsoft cannot fix these vulnerabilities. These are inherent
    CP> flaws in the design and operation of the Win32 API. This is not a bug
    CP> that can be fixed with a patch.

    CP> 4) The white paper documents one example of these class of flaws.
    CP> They have been discussed before on Bugtraq, however to my knowledge
    CP> there have been no public working exploits. I have just documented
    CP> one way to get this thing working.

    CP> 5) This is not a bug. This is a new class of vulnerabilities, like a
    CP> buffer overflow attack or a format string attack. As such, there is
    CP> no specific vendor to inform, since it affects every software maker
    CP> who writes products for the Windows platform. A co-ordinated release
    CP> with every software vendor on the planet is impossible.

    CP> Chris