mailing list archives
Re: White paper: Exploiting the Win32 API.
From: Roland Kaufmann <roland () ii uib no>
Date: 7 Aug 2002 13:49:23 -0000
In-Reply-To: <katvkuk81lk8srfaf2knq46of6k6jses1k () 4ax com>
3) Microsoft cannot fix these vulnerabilities. These are inherent
flaws in the design and operation of the Win32 API. This is not a
bug that can be fixed with a patch.
I would like to rebut this statement. The vulternability seems to
depend on the usage of the WM_TIMER message to execute arbitrary
data that has been put in the target process' address space.
The following four patches would seem to remove this capability:
(a) The memory page where the edit box store the message should not
be marked as executable but only as read/write. Even if the application
copies this memory, it should still be to a page marked as not
(b) WM_TIMER messages are posted to the message queue and can be
filtered by the application, as stated in the documentation for
this message. The application can have a list over timers and check
this for validity. (Moral of the story: Don't trust window message
parameters any more than user input).
(c) lParam may only be a value that has previously been registered
by SetTimer. GetMessage/PeekMessage or SendMessage/PostMessage can
be modified to verify this. (There has to be a list of timers for
the application somewhere)
(d) SendMessage/PostMessage could be modified to not dispatch or
GetMessage/PeekMessage could be modified to drop WM_TIMER messages
(or any messages that takes addresses, like EM_GETLINE) to windows
belonging to processes other than itself.