Home page logo

bugtraq logo Bugtraq mailing list archives

Re: White paper: Exploiting the Win32 API.
From: Andrey Kolishak <andr () sandy ru>
Date: Wed, 7 Aug 2002 09:57:13 +0200

I believe nothing new it that issue. WM_TIMER tricks were described by
Matt Pietrek in 1997, in Microsoft's MSJ

(sample included)

So it was noted already at least 5 years before Jim Allchin.
There is also well known trick with SetWindowsHookEx function (exploit
sample http://www.uinc.ru/scripts/load.cgi?articles/19/InjectDLL.zip
by buLLet) and so forth.

There is also article of Symeon Xenitellis "A New Avenue of Attack:
Event-driven system vulnerabilities" http://www.isg.rhul.ac.uk/~simos/event_demo/

So it's strange that issue looks new for somebody, especially

Best regards,
 Andrey                            mailto:andr () sandy ru

CP> I have written a white paper documenting what I believe is the first
CP> public example of a new class of attacks against the Win32 API.  This
CP> particular attack exploits major design flaws in the Win32 API in
CP> order for a local user to escalate their privileges, either from the
CP> console of a system or on a Terminal Services link.  The paper is
CP> available at http://security.tombom.co.uk/shatter.html

CP> In order to pre-empt some of the inevitable storm about responsible
CP> disclosure, let me point out the following.

CP> 1)  The Win32 API has been in existence since the days of Windows
CP> NT3.1, back in July 1993.  These vulnerabilities have been present
CP> since then.

CP> 2)  Microsoft have known about these vulnerabilities for some time.
CP> This research was sparked by comments by Jim Allchin talking under
CP> oath at the Microsoft / DoJ trial some 3 months ago.
CP> http://www.eweek.com/article2/0,3959,5264,00.asp  Given the age of the
CP> Win32 API, I would be highly surprised if they have not known about
CP> these attacks for considerably longer.

CP> 3)  Microsoft cannot fix these vulnerabilities.  These are inherent
CP> flaws in the design and operation of the Win32 API.  This is not a bug
CP> that can be fixed with a patch.

CP> 4)  The white paper documents one example of these class of flaws.
CP> They have been discussed before on Bugtraq, however to my knowledge
CP> there have been no public working exploits.  I have just documented
CP> one way to get this thing working.

CP> 5)  This is not a bug.  This is a new class of vulnerabilities, like a
CP> buffer overflow attack or a format string attack.  As such, there is
CP> no specific vendor to inform, since it affects every software maker
CP> who writes products for the Windows platform.  A co-ordinated release
CP> with every software vendor on the planet is impossible.

CP> Chris

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]