Bugtraq mailing list archives

Re: Microsoft Window Utility Manager Local Elevation of Privileges
From: Chris Paget <ivegotta () tombom co uk>
Date: Wed, 14 Jul 2004 12:58:05 +0100

On Tue, 13 Jul 2004 16:00:33 -0400, you wrote:

Microsoft Window Utility Manager Local Elevation of Privileges

<snip>

To exploit the vulnerability, an attacker would need only to run the 
following code:

After this code has been executed, winhlp32.exe will ask the attacker to 
locate the umandlg.hlp help file. The attacker can then select "Yes" and 
an Open dialog will be shown. The attacker can then search and select 
cmd.exe. The attacker will then have a shell running under Local System 
privileges.

This isn't quite right - on my system at least, browsing for cmd.exe
in this way generates an error:
"The C:\WINNT\system32\cmd.exe file is not a Windows Help file, or the
file is corrupted."

That said, the file dialog can be made to display a ListView control
(display details rather than a list).  This ListView control will
accept both WM_SETTEXT (to inject shellcode into the caption of the
window) followed by LVM_SORTITEMS (which specifies the address for a
sort function) to execute said code.  It is a valid method for
arbitrary code execution as LocalSystem, but not quite as simply as
Vivek makes out.

Chris

-- 
Chris Paget
ivegotta () tombom co uk

