|
Bugtraq
mailing list archives
RE: Microsoft Windows CreateRemoteThread Exploit
From: "Michael Wojcik" <Michael.Wojcik () microfocus com>
Date: Fri, 2 Dec 2005 06:41:18 -0800
From: q7x () ashiyane com [mailto:q7x () ashiyane com]
Sent: Thursday, 01 December, 2005 05:02
Description:
when the one process open with OpenProcess function and
use CreateRemoteThread(Process,0,0,x,0,0,0) then the process crash.
an example hackers can use this method for kill firewalls
and antiviruses
If an attacker can successfully call OpenProcess() on a process with
arbitrary access, then they can just request PROCESS_TERMINATE access
and terminate the process with TerminateProcsss(). Other attacks are
obviously possible with other forms of access.
I don't see how this particular feature is a vulnerability unless an
attacker can somehow perform a successful OpenProcess() but only with
PROCESS_CREATE_THREAD access. And even then, why couldn't the attacker
just do:
CreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)_exit,
NULL, 0, NULL);
or indeed create a remote thread with any other useful function the
process has mapped?
This "exploit" boils down to "if I can make a process call address 0, I
can cause an exception in it". Well, sure. If you can make a process
execute arbitrary code, you can do all sorts of things.
An attacker who can successfully open a security-critical process has
already won.
--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
 By Date 
By Thread
Current thread:
|
Intro
