Home page logo

bugtraq logo Bugtraq mailing list archives

RE: Microsoft Windows CreateRemoteThread Exploit
From: "Michael Wojcik" <Michael.Wojcik () microfocus com>
Date: Fri, 2 Dec 2005 06:41:18 -0800

From: q7x () ashiyane com [mailto:q7x () ashiyane com] 
Sent: Thursday, 01 December, 2005 05:02

   when the one process open with  OpenProcess function and 
use CreateRemoteThread(Process,0,0,x,0,0,0) then the process crash.
   an example hackers can use this method for kill firewalls 
and antiviruses

If an attacker can successfully call OpenProcess() on a process with
arbitrary access, then they can just request PROCESS_TERMINATE access
and terminate the process with TerminateProcsss().  Other attacks are
obviously possible with other forms of access.

I don't see how this particular feature is a vulnerability unless an
attacker can somehow perform a successful OpenProcess() but only with
PROCESS_CREATE_THREAD access.  And even then, why couldn't the attacker
just do:

CreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)_exit,

or indeed create a remote thread with any other useful function the
process has mapped?

This "exploit" boils down to "if I can make a process call address 0, I
can cause an exception in it".  Well, sure.  If you can make a process
execute arbitrary code, you can do all sorts of things.

An attacker who can successfully open a security-critical process has
already won.

Michael Wojcik
Principal Software Systems Developer, Micro Focus

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]