RE: White paper: Exploiting the Win32 API.

From: John Howie (JHowieat_private)
Date: Tue Aug 06 2002 - 10:44:17 PDT


    Chris,
    
    This class of attack is not new; it has been discussed before. While you
    can assert that the blame lies with Microsoft (and I'll admit they do
    have some responsibility to address the problem you describe) the chief
    blame lies with the vendor of the software whose bad programming you are
    exploiting. There is no excuse to put a window for a process with the
    LocalSystem security context on a user's desktop. I am not aware of any
    Microsoft application that makes such a mistake.
    
    John Howie
    
    
    -----Original Message-----
    From: Chris Paget [mailto:ivegottaat_private] 
    Sent: Tuesday, August 06, 2002 9:14 AM
    To: bugtraqat_private
    Subject: White paper: Exploiting the Win32 API.
    
    
    I have written a white paper documenting what I believe is the first
    public example of a new class of attacks against the Win32 API.  This
    particular attack exploits major design flaws in the Win32 API in
    order for a local user to escalate their privileges, either from the
    console of a system or on a Terminal Services link.  The paper is
    available at http://security.tombom.co.uk/shatter.html
    
    In order to pre-empt some of the inevitable storm about responsible
    disclosure, let me point out the following.
    
    1)  The Win32 API has been in existence since the days of Windows
    NT3.1, back in July 1993.  These vulnerabilities have been present
    since then.
    
    2)  Microsoft have known about these vulnerabilities for some time.
    This research was sparked by comments by Jim Allchin talking under
    oath at the Microsoft / DoJ trial some 3 months ago.
    http://www.eweek.com/article2/0,3959,5264,00.asp  Given the age of the
    Win32 API, I would be highly surprised if they have not known about
    these attacks for considerably longer.
    
    3)  Microsoft cannot fix these vulnerabilities.  These are inherent
    flaws in the design and operation of the Win32 API.  This is not a bug
    that can be fixed with a patch.
    
    4)  The white paper documents one example of this class of flaws.
    They have been discussed before on Bugtraq, however to my knowledge
    there have been no public working exploits.  I have just documented
    one way to get this thing working.
    
    5)  This is not a bug.  This is a new class of vulnerabilities, like a
    buffer overflow attack or a format string attack.  As such, there is
    no specific vendor to inform, since it affects every software maker
    who writes products for the Windows platform.  A co-ordinated release
    with every software vendor on the planet is impossible.
    
    Chris
    
    -- 
    Chris Paget
    ivegottaat_private
    
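The precondition both correspondents describe, a window belonging to a process running as LocalSystem (or any account other than the logged-on user) sitting on the interactive desktop, is something an administrator can check for directly. The script below is an added example and is not part of the original thread or of the white paper; it enumerates the visible top-level windows on the current desktop via user32's EnumWindows, resolves each to its owning process and account through CIM (Win32_Process.GetOwner), and flags every window whose owner is not the current user. It assumes Windows PowerShell 5.1 or later on a Windows host; the function name Get-DesktopWindowOwners and the Suspicious column are this example's own choices, and where the CIM provider refuses GetOwner for a protected process the owner is reported as "(access denied)" and the window is still flagged rather than silently skipped.

```powershell
# Added example (not from the original post or the white paper).
# Lists every visible top-level window on the current desktop with the
# process and account that own it, and flags windows owned by an account
# other than the current user (e.g. NT AUTHORITY\SYSTEM).
# Assumes Windows PowerShell 5.1+ on Windows; no elevation required.

Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

[DllImport("user32.dll")]
public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

[DllImport("user32.dll")]
public static extern bool IsWindowVisible(IntPtr hWnd);

[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);
'@

function Get-DesktopWindowOwners {
    # Step 1: collect handles of all visible top-level windows on this desktop.
    # EnumWindows calls the delegate synchronously on this thread, so the
    # script block can safely append to the list from the enclosing scope.
    $handles = New-Object 'System.Collections.Generic.List[IntPtr]'
    $callback = [Win32.User32+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        if ([Win32.User32]::IsWindowVisible($hWnd)) { $handles.Add($hWnd) }
        return $true   # continue enumeration
    }
    [void][Win32.User32]::EnumWindows($callback, [IntPtr]::Zero)

    # Step 2: map each window to its process and the account it runs as.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($hWnd in $handles) {
        [uint32]$windowPid = 0
        [void][Win32.User32]::GetWindowThreadProcessId($hWnd, [ref]$windowPid)

        $title = New-Object System.Text.StringBuilder 512
        [void][Win32.User32]::GetWindowText($hWnd, $title, $title.Capacity)

        $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $windowPid"
        $owner = '(access denied)'   # default if GetOwner is refused
        if ($proc) {
            $r = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
            if ($r.ReturnValue -eq 0) { $owner = "$($r.Domain)\$($r.User)" }
        }

        [pscustomobject]@{
            Handle     = ('0x{0:X}' -f $hWnd.ToInt64())
            PID        = $windowPid
            Process    = if ($proc) { $proc.Name }      else { '?' }
            Session    = if ($proc) { $proc.SessionId } else { '?' }
            Owner      = $owner
            Title      = $title.ToString()
            # Anything not owned by the interactive user (or whose owner
            # cannot be determined) is worth a look.
            Suspicious = ($owner -ne $me)
        }
    }
}

# Usage: show only the windows that violate the "same account as the desktop
# user" rule. An empty table is the expected result on a well-behaved system.
Get-DesktopWindowOwners | Where-Object Suspicious | Format-Table -AutoSize
```

Run it from an ordinary, non-elevated PowerShell session on the desktop in question; running it elevated would itself put windows owned by another token on the desktop and muddy the result. A non-empty table does not by itself prove the window's process is exploitable, only that the precondition the thread describes is present and the owning process deserves a closer look.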



    This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 12:46:03 PDT