Re: White paper: Exploiting the Win32 API.

From: Andrey Kolishak (andrat_private)
Date: Wed Aug 07 2002 - 00:57:13 PDT


    I believe there is nothing new in that issue. WM_TIMER tricks were described by
    Matt Pietrek in 1997, in Microsoft's MSJ
    
    http://www.microsoft.com/msj/defaultframe.asp?page=/msj/0397/hood/hood0397.htm&nav=/msj/0397/newnav.htm
    (sample included)
    
    So it was noted already at least 5 years before Jim Allchin.
    There is also a well-known trick with the SetWindowsHookEx function (exploit
    sample http://www.uinc.ru/scripts/load.cgi?articles/19/InjectDLL.zip
    by buLLet) and so forth.
    
    There is also an article by Symeon Xenitellis, "A New Avenue of Attack:
    Event-driven system vulnerabilities": http://www.isg.rhul.ac.uk/~simos/event_demo/
    
    So it's strange that the issue looks new to somebody, especially to
    experts.
    
    
    Best regards,
     Andrey                            mailto:andrat_private
    
    CP> I have written a white paper documenting what I believe is the first
    CP> public example of a new class of attacks against the Win32 API.  This
    CP> particular attack exploits major design flaws in the Win32 API in
    CP> order for a local user to escalate their privileges, either from the
    CP> console of a system or on a Terminal Services link.  The paper is
    CP> available at http://security.tombom.co.uk/shatter.html
    
    CP> In order to pre-empt some of the inevitable storm about responsible
    CP> disclosure, let me point out the following.
    
    CP> 1)  The Win32 API has been in existence since the days of Windows
    CP> NT3.1, back in July 1993.  These vulnerabilities have been present
    CP> since then.
    
    CP> 2)  Microsoft have known about these vulnerabilities for some time.
    CP> This research was sparked by comments by Jim Allchin talking under
    CP> oath at the Microsoft / DoJ trial some 3 months ago.
    CP> http://www.eweek.com/article2/0,3959,5264,00.asp  Given the age of the
    CP> Win32 API, I would be highly surprised if they have not known about
    CP> these attacks for considerably longer.
    
    CP> 3)  Microsoft cannot fix these vulnerabilities.  These are inherent
    CP> flaws in the design and operation of the Win32 API.  This is not a bug
    CP> that can be fixed with a patch.
    
    CP> 4)  The white paper documents one example of this class of flaws.
    CP> They have been discussed before on Bugtraq, however to my knowledge
    CP> there have been no public working exploits.  I have just documented
    CP> one way to get this thing working.
    
    CP> 5)  This is not a bug.  This is a new class of vulnerabilities, like a
    CP> buffer overflow attack or a format string attack.  As such, there is
    CP> no specific vendor to inform, since it affects every software maker
    CP> who writes products for the Windows platform.  A co-ordinated release
    CP> with every software vendor on the planet is impossible.
    
    CP> Chris
    
    This archive was generated by hypermail 2b30 : Sat Aug 10 2002 - 18:19:56 PDT