Re: iDEFENSE Security Advisory 07.11.03: Win32 Message Vulnerabilities Redux

From: David A. Pérez (davidat_private)
Date: Fri Jul 11 2003 - 16:19:02 PDT


    > iDEFENSE has published a paper written by Oliver Lavery that clarifies
    > what the flaws in the Windows event model are, describes a related
    > vulnerability that continues to exist in many popular software products
    > and suggests ways in which these "unfixable" flaws might be addressed.
    > Titled "Win32 Message Vulnerabilities Redux," the paper is available at
    > http://www.idefense.com/idpapers/Shatter_Redux.pdf .  The appropriate
    > vendors mentioned within received an advance copy of this paper.
    
    Nice document. A few comments on this:
    
    The applications mentioned are intended to be used on non-server machines,
    which are the most vulnerable. There are also a lot of applications that in
    most cases run on servers (off the top of my mind, MDaemon, and MTA for
    Windows, which also creates a window that interacts with the desktop). These
    applications are at less risk because in theory only administrators should
    be allowed to log on to servers, but in some situations this is not the
    case.
    
    At the end of the day, if a user escalates privileges on a workstation, he
    won't be able to gain administrator access to the network, but if that same
    user escalates privileges on a server... oh, oh....
    
    On the other hand, we do not need any third-party application to have an
    interactive window running as a service; Windows provides us with this
    "feature" off the shelf. Two examples:
    
    C:\net send 127.0.0.1 Create a doggie window
    
    And if the command prompt has been disabled we can use Win+U to bring up the
    Utility Manager. The Utility Manager is launched by the winlogon process
    with SYSTEM privileges and provides access to the "Accessibility tools" (good
    title). This "trick" will only work in Windows 2000; it seems that Microsoft
    has decided to do a good job, and in Windows XP the Utility Manager is
    launched twice, once by the winlogon process with SYSTEM privileges and once
    again with user privileges. Only the second process exposes any windows to
    the user.
    
    And if any of this is not enough, we can try with the Infrared service, the
    NetDDE agent and maybe more...
    
    Regards,
    
    David A. Pérez
    
                                  http://www.kamborio.com/
     _                       _                   _
    | | __  __ _  _ __ ___  | |__    ___   _ __ (_)  ___
    | |/ / / _` || '_ ` _ \ | '_ \  / _ \ | '__|| | / _ \
    |   < | (_| || | | | | || |_) || (_) || |   | || (_) |
    |_|\_\ \__,_||_| |_| |_||_.__/  \___/ |_|   |_| \___/
          Forgiveness is the revenge of the good (anonymous)
    
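The post's point is that any service running as SYSTEM with a window on the interactive desktop is exposed to the message-based flaws the iDEFENSE paper describes, whether it is a third-party product or one of the built-in ones. The following PowerShell script is an added example, not part of the original message, that audits a host for exactly that configuration: it lists every service whose "interact with desktop" flag is set (the Win32_Service DesktopInteract property, which reflects the SERVICE_INTERACTIVE_PROCESS type bit) together with the account it runs under, and reads the NoInteractiveServices policy value that later Windows versions use to block such windows. It assumes a Windows host with PowerShell 3 or newer and an elevated prompt; the registry value does not exist on the Windows 2000/XP systems the post discusses, and the script reports that case rather than failing.

```powershell
# Added example (not from the original post): audit which services are configured
# to interact with the desktop, the configuration that hands a logged-on user a
# window owned by a SYSTEM process. Assumes PowerShell 3+ (Get-CimInstance) and
# an elevated prompt so all service properties are readable.

function Get-InteractiveService {
    # Win32_Service.DesktopInteract is True when the service's registry Type value
    # carries the SERVICE_INTERACTIVE_PROCESS flag (0x100).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract } |
        Select-Object Name, DisplayName, StartName, State, PathName
}

function Get-InteractiveServicesPolicy {
    # NoInteractiveServices under HKLM\SYSTEM\CurrentControlSet\Control\Windows
    # (Vista and later) blocks interactive service windows when set to 1.
    # The value is absent on Windows 2000/XP, which this function reports.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $item = Get-ItemProperty -Path $key -Name NoInteractiveServices -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        'NoInteractiveServices not set (interactive service windows permitted)'
    } elseif ($item.NoInteractiveServices -eq 1) {
        'NoInteractiveServices = 1 (interactive service windows blocked)'
    } else {
        "NoInteractiveServices = $($item.NoInteractiveServices) (interactive service windows permitted)"
    }
}

# Report. Entries whose StartName is LocalSystem are the ones to follow up on
# first: a SYSTEM-owned window on the user's desktop is the case the post warns about.
Write-Host "Policy: $(Get-InteractiveServicesPolicy)"
$interactive = @(Get-InteractiveService)
if ($interactive.Count -eq 0) {
    Write-Host 'No services are configured to interact with the desktop.'
} else {
    Write-Host "Services configured to interact with the desktop: $($interactive.Count)"
    $interactive | Sort-Object StartName, Name | Format-Table -AutoSize
}
```

Run it on a workstation and on a server: on the server, each LocalSystem entry in the output is a process that a non-administrator with a logon session could reach through the desktop, which is the scenario the post singles out as the dangerous one.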
    This archive was generated by hypermail 2b30 : Sat Jul 12 2003 - 16:03:30 PDT