[Fwd: Re: Windows fuzz]

From: Blue Boar (BlueBoarat_private)
Date: Sat Jul 06 2002 - 20:04:56 PDT


    -------- Original Message --------
    Subject: Re: Windows fuzz
    Date: 06 Jul 2002 21:35:33 +0100
    From: Simos Xenitellis <simos74at_private>
    To: Blue Boar <BlueBoarat_private>
    References: <3BDDF748.E13BAD83at_private> <1004440837.4618.64.camelat_private> <3BDED58F.C3FB7644at_private>
    
    Dear BB,
    
    I eventually managed to publish the mentioned paper and wrote a
    demonstration page at http://www.isg.rhul.ac.uk/~simos/event_demo/
    Feel free to pass the URL to the vuln-dev mailing list if you find it
    suitable.
    
    Best regards,
    Simos Xenitellis
    
     > Great information.  You'll please post to the list when you can make it
     > public?
     > 		BB
     >
     > Simos Xenitellis wrote:
     > >
     > > Hi,
     > > I am writing an academic paper on such vulnerabilities in event-driven
     > > systems and I am sending it tomorrow to a conference for review. :)
     > >
     > > In event-driven systems it is common to be able to send events
     > > (=messages) from unprivileged users to privileged users (guest ->
     > > Administrator). In Windows 2000, an unprivileged process (example:
     > > trojan horse) can enumerate all windows and identify the important ones
     > > for the title bar and so on. Then, it can send events to them with
     > > PostMessage(). There is currently no protection as to who has sent the
     > > message. One can use it to send custom events but the most interesting
     > > aspect is the sending of legitimate messages to instruct the victim to
     > > do things you want it to.
     > >
     > > For example, check WM_TIMER. The second argument is the address of a
     > > function to execute. Thus, you can execute whatever lies in the address
     > > space of the victim.
     > >
     > > Once the paper gets accepted to the conference, I'll make it public.
     > >
     > > simos
     > >
     > > On 2001-10-30 at 00:41, Blue Boar wrote:
     > > > I was looking at this page today:
     > > > http://www.cs.wisc.edu/~bart/fuzz/fuzz-nt.html
     > > > After seeing it referenced in an NTBugtraq post.
     > > >
     > > > Naturally, I got to wondering if the problems described there could
     > > > be taken advantage of for privilege elevation.  It would involve
     > > > being able to send Windows messages to another app, probably on the
     > > > same physical machine.  Anyone done anything along these lines,
     > > > or can anyone point me at where I can read up on the security
     > > > surrounding message passing?
     > > >
     > > >                               BB
     > > >
     >
    
    
    
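As an added example (not from this thread or from the paper it mentions), a C sketch of the defensive side of the WM_TIMER issue discussed above: a window procedure that never treats a posted WM_TIMER's lParam as a callback address and only runs timer callbacks the process registered itself. Stand-in typedefs replace <windows.h> so it compiles anywhere, and register_timer, handle_message and the sample callback are this example's own names.

```c
/* Stand-in definitions so the logic builds without <windows.h>. */
#include <stdint.h>
#include <stddef.h>

typedef uintptr_t UINT_PTR;
typedef uintptr_t WPARAM;
typedef intptr_t  LPARAM;
#define WM_TIMER 0x0113

typedef void (*TimerProc)(UINT_PTR id);

/* Table of timers this process created itself; only these callbacks run. */
#define MAX_TIMERS 8
static struct { UINT_PTR id; TimerProc proc; } registered[MAX_TIMERS];
static size_t n_registered;

int register_timer(UINT_PTR id, TimerProc proc) {
    if (n_registered >= MAX_TIMERS || proc == NULL) return 0;
    registered[n_registered].id = id;
    registered[n_registered].proc = proc;
    n_registered++;
    return 1;
}

enum { MSG_IGNORED, MSG_TIMER_RUN, MSG_TIMER_DROPPED };

/* Handler for a received message. The lParam of a WM_TIMER is never called
 * or dereferenced: any process can post it, so it is attacker-controllable.
 * The callback is looked up from our own table, keyed by the timer id.
 * A real window procedure must also return here for WM_TIMER instead of
 * forwarding it to DefWindowProc, which would call lParam as a TIMERPROC. */
int handle_message(unsigned msg, WPARAM wParam, LPARAM lParam) {
    (void)lParam;                    /* deliberately ignored */
    if (msg != WM_TIMER) return MSG_IGNORED;
    for (size_t i = 0; i < n_registered; i++) {
        if (registered[i].id == (UINT_PTR)wParam) {
            registered[i].proc(registered[i].id);
            return MSG_TIMER_RUN;
        }
    }
    return MSG_TIMER_DROPPED;        /* unknown timer id: not one of ours */
}

/* Sample callback used to show that only registered timers fire. */
static int sample_ticks;
static void sample_tick(UINT_PTR id) { (void)id; sample_ticks++; }
int sample_tick_count(void) { return sample_ticks; }
```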



    This archive was generated by hypermail 2b30 : Sat Jul 06 2002 - 20:08:46 PDT