-------- Original Message --------
Subject: Re: Windows fuzz
Date: 06 Jul 2002 21:35:33 +0100
From: Simos Xenitellis <simos74at_private>
To: Blue Boar <BlueBoarat_private>
References: <3BDDF748.E13BAD83at_private> <1004440837.4618.64.camelat_private> <3BDED58F.C3FB7644at_private>

Dear BB,

I eventually managed to publish the mentioned paper and wrote a
demonstration page at
http://www.isg.rhul.ac.uk/~simos/event_demo/

Feel free to pass the URL to the vuln-dev mailing list if you find it
suitable.

Best regards,
Simos Xenitellis

> Great information. You'll please post to the list when you can make it
> public?
> BB
>
> Simos Xenitellis wrote:
> >
> > Hi,
> > I am writing an academic paper on such vulnerabilities in event-driven
> > systems and I am sending it tomorrow to a conference for review. :)
> >
> > In event-driven systems it is common to be able to send events
> > (=messages) from unprivileged users to privileged users (guest ->
> > Administrator). In Windows 2000, an unprivileged process (example:
> > trojan horse) can enumerate all windows and identify the important ones
> > for the title bar and so on. Then, it can send events to them with
> > PostMessage(). There is currently no protection as to who has sent the
> > message. One can use it to send custom events but the most interesting
> > aspect is the sending of legitimate messages to instruct the victim to
> > do things you want it.
> >
> > For example, check WM_TIMER. The second argument is the address of a
> > function to execute. Thus, you can execute whatever lies in the address
> > space of the victim.
> >
> > Once the paper gets accepted to the conference, I'll make it public.
> >
> > simos
> >
> > On 2001-10-30 at 00:41, Blue Boar wrote:
> > > I was looking at this page today:
> > > http://www.cs.wisc.edu/~bart/fuzz/fuzz-nt.html
> > > After seeing it referenced in an NTBugtraq post.
> > >
> > > Naturally, I got to wondering if the problems described there could
> > > be taken advantage of for privilege elevation. It would involve
> > > being able to send Windows messages to another app, probably on the
> > > same physical machine. Anyone done anything along these lines,
> > > or can anyone point me at where I can read up on the security
> > > surrounding message passing?
> > >
> > > BB
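
Added example, not part of the thread or of the paper it mentions: a receiving application can refuse to dispatch a WM_TIMER message whose callback address it did not register itself, since the message carries no sender identity. This is a portable model with its own message struct; msg_t, register_timer_cb, may_dispatch and the sample queue are hypothetical names and constructed data, and only the WM_TIMER and WM_PAINT values are the real Win32 constants.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Portable model of the message fields involved; on Windows these come
   from <windows.h>. For WM_TIMER, lParam carries the callback address. */
#define WM_TIMER 0x0113u
typedef struct { unsigned message; uintptr_t wParam; uintptr_t lParam; } msg_t;
typedef void (*timer_cb)(void);

#define MAX_CB 8
static timer_cb registered[MAX_CB];   /* callbacks this process set itself */
static size_t n_registered;

/* Record a callback at the point where the application creates its timer. */
int register_timer_cb(timer_cb cb) {
    if (cb == NULL || n_registered == MAX_CB) return -1;
    registered[n_registered++] = cb;
    return 0;
}

/* Returns 1 if the queued message may be dispatched, 0 if it must be dropped. */
int may_dispatch(const msg_t *m) {
    if (m->message != WM_TIMER) return 1;  /* other messages are not filtered here */
    if (m->lParam == 0) return 1;          /* no callback: the window procedure handles it */
    for (size_t i = 0; i < n_registered; i++)
        if ((uintptr_t)registered[i] == m->lParam) return 1;
    return 0;                              /* callback address the app never registered */
}

static void on_tick(void) {}               /* constructed sample callback */

/* Runs constructed messages through the filter; returns how many were dropped. */
int demo(void) {
    n_registered = 0;
    register_timer_cb(on_tick);
    msg_t queue[] = {
        { WM_TIMER, 1, (uintptr_t)on_tick },      /* the app's own timer */
        { WM_TIMER, 2, 0 },                       /* timer without a callback */
        { WM_TIMER, 7, (uintptr_t)0x41414141u },  /* constructed: unregistered address */
        { 0x000Fu,  0, 0 },                       /* WM_PAINT, passes through */
    };
    int dropped = 0;
    for (size_t i = 0; i < sizeof queue / sizeof queue[0]; i++)
        if (!may_dispatch(&queue[i])) dropped++;
    return dropped;
}

int main(void) { printf("dropped %d of 4 constructed messages\n", demo()); return 0; }
```

In a real message loop the check would sit between retrieving a message and dispatching it.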
This archive was generated by hypermail 2b30 : Sat Jul 06 2002 - 20:08:46 PDT