To add some input to these interesting thoughts...

------------------------------------------------------------
possible sendmessage exploitations for privilege enhancement
------------------------------------------------------------

* Causing local buffer overflows
  - A text box has a set size of 10, and the program (which would probably have to be using non-standard methods, encryption progs etc.) grabs the bytes calculated by the length of the textbox string, and stores them in a fixed 10 byte buffer as it expects a max of 10.
  - We set the size to be larger than 10, and hey presto?

brett

> -----Original Message-----
> From: Blue Boar [mailto:BlueBoarat_private]
> Sent: Sunday, 7 July 2002 15:05
> To: vuln-devat_private
> Subject: [Fwd: Re: Windows fuzz]
>
>
> -------- Original Message --------
> Subject: Re: Windows fuzz
> Date: 06 Jul 2002 21:35:33 +0100
> From: Simos Xenitellis <simos74at_private>
> To: Blue Boar <BlueBoarat_private>
> References: <3BDDF748.E13BAD83at_private>
> <1004440837.4618.64.camelat_private>
> <3BDED58F.C3FB7644at_private>
>
> Dear BB,
>
> I eventually managed to publish the mentioned paper and wrote a
> demonstration page at http://www.isg.rhul.ac.uk/~simos/event_demo/
> Feel free to pass the URL to the vuln-dev mailing list if you find it
> suitable.
>
> Best regards,
> Simos Xenitellis
>
> > Great information. You'll please post to the list when you can make it
> > public?
> >
> > BB
> >
> > Simos Xenitellis wrote:
> > >
> > > Hi,
> > > I am writing an academic paper on such vulnerabilities in event-driven
> > > systems and I am sending it tomorrow to a conference for review. :)
> > >
> > > In event-driven systems it is common to be able to send events
> > > (=messages) from unprivileged users to privileged users (guest ->
> > > Administrator). In Windows 2000, an unprivileged process (example:
> > > trojan horse) can enumerate all windows and identify the important ones
> > > for the title bar and so on. Then, it can send events to them with
> > > PostMessage(). There is currently no protection as to who has sent the
> > > message. One can use it to send custom events but the most interesting
> > > aspect is the sending of legitimate messages to instruct the victim to
> > > do things you want it to.
> > >
> > > For example, check WM_TIMER. The second argument is the address of a
> > > function to execute. Thus, you can execute whatever lies in the address
> > > space of the victim.
> > >
> > > Once the paper gets accepted to the conference, I'll make it public.
> > >
> > > simos
> > >
> > > On 2001-10-30 at 00:41, Blue Boar wrote:
> > > > I was looking at this page today:
> > > > http://www.cs.wisc.edu/~bart/fuzz/fuzz-nt.html
> > > > After seeing it referenced in an NTBugtraq post.
> > > >
> > > > Naturally, I got to wondering if the problems described there could
> > > > be taken advantage of for privilege elevation. It would involve
> > > > being able to send Windows messages to another app, probably on the
> > > > same physical machine. Anyone done anything along these lines,
> > > > or can anyone point me at where I can read up on the security
> > > > surrounding message passing?
> > > >
> > > > BB
> > >
> > >
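An added example, not code from anyone in this thread, for the fixed-size buffer scenario brett describes at the top: the receiving program must bound its copy by its own buffer, never by the length limit it set on a UI control, because that limit lives in the control and any process able to message the control can change it. The control is modelled as a plain struct so it builds without Win32; `edit_control`, `read_field` and `overflow_bytes_if_trusted` are names made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 10   /* the application's assumed maximum text length */

/* Constructed stand-in for an edit control (no Win32 here): the limit the
 * application set and the text the box now holds. Any process that can
 * message the control may raise that limit, so `text` is untrusted. */
struct edit_control {
    size_t limit;
    const char *text;
};

/* The pattern from the thread: trust the limit and copy strlen(text)+1 bytes
 * into a FIELD_MAX-byte buffer. Instead of performing that copy (the overflow
 * itself), report how many bytes would land past the buffer; 0 means it fits. */
size_t overflow_bytes_if_trusted(const struct edit_control *ctl)
{
    size_t needed = strlen(ctl->text) + 1;
    return needed > FIELD_MAX ? needed - FIELD_MAX : 0;
}

/* Hardened read: bounded by the caller's own buffer, never by ctl->limit, and
 * always NUL-terminated. Returns 1 if the text was truncated (the control's
 * limit is not what the application believes), 0 if it fit, -1 if dst_size==0. */
int read_field(const struct edit_control *ctl, char *dst, size_t dst_size)
{
    if (dst_size == 0)
        return -1;
    size_t len = strlen(ctl->text);
    size_t n = len < dst_size - 1 ? len : dst_size - 1;
    memcpy(dst, ctl->text, n);
    dst[n] = '\0';
    return len > n;
}

/* Constructed samples: a normal entry, and one typed after the limit was raised. */
const struct edit_control sample_ok = { FIELD_MAX, "letmein" };
const struct edit_control sample_tampered = { 64, "0123456789012345678901234" };

int main(void)
{
    char buf[FIELD_MAX + 1];
    printf("trusting the limit would spill %zu bytes\n",
           overflow_bytes_if_trusted(&sample_tampered));
    int truncated = read_field(&sample_tampered, buf, sizeof buf);
    printf("bounded read: truncated=%d text=\"%s\"\n", truncated, buf);
    return 0;
}
```

A non-zero truncation result is the signal that the control's limit was not what the application set, so the input should be rejected rather than silently shortened.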
This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 16:49:42 PDT