[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <004001c34802$d0bfefc0$1800a8c0@rosina>
Date: Sat, 12 Jul 2003 00:19:02 +0100
From: David A. Pérez <david@...borio.net>
To: <bugtraq@...urityfocus.com>
Subject: Re: iDEFENSE Security Advisory 07.11.03: Win32 Message Vulnerabilities Redux
> iDEFENSE has published a paper written by Oliver Lavery that clarifies
> what the flaws in the Windows event model are, describes a related
> vulnerability that continues to exist in many popular software products
> and suggests ways in which these "unfixable" flaws might be addressed.
> Titled "Win32 Message Vulnerabilities Redux," the paper is available at
> http://www.idefense.com/idpapers/Shatter_Redux.pdf . The appropriate
> vendors mentioned within received an advance copy of this paper.
Nice document. Few comments on this:
The applications mentioned are intended to be used in non-server machines,
which are the most vulnerable. There are also a lot of aplications that in
most cases run in servers (off the top of my mind, MDaemon, and MTA for
Windows, which also creates a window that interacts with the desktop). This
applications are at least risk because in theory only administrators should
be allowed to log on to servers, but in some situations this is not the
case.
At the end of the day is an user scalates privileges on a workstation, he
won't be able to gain administrator acces to the network, but if that same
users scalates privileges on a server... oh, oh....
In the other hand, we do not need any third application to have a
interactive window running as service, windows provides us with this
"feature" off the shelf. Two examples:
C:\net send 127.0.0.1 Create a doggie window
And if command prompt has been disabled we can use Win+U to get up the
Utility Manager. The Utility Manager is launched by the winlogon process
with SYSTEM privileges and provides access to the "Accesibility tools" (good
title). This "trick" will only work in Windows 2000, it seems that Microsoft
has decided to do a good job and in Windows XP the utility manager is
launched twice, once by the process winlogon with SYSTEM privileges and once
again with user privileges. Only the second process exposes any windows to
the user.
And if any of this is not enough, we can try with the Infrared service, the
NetDDE agent and maybe more...
Salu2,
David A. Pérez
http://www.kamborio.com/
_ _ _
| | __ __ _ _ __ ___ | |__ ___ _ __ (_) ___
| |/ / / _` || '_ ` _ \ | '_ \ / _ \ | '__|| | / _ \
| < | (_| || | | | | || |_) || (_) || | | || (_) |
|_|\_\ \__,_||_| |_| |_||_.__/ \___/ |_| |_| \___/
El perdón es la venganza de los buenos (anónimo)
Powered by blists - more mailing lists