lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <11352F9641010A418AD5057945A3A6591F1251@MTV-EXCHANGE.microfocus.com>
Date: Fri, 2 Dec 2005 06:41:18 -0800
From: "Michael Wojcik" <Michael.Wojcik@...rofocus.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Microsoft Windows CreateRemoteThread Exploit


> From: q7x@...iyane.com [mailto:q7x@...iyane.com] 
> Sent: Thursday, 01 December, 2005 05:02
>
>   Description:
>    when the one process open with  OpenProcess function and 
> use CreateRemoteThread(Process,0,0,x,0,0,0) then the process crash.
>    an example hackers can use this method for kill firewalls 
> and antiviruses

If an attacker can successfully call OpenProcess() on a process with
arbitrary access, then they can just request PROCESS_TERMINATE access
and terminate the process with TerminateProcsss().  Other attacks are
obviously possible with other forms of access.

I don't see how this particular feature is a vulnerability unless an
attacker can somehow perform a successful OpenProcess() but only with
PROCESS_CREATE_THREAD access.  And even then, why couldn't the attacker
just do:

CreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)_exit,
NULL, 0, NULL);

or indeed create a remote thread with any other useful function the
process has mapped?

This "exploit" boils down to "if I can make a process call address 0, I
can cause an exception in it".  Well, sure.  If you can make a process
execute arbitrary code, you can do all sorts of things.

An attacker who can successfully open a security-critical process has
already won.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ