lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <407EAE30.1000800@appsecinc.com> From: vrathod at appsecinc.com (Vivek Rathod (Application Security, Inc.)) Subject: [SHATTER Team Security Alert] Microsoft Windows Utility Manager Vulnerability Microsoft Windows Utility Manager Vulnerability April 13, 2004 Risk Level: High Summary: A local elevation of privileges vulnerability exists on the Windows Utility Manager that allows to any user to take complete control over the operating system. Versions Affected: All products in the Windows 2000 operating system family. Details: Microsoft Windows 2000 contains support for Accessibility options within the operating system. Accessibility support is a series of assistive technologies within Windows that allow users with disabilities to still be able to access the functions of the operating system. Accessibility support is enabled or disabled through shortcuts built into the operating system, or through the Accessibility Utility Manager. The Utility Manager is an accessibility utility that allows users to check the status of Accessibility programs (Magnifier, Narrator, On- Screen Keyboard) and start or stop them. The Utility Manager can be invoked by pressing Windows Key + U or executing "utilman.exe /start" from the command line. The Utility Manager Service is enabled by default and runs in the interactive desktop with Local System privileges. The Utility Manager has support for context sensitive help. Users can access this by clicking in the "?" on the title bar and then on an object or by pressing the F1 key after selecting an object. In order to display the help, Utility Manager loads winhlp32.exe but does not drop System privileges. Therefore, winhlp32.exe is executed under the Local System account. While winhlp32.exe is executing it is possible to send Windows messages to it and attack it with "Shatter" style attacks. Winhlp32.exe is executed with its main window hidden but it is very trivial to make it visible. Once the window is made visible, a typical attack would involve using the ?File Open? dialog to execute a program such as ?cmd.exe.? Since the Help window has Local System privileges, the executed program will have the same privileges. Further information is available at: http://www.appsecinc.com/resources/alerts/general/04-0001.html http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908 http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx Fix: http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en Acknowledgments: Thanks to Cesar Cerrudo and Esteban Martinez Fayo of Application Security, Inc. (http://www.appsecinc.com) and to Brett Moore of Security-Assessment.com (http://security-assessment.com). Please find the proof-of-concept exploit code attached ___________________________________________ AppSecInc Team SHATTER Tel: 1-866-927-7732 E-mail: shatter@...secinc.com Web: www.appsecinc.com Application Security, Inc. "Securing Business by Securing Enterprise Applications" -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: UtilManExploit.c Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040415/fd23caea/UtilManExploit.c
Powered by blists - more mailing lists