lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <KFEMINDBKGBEMHACCJHCCEEKEBAA.brett.moore@security-assessment.com>
From: brett.moore at security-assessment.com (Brett Moore)
Subject: Utility Manager - Failure to drop system privileges

========================================================================
= Utility Manager - Failure to drop system privileges
=
= MS Bulletin posted: April 13, 2004
= http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
=
= Affected Software: 
= 	Microsoft Windows 2000
=
= Public disclosure on April 14, 2004
========================================================================

The Utility Manager has had many privilege escalation vulnerabilities in
the past related to 'shatter attacks'. While investigating further
attack avenues, it was discovered that Utility Manager will launch a
winhlp32 process without dropping privileges. This winhlp32 process could
then be attacked and SYSTEM privileges obtained.

== Description ==

Although Utility Manager drops privileges when loading help files through
the 'Help' button, if the F1 key or the ? button is used to receive
context-sensitive help, winhlp32.exe is loaded with SYSTEM privileges.

Winhlp32.exe loads as a hidden window, which can then be exploited by
sending GDI messages to it. We discovered various 'undocumented' messages
used by winhlp32, including one that passes the address of a structure
containing function pointers. By supplying the address of our own buffer,
execution flow could be redirected into that buffer.

Cesar Cerrudo discovered this independently and exploited the winhlp32
process through a different set of messages.

Both of these methods allow for a local user to execute code with SYSTEM
level rights.

== Solutions ==

- Install the vendor supplied patch.
- Interactive processes should not run under a higher level account.
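The second mitigation is a condition an administrator can audit: no process on the interactive desktop should be running as SYSTEM while owning top-level windows, hidden or not. The PowerShell script below is an added example, not code from the advisory or from Security-Assessment.com; it enumerates every top-level window on the calling thread's desktop through the Win32 EnumWindows API, maps each window back to its process, and reports the processes whose owner is NT AUTHORITY\SYSTEM. The class name Win32Windows and the output column names are my own choices. It must be run elevated, from an interactive session, so that Win32_Process.GetOwner succeeds for processes belonging to other accounts.

```powershell
# Added example (not part of the original advisory): list processes running as
# NT AUTHORITY\SYSTEM that own top-level windows (visible or hidden) on the
# interactive desktop.  Run elevated; EnumWindows only sees the desktop of the
# calling thread, so run this from the interactive session being audited.
Add-Type @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class Win32Windows {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    // pid -> [visible window count, hidden window count]
    public static Dictionary<uint, int[]> WindowsPerProcess() {
        var result = new Dictionary<uint, int[]>();
        EnumWindows((hWnd, lParam) => {
            uint pid;
            GetWindowThreadProcessId(hWnd, out pid);
            if (!result.ContainsKey(pid)) result[pid] = new int[2];
            result[pid][IsWindowVisible(hWnd) ? 0 : 1]++;
            return true;   // keep enumerating
        }, IntPtr.Zero);
        return result;
    }
}
"@

$windows = [Win32Windows]::WindowsPerProcess()

Get-CimInstance Win32_Process | ForEach-Object {
    $proc = $_
    if (-not $windows.ContainsKey([uint32]$proc.ProcessId)) { return }   # no top-level windows
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    if ($owner.ReturnValue -ne 0) { return }   # e.g. access denied for protected processes
    $account = "$($owner.Domain)\$($owner.User)"
    if ($account -ne 'NT AUTHORITY\SYSTEM') { return }
    $counts = $windows[[uint32]$proc.ProcessId]
    [pscustomobject]@{
        Pid            = $proc.ProcessId
        Name           = $proc.Name
        Session        = $proc.SessionId
        Account        = $account
        VisibleWindows = $counts[0]
        HiddenWindows  = $counts[1]
    }
} | Format-Table -AutoSize
```

An empty result is the expected state on a hardened host. Any row, and especially one with a non-zero HiddenWindows count such as the winhlp32 instance the advisory describes, is a process that receives window messages from the interactive user while holding SYSTEM rights, and should be made to run as the interactive user or moved off the interactive desktop.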

== Credit ==

Discovered and reported to Microsoft in October, 2004 by Brett Moore of
Security-Assessment.com

%-) the texan, the ninja and the unconventional.

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, an online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team has previously identified a
number of vulnerabilities in public and private software vendors' products.
