lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <KFEMINDBKGBEMHACCJHCCEEKEBAA.brett.moore@security-assessment.com>
From: brett.moore at security-assessment.com (Brett Moore)
Subject: Utility Manager - Failure to drop system privileges

========================================================================
= Utility Manager - Failure to drop system privileges
=
= MS Bulletin posted: April 13, 2004
= http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
=
= Affected Software:
= Microsoft Windows 2000
=
= Public disclosure on April 14, 2004
========================================================================

The Utility Manager has had many privilege escalation vulnerabilities in the past related to 'shatter attacks'. While investigating further attack avenues, it was discovered that Utility Manager will load a winhlp32 process without dropping privileges. This winhlp32 process could then be attacked and SYSTEM privileges obtained.

== Description ==

Although Utility Manager drops privileges when loading help files through the 'Help' button, if the F1 key or the '?' button is used to receive context-sensitive help, winhlp32.exe is loaded with SYSTEM privileges. Winhlp32.exe loads as a hidden window, which can then be exploited by sending GDI messages to it.

We discovered various 'undocumented' messages used by winhlp32, including one message that passes the address of a structure containing function pointers. By sending the address of our own buffer, execution flow could be redirected into that buffer.

Cesar Cerrudo discovered this independently and exploited the winhlp32 process through a different set of messages. Both methods allow a local user to execute code with SYSTEM-level rights.

== Solutions ==

- Install the vendor-supplied patch.
- Interactive processes should not run under a higher-privileged account.

== Credit ==

Discovered and advised to Microsoft October, 2004 by Brett Moore of Security-Assessment.com

%-) the texan, the ninja and the unconventional.
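The second mitigation above (interactive processes should not run as a higher-privileged account) can be audited directly: any process that owns a top-level window on the user's desktop while running as SYSTEM is exposed to window messages from that user, which is the condition winhlp32.exe was in here. The script below is an added example and is not part of the advisory or of Security-Assessment.com's work. It enumerates every top-level window on the current desktop through user32 EnumWindows, including hidden windows (Get-Process's MainWindowHandle reports only visible ones, so it would miss a window like the one described above), resolves each owning process's account through WMI/CIM, and reports the SYSTEM-owned processes with their visible and hidden window counts. It assumes Windows PowerShell 3 or later; the class and function names are of my own choosing.

```powershell
# Added audit example (not from the advisory): list processes that run as SYSTEM
# and own top-level windows on this desktop, hidden windows included.
Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class TopLevelWindows {
    public struct Entry { public uint Pid; public bool Visible; }
    delegate bool EnumProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    // Every top-level window on the calling thread's desktop, visible or not.
    public static List<Entry> Enumerate() {
        var list = new List<Entry>();
        EnumWindows((h, l) => {
            uint pid; GetWindowThreadProcessId(h, out pid);
            list.Add(new Entry { Pid = pid, Visible = IsWindowVisible(h) });
            return true;
        }, IntPtr.Zero);
        return list;
    }
}
"@

function Get-SystemProcessWithWindow {
    # Map process id -> owner account (DOMAIN\User) via Win32_Process.GetOwner.
    $owner = @{}
    foreach ($p in Get-CimInstance Win32_Process) {
        $r = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($r.ReturnValue -eq 0) { $owner[$p.ProcessId] = "$($r.Domain)\$($r.User)" }
    }

    # Count visible and hidden top-level windows per owning process.
    $byPid = @{}
    foreach ($w in [TopLevelWindows]::Enumerate()) {
        if (-not $byPid.ContainsKey($w.Pid)) { $byPid[$w.Pid] = @{ Visible = 0; Hidden = 0 } }
        if ($w.Visible) { $byPid[$w.Pid].Visible++ } else { $byPid[$w.Pid].Hidden++ }
    }

    # Report only processes whose owner is the local SYSTEM account.
    foreach ($id in $byPid.Keys) {
        if ($owner[$id] -ne 'NT AUTHORITY\SYSTEM') { continue }
        $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid            = $id
            Name           = if ($proc) { $proc.ProcessName } else { '?' }
            Owner          = $owner[$id]
            VisibleWindows = $byPid[$id].Visible
            HiddenWindows  = $byPid[$id].Hidden
        }
    }
}

Get-SystemProcessWithWindow | Sort-Object Name | Format-Table -AutoSize
```

Run it from the interactive user's session; it needs no elevation, since the point is what an ordinary user can see. Any row it prints is a SYSTEM process sharing the user's desktop, and a row with hidden windows only is exactly the shape of the winhlp32 case. On Windows 2000, the affected platform, services and the console user share session 0 and its default desktop, so this condition was common; on Vista and later, session 0 isolation keeps service windows off the user's desktop, and the remaining findings are usually privileged helpers started as SYSTEM inside the user's own session.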
== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security code review, and leads the world with SA-ISO, an online ISO17799 compliance management solution. Security-Assessment.com is committed to security research and development, and its team has previously identified a number of vulnerabilities in public and private software vendors' products.