White paper: Exploiting the Win32 API.

From: Chris Paget (ivegotta@TOMBOM.CO.UK)
Date: 08/08/02


Date:         Thu, 8 Aug 2002 11:17:27 +0100
From: Chris Paget <ivegotta@TOMBOM.CO.UK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I've been asked to repost this here for those who don't read the more
general Bugtraq list...

Chris

-- 
Chris Paget
ivegotta@tombom.co.uk

I have written a white paper documenting what I believe is the first public example of a new class of attacks against the Win32 API. This particular attack exploits major design flaws in the Win32 API in order for a local user to escalate their privileges, either from the console of a system or on a Terminal Services link. The paper is available at http://security.tombom.co.uk/shatter.html

In order to pre-empt some of the inevitable storm about responsible disclosure, let me point out the following.

1) The Win32 API has been in existence since the days of Windows NT3.1, back in July 1993. These vulnerabilities have been present since then.

2) Microsoft have known about these vulnerabilities for some time. This research was sparked by comments by Jim Allchin talking under oath at the Microsoft / DoJ trial some 3 months ago. http://www.eweek.com/article2/0,3959,5264,00.asp Given the age of the Win32 API, I would be highly surprised if they have not known about these attacks for considerably longer.

3) Microsoft cannot fix these vulnerabilities. These are inherent flaws in the design and operation of the Win32 API. This is not a bug that can be fixed with a patch.

4) The white paper documents one example of this class of flaws. They have been discussed before on Bugtraq, however to my knowledge there have been no public working exploits. I have just documented one way to get this thing working.

5) This is not a bug. This is a new class of vulnerabilities, like a buffer overflow attack or a format string attack. As such, there is no specific vendor to inform, since it affects every software maker who writes products for the Windows platform. A co-ordinated release with every software vendor on the planet is impossible.

Chris

-- 
Chris Paget
ivegotta@tombom.co.uk