Re: White paper: Exploiting the Win32 API.

From: Andrey Kolishak (andr@SANDY.RU)
Date: 08/08/02

Date:         Thu, 8 Aug 2002 15:03:23 +0200
From: Andrey Kolishak <andr@SANDY.RU>

Nothing new in that issue. WM_TIMER tricks were described by
Matt Pietrek in 1997, in Microsoft's MSJ
(sample included).

So it was noted already at least 5 years before Jim Allchin.
There is also a well-known trick with the SetWindowsHookEx function (exploit
by buLLet) and so forth.

Moreover, the issue was mentioned in the article by Symeon Xenitellis, "A New Avenue of Attack:
Event-driven system vulnerabilities".


CP> I have written a white paper documenting what I believe is the first
CP> public example of a new class of attacks against the Win32 API. This
CP> particular attack exploits major design flaws in the Win32 API in
CP> order for a local user to escalate their privileges, either from the
CP> console of a system or on a Terminal Services link. The paper is
CP> available at

CP> In order to pre-empt some of the inevitable storm about responsible
CP> disclosure, let me point out the following.

CP> 1) The Win32 API has been in existence since the days of Windows
CP> NT3.1, back in July 1993. These vulnerabilities have been present
CP> since then.

CP> 2) Microsoft have known about these vulnerabilities for some time.
CP> This research was sparked by comments by Jim Allchin talking under
CP> oath at the Microsoft / DoJ trial some 3 months ago.
CP>,3959,5264,00.asp Given the age of the
CP> Win32 API, I would be highly surprised if they have not known about
CP> these attacks for considerably longer.

CP> 3) Microsoft cannot fix these vulnerabilities. These are inherent
CP> flaws in the design and operation of the Win32 API. This is not a bug
CP> that can be fixed with a patch.

CP> 4) The white paper documents one example of this class of flaws.
CP> They have been discussed before on Bugtraq, however to my knowledge
CP> there have been no public working exploits. I have just documented
CP> one way to get this thing working.

CP> 5) This is not a bug. This is a new class of vulnerabilities, like a
CP> buffer overflow attack or a format string attack. As such, there is
CP> no specific vendor to inform, since it affects every software maker
CP> who writes products for the Windows platform. A co-ordinated release
CP> with every software vendor on the planet is impossible.

CP> Chris