Re: White paper: Exploiting the Win32 API.

From: Andrey Kolishak (andr@SANDY.RU)
Date: 08/08/02


Date:         Thu, 8 Aug 2002 15:03:23 +0200
From: Andrey Kolishak <andr@SANDY.RU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Nothing new in that issue. WM_TIMER tricks were described by
Matt Pietrek in 1997, in Microsoft's MSJ

http://www.microsoft.com/msj/defaultframe.asp?page=/msj/0397/hood/hood0397.htm&nav=/msj/0397/newnav.htm
(sample included)

So it was noted already at least 5 years before Jim Allchin.
There is also a well-known trick with the SetWindowsHookEx function (exploit
sample http://www.uinc.ru/scripts/load.cgi?articles/19/InjectDLL.zip
by buLLet) and so forth.

Moreover, the issue was mentioned in the article by Symeon Xenitellis "A New Avenue of Attack:
Event-driven system vulnerabilities" http://www.isg.rhul.ac.uk/~simos/event_demo/

 Andrey mailto:andr@sandy.ru

CP> I have written a white paper documenting what I believe is the first
CP> public example of a new class of attacks against the Win32 API. This
CP> particular attack exploits major design flaws in the Win32 API in
CP> order for a local user to escalate their privileges, either from the
CP> console of a system or on a Terminal Services link. The paper is
CP> available at http://security.tombom.co.uk/shatter.html

CP> In order to pre-empt some of the inevitable storm about responsible
CP> disclosure, let me point out the following.

CP> 1) The Win32 API has been in existence since the days of Windows
CP> NT3.1, back in July 1993. These vulnerabilities have been present
CP> since then.

CP> 2) Microsoft have known about these vulnerabilities for some time.
CP> This research was sparked by comments by Jim Allchin talking under
CP> oath at the Microsoft / DoJ trial some 3 months ago.
CP> http://www.eweek.com/article2/0,3959,5264,00.asp Given the age of the
CP> Win32 API, I would be highly surprised if they have not known about
CP> these attacks for considerably longer.

CP> 3) Microsoft cannot fix these vulnerabilities. These are inherent
CP> flaws in the design and operation of the Win32 API. This is not a bug
CP> that can be fixed with a patch.

CP> 4) The white paper documents one example of this class of flaws.
CP> They have been discussed before on Bugtraq, however to my knowledge
CP> there have been no public working exploits. I have just documented
CP> one way to get this thing working.

CP> 5) This is not a bug. This is a new class of vulnerabilities, like a
CP> buffer overflow attack or a format string attack. As such, there is
CP> no specific vendor to inform, since it affects every software maker
CP> who writes products for the Windows platform. A co-ordinated release
CP> with every software vendor on the planet is impossible.

CP> Chris


