[NT] Microsoft Windows Utility Manager Vulnerability (MS04-11)
From: SecuriTeam (support_at_securiteam.com)
Date: 04/18/04
To: list@securiteam.com Date: 18 Apr 2004 12:09:21 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Windows Utility Manager Vulnerability (MS04-11)
------------------------------------------------------------------------
SUMMARY
A local elevation of privileges vulnerability exists in the Windows
Utility Manager that allows any user to take complete control over the
operating system.
DETAILS
Microsoft Windows 2000 contains support for Accessibility options within
the operating system. Accessibility support is a series of human-assisting
technologies within Windows that allow users with disabilities to still be
able to access the functions of the operating system. Accessibility
support is enabled or disabled through shortcuts built into the operating
system, or through the Accessibility Utility Manager. The Utility Manager
is an accessibility utility that allows users to check the status of
Accessibility programs (Magnifier, Narrator, On-Screen Keyboard) and start
or stop them. The Utility Manager can be invoked by pressing Windows Key +
U or executing "utilman.exe /start" from the command line. The Utility
Manager Service is enabled by default and runs in the interactive desktop
with Local System privileges.
The Utility Manager has support for context-sensitive help. Users can
access this by clicking the "?" on the title bar and then on an object,
or by pressing the F1 key after selecting an object. In order to display
the help, Utility Manager loads winhlp32.exe but does not drop System
privileges. Therefore, winhlp32.exe is executed under the Local System
account. While winhlp32.exe is executing it is possible to send Windows
messages to it and attack it with "Shatter" style attacks.
Winhlp32.exe is executed with its main window hidden, but it is trivial
to make it visible. Once the window is made visible, a typical attack
would involve using the "File Open" dialog to execute a program such as
"cmd.exe." Since the Help window has Local System privileges, the
executed program will have the same privileges.
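
For detection, the process chain described above (utilman.exe starting
winhlp32.exe as Local System, and any program launched from that help
window inheriting the account) can be looked for in process-creation data.
The following is an added example, not part of the original advisory; the
record fields and the sample events are constructed assumptions.

```python
import ntpath

SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed process-creation records (field names are assumptions for this
# example, not a real Windows audit schema).
SAMPLE_EVENTS = [
    {"pid": 220, "ppid": 0, "image": r"C:\WINNT\system32\services.exe", "user": SYSTEM},
    {"pid": 640, "ppid": 220, "image": r"C:\WINNT\system32\utilman.exe", "user": SYSTEM},
    {"pid": 912, "ppid": 640, "image": r"C:\WINNT\winhlp32.exe", "user": SYSTEM},
    {"pid": 1044, "ppid": 912, "image": r"C:\WINNT\system32\cmd.exe", "user": SYSTEM},
    {"pid": 1300, "ppid": 0, "image": r"C:\WINNT\explorer.exe", "user": r"LAB\alice"},
    {"pid": 1312, "ppid": 1300, "image": r"C:\WINNT\winhlp32.exe", "user": r"LAB\alice"},
    {"pid": 1320, "ppid": 1300, "image": r"C:\WINNT\system32\cmd.exe", "user": r"LAB\alice"},
]


def lineage(event, by_pid):
    """Return image base names from the process up to its oldest known ancestor."""
    names, seen = [], set()
    while event is not None and event["pid"] not in seen:
        seen.add(event["pid"])  # guard against loops caused by PID reuse
        names.append(ntpath.basename(event["image"]).lower())
        event = by_pid.get(event["ppid"])
    return names


def find_alerts(events):
    """Flag SYSTEM processes that are, or descend from, a help viewer started by utilman.exe."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["user"] != SYSTEM:
            continue  # help opened from a normal user session is expected
        names = lineage(e, by_pid)
        for i in range(len(names) - 1):
            if names[i] == "winhlp32.exe" and names[i + 1] == "utilman.exe":
                kind = "help-viewer-as-system" if i == 0 else "child-of-system-help-viewer"
                alerts.append((e["pid"], names[0], kind))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```
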
Solution:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
ADDITIONAL INFORMATION
The information has been provided by Vivek Rathod
<vrathod@appsecinc.com> (Application Security, Inc.).