[NT] Microsoft Window Utility Manager Local Elevation of Privileges (MS04-019)

From: SecuriTeam (support_at_securiteam.com)
Date: 07/14/04

  • Next message: SecuriTeam: "[REVS] 0x00 vs ASP File Upload Scripts"
    To: list@securiteam.com
    Date: 14 Jul 2004 10:21:13 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      Microsoft Window Utility Manager Local Elevation of Privileges (MS04-019)


    A local elevation of privileges exists in the Windows Utility Manager
    which allows any user to take complete control over the operating system.
    This vulnerability affects the Windows 2000 operating system family.


    The Microsoft Windows 2000 operating system family supports a feature
    called Accessibility Options. Accessibility Options are a series of
    technologies that assist users within Windows. The aim of these
    technologies is to help users with disabilities access the functions of
    the operating system. They can be enabled or disabled using shortcuts
    built into the operating system or through the Accessibility Utility
    Manager. The Accessibility Utility Manager allows users to start, stop, or
    monitor accessibility programs such as Microsoft Magnifier, Narrator,
    On-Screen Keyboard, etc... The Utility Manager can be invoked by pressing
    <Windows key>+U or, if the user is an Administrator, by executing
    "utilman.exe /start" from the command line. The Utility Manager runs as a
    Windows service enabled by default. When executed it runs within the
    interactive desktop with Local System privileges.

    Utility Manager supports context sensitive help which was accessed by
    clicking the "?" on the title bar of the Utility Manager window and then
    clicking an object or by pressing F1 key after selecting an object. To
    display the context sensitive help, Utility Manager loaded winhlp32.exe.
    However it did not drop System privileges when doing so meaning that
    winhlp32.exe was executed under the Local System account. Microsoft fixed
    this vulnerability with patch MS04-011. The patch failed to fix the
    problem because it only removed the context sensitive help from the
    Utility Manager GUI preventing help from being invoked from the main
    screen. However, the patch did not remove/disable the functionality used
    by the application to launch the context sensitive help (see for more
    details). Utility Manager continues to load winhlp32.exe without dropping
    privileges meaning that winhlp32.exe is still run under Local System
    account. A user need only to send several Windows messages and
    winhlp32.exe will be launched. From there, the user can open any file as a
    Local System account.

    To exploit the vulnerability, an attacker would need only to run the
    following code:
    //get window handle
    lHandle=FindWindow(NULL, "Utility Manager");
    //send right click on the app button in the taskbar or Alt+Space Bar
    //send WM_COMMANDHELP 0x0365 lParam must be<>NULL

    After this code has been executed, winhlp32.exe will ask the attacker to
    locate the umandlg.hlp help file. The attacker can then select "Yes" and
    an Open dialog will be shown. The attacker can then search and select
    cmd.exe. The attacker will then have a shell running under Local System

    It seems that Visual C++ MFC (Microsoft Foundation Class) (see) will
    automatically include help functionality in an application regardless of
    whether or not this functionality will be utilized. Therefore, when coding
    desktop applications that will run with elevated privileges, remove all
    help functionality or drop account privileges before loading the help.

    Disable Utility Manager Service.



    (Previous vulnerability)
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en> http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

    (Current vulnerability)
    <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcmfc98/html/_mfcnotes_tn028.asp> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcmfc98/html/_mfcnotes_tn028.asp
    <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore98/HTML/_core_help.3a_.f1_and_shift.2b.f1_help.asp> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore98/HTML/_core_help.3a_.f1_and_shift.2b.f1_help.asp
    3. <http://www.microsoft.com/technet/security/bulletin/ms04-019.mspx>

    The information has been provided by <mailto:vrathod@appsecinc.com> Vivek
    Rathod (Application Security, Inc.).


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[REVS] 0x00 vs ASP File Upload Scripts"