Microsoft Window Utility Manager Local Elevation of Privileges

From: Vivek Rathod (Application Security, Inc.) (
Date: 07/13/04

  • Next message: phrack staff: "phrack #62 has been released"
    Date: Tue, 13 Jul 2004 16:00:33 -0400

    Microsoft Window Utility Manager Local Elevation of Privileges

    July 13, 2004

    Credit: This vulnerability was researched and discovered by Cesar Cerrudo.

    Risk Level: High

    Summary: A local elevation of privileges exists in the Windows Utility
    Manager which allows any user to take complete control over the
    operating system. This vulnerability affects the Windows 2000 operating
    system family.

    The Microsoft Windows 2000 operating system family supports a feature
    called Accessibility Options. Accessibility Options are a series of
    assistive technologies within Windows that help users with disabilities
    access the functions of the operating system. They can be enabled or
    disabled using shortcuts built into the operating system or through the
    Accessibility Utility Manager. The Accessibility Utility Manager allows
    users to start, stop, or monitor accessibility programs such as
    Microsoft Magnifier, Narrator, On-Screen Keyboard, etc... The Utility
    Manager can be invoked by pressing <Windows key>+U or, if the user is an
    Administrator, by executing "utilman.exe /start" from the command line.
    The Utility Manager runs as a Windows service enabled by default. When
    executed it runs within the interactive desktop with Local System

    Utility Manager supports context sensitive help which was accessed by
    clicking the "?" on the title bar of the Utility Manager window and then
    clicking an object or by pressing F1 key after selecting an object. To
    display the context sensitive help, Utility Manager loaded
    winhlp32.exe. However it did not drop System privileges when doing so
    meaning that winhlp32.exe was executed under the Local System account.
    Microsoft fixed this vulnerability with patch MS04-011. The patch failed
    to fix the problem because it only removed the context sensitive help
    from the Utility Manager GUI preventing help from being invoked from the
    main screen. However, the patch did not remove/disable the functionality
    used by the application to launch the context sensitive help (see for
    more details). Utility Manager continues to load winhlp32.exe without
    dropping privileges meaning that winhlp32.exe is still run under Local
    System account. A user need only to send several Windows messages and
    winhlp32.exe will be launched. From there, the user can open any file
    as a Local System account.

    To exploit the vulnerability, an attacker would need only to run the
    following code:

    //get window handle
    lHandle=FindWindow(NULL, "Utility Manager");
    //send right click on the app button in the taskbar or Alt+Space Bar
    //send WM_COMMANDHELP 0x0365 lParam must be<>NULL

    After this code has been executed, winhlp32.exe will ask the attacker to
    locate the umandlg.hlp help file. The attacker can then select "Yes" and
    an Open dialog will be shown. The attacker can then search and select
    cmd.exe. The attacker will then have a shell running under Local System

    It seems that Visual C++ MFC (Microsoft Foundation Class) (see ) will
    automatically include help functionality in an application regardless of
    whether or not this functionality will be utilized. Therefore, when
    coding desktop applications that will run with elevated privileges,
    remove all help functionality or drop account privileges before loading
    the help.

    (Previous vulnerability)

    (Current vulnerability)

    Disable Utility Manager Service.


    Thanks to Brett Moore and Esteban Martinez Fayo.

    AppSecInc Team SHATTER
    Tel: 1-866-927-7732
    Application Security, Inc.
    "Securing Business by Securing Enterprise Applications"

  • Next message: phrack staff: "phrack #62 has been released"

    Relevant Pages