Re: More on Shatter

From: Darryl Luff (darryl@snakegully.nu)
Date: 08/25/02


Date: Mon, 26 Aug 2002 03:00:44 +1000
From: Darryl Luff <darryl@snakegully.nu>
To: HalbaSus <halbasus@go.ro>

HalbaSus wrote:

>I don't want to be rude but... we're talking about a win32 local exploit here
>!!!!
>
...

>3. As long as someone needs physical access for this it's not really such a
>serious problem. Usually when someone has physical access to a computer he
>can do mostly whatever he/she wants. Without using exploits...
>
You don't have to have physical access to run 'local' attacks, you just
need to get your code onto the system and run it. There are any number
of well known ways of doing that. So the problem is whether the context
your injected code or command line runs in has a privileged window
available to it or not.

I'd find it hard to believe that IIS doesn't have at least one
privileged hidden window running. But are they accessible to injected code?

I agree that if you have physical access you've won, but just because
you don't have physical access doesn't mean you've lost.

>4. And probably the most important reason: Shatter is one of those mostly
>harmless yet very neat exploits that you can impress your friends with... or
>
....

I don't think it can be called harmless, and I think that the more
people poke around with the available Windows messages, the more
interesting possibilities will emerge.
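An added example, not code from this thread or from either of its authors, for the question the reply raises: does the desktop your code ends up on contain windows owned by a process running under another account? EnumWindows only walks the caller's own desktop, which is also the only scope a SendMessage-based attack can reach, so whatever it lists with a foreign owner is the kind of "privileged window" being discussed. The namespace/class names, the Get-ProcessOwner and Get-DesktopWindowOwners function names and the output columns are this example's own choices; it is meant to be run unelevated, as the low-privileged account you are evaluating.

```powershell
# Added example (not from the original thread). Lists top-level windows on the
# caller's desktop with the account that owns the creating process, and flags
# the ones that do not belong to the caller. Names below are this example's own.
Add-Type -Namespace ShatterCheck -Name Native -MemberDefinition @'
public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

[DllImport("user32.dll", SetLastError = true)]
public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);

[DllImport("user32.dll")]
public static extern bool IsWindowVisible(IntPtr hWnd);

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetClassName(IntPtr hWnd, System.Text.StringBuilder lpClassName, int nMaxCount);
'@

# Owner of a process, looked up through WMI so the script needs no privileges
# of its own. A non-zero ReturnValue (usually 2, access denied) means the
# caller cannot read that process's token, which already shows it runs in a
# different security context than we do.
function Get-ProcessOwner {
    param([uint32]$ProcessId)
    $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
    if ($null -eq $proc) { return '<exited>' }
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    if ($owner.ReturnValue -ne 0) { return "<unreadable, rc=$($owner.ReturnValue)>" }
    return "$($owner.Domain)\$($owner.User)"
}

function Get-DesktopWindowOwners {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $ownerCache = @{}
    $rows = New-Object System.Collections.Generic.List[object]

    # EnumWindows calls back synchronously on this thread for every top-level
    # window on the calling thread's desktop (hidden ones included).
    $callback = [ShatterCheck.Native+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        [uint32]$procId = 0
        [void][ShatterCheck.Native]::GetWindowThreadProcessId($hWnd, [ref]$procId)
        if (-not $ownerCache.ContainsKey($procId)) {
            $ownerCache[$procId] = Get-ProcessOwner -ProcessId $procId
        }
        # GetWindowText/GetClassName read cached data for foreign windows; they
        # do not deliver a message to the owning process, so nothing can hang.
        $title = New-Object System.Text.StringBuilder 256
        $class = New-Object System.Text.StringBuilder 256
        [void][ShatterCheck.Native]::GetWindowText($hWnd, $title, $title.Capacity)
        [void][ShatterCheck.Native]::GetClassName($hWnd, $class, $class.Capacity)
        $rows.Add([pscustomobject]@{
            HWnd    = ('0x{0:X}' -f $hWnd.ToInt64())
            Pid     = $procId
            Owner   = $ownerCache[$procId]
            Visible = [ShatterCheck.Native]::IsWindowVisible($hWnd)
            Class   = $class.ToString()
            Title   = $title.ToString()
            Foreign = ($ownerCache[$procId] -ne $me)   # owned by another account
        })
        return $true   # keep enumerating
    }
    [void][ShatterCheck.Native]::EnumWindows($callback, [IntPtr]::Zero)
    return $rows
}

# Report only windows whose owning process is not running as the caller.
Get-DesktopWindowOwners |
    Where-Object Foreign |
    Sort-Object Owner, Pid |
    Format-Table HWnd, Pid, Owner, Visible, Class, Title -AutoSize
```

Two caveats when reading the output. The script shows which windows exist on your desktop and who owns them, not which messages they will accept; that still has to be checked per window. And the picture on the Windows versions this thread was written about differs from Windows Vista and later, where services run in session 0 with no windows on the interactive desktop and UIPI blocks most messages sent from a lower integrity level to a higher one, so a modern machine will usually show far fewer foreign windows than a 2002-era one.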