Bugtraq mailing list archives
Re: Microsoft Window Utility Manager Local Elevation of Privileges
From: Chris Paget <ivegotta () tombom co uk>
Date: Wed, 14 Jul 2004 12:58:05 +0100
On Tue, 13 Jul 2004 16:00:33 -0400, you wrote:
> Microsoft Window Utility Manager Local Elevation of Privileges
>
> <snip>
>
> To exploit the vulnerability, an attacker would need only to run the following code: After this code has been executed, winhlp32.exe will ask the attacker to locate the umandlg.hlp help file. The attacker can then select "Yes" and an Open dialog will be shown. The attacker can then search and select cmd.exe. The attacker will then have a shell running under Local System privileges.
This isn't quite right - on my system at least, browsing for cmd.exe in this way generates an error: "The C:\WINNT\system32\cmd.exe file is not a Windows Help file, or the file is corrupted."

That said, the file dialog can be made to display a ListView control (display details rather than a list). This ListView control will accept both WM_SETTEXT (to inject shellcode into the caption of the window) followed by LVM_SORTITEMS (which specifies the address for a sort function) to execute said code. It is a valid method for arbitrary code execution as LocalSystem, but not quite as simply as Vivek makes out.

Chris

--
Chris Paget
ivegotta () tombom co uk
Current thread:
- Microsoft Window Utility Manager Local Elevation of Privileges Vivek Rathod (Application Security, Inc.) (Jul 13)
- Re: Microsoft Window Utility Manager Local Elevation of Privileges Chris Paget (Jul 14)
- Re: Microsoft Window Utility Manager Local Elevation of Privileges KF (lists) (Jul 15)
- Re: Microsoft Window Utility Manager Local Elevation of Privileges Cesar (Jul 17)