Bugtraq mailing list archives
Re: White paper: Exploiting the Win32 API.
From: Roland Kaufmann <roland () ii uib no>
Date: 7 Aug 2002 13:49:23 -0000
In-Reply-To: <katvkuk81lk8srfaf2knq46of6k6jses1k () 4ax com>
> 3) Microsoft cannot fix these vulnerabilities. These are inherent flaws in the design and operation of the Win32 API. This is not a bug that can be fixed with a patch.
I would like to rebut this statement. The vulnerability seems to depend on the usage of the WM_TIMER message to execute arbitrary data that has been put in the target process' address space. The following four patches would seem to remove this capability:

(a) The memory page where the edit box stores the message should not be marked as executable but only as read/write. Even if the application copies this memory, it should still be copied to a page marked as not executable.

(b) WM_TIMER messages are posted to the message queue and can be filtered by the application, as stated in the documentation for this message. The application can have a list of timers and check this for validity. (Moral of the story: Don't trust window message parameters any more than user input.)

(c) lParam may only be a value that has previously been registered by SetTimer. GetMessage/PeekMessage or SendMessage/PostMessage can be modified to verify this. (There has to be a list of timers for the application somewhere.)

(d) SendMessage/PostMessage could be modified to not dispatch, or GetMessage/PeekMessage could be modified to drop, WM_TIMER messages (or any messages that take addresses, like EM_GETLINE) to windows belonging to processes other than itself.
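Added example (editor's illustration, not part of Roland's post or of any Microsoft code): a model of mitigations (b) and (c), a filter sitting between GetMessage/PeekMessage and DispatchMessage that only lets a WM_TIMER through when its wParam is a timer id this process registered and its lParam is either 0 or the TIMERPROC recorded for that id. It is written in portable C without windows.h so it builds anywhere; HWND, timer ids and TIMERPROC addresses are modelled as uintptr_t, and the helpers record_set_timer(), record_kill_timer() and allow_message() are hypothetical names standing in for what a patched SetTimer()/KillTimer() and the message-loop check would do. The queued messages in run_demo() are constructed sample input: one legitimate WM_TIMER, one forged WM_TIMER whose lParam points at attacker-controlled bytes, one WM_TIMER with an id the process never created, and one unrelated keyboard message.

```c
/* Model of a WM_TIMER lParam filter (added example, not from the original post).
 * Portable C: Win32 handles and addresses are represented as uintptr_t. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define WM_TIMER   0x0113   /* real Win32 message numbers */
#define WM_KEYDOWN 0x0100
#define MAX_TIMERS 16

struct timer_entry {
    uintptr_t hwnd;   /* window that owns the timer */
    uintptr_t id;     /* timer id passed to SetTimer (arrives as wParam) */
    uintptr_t proc;   /* TIMERPROC address, 0 if the window procedure handles it */
    int       in_use;
};

static struct timer_entry registry[MAX_TIMERS];   /* "the list of timers" from the post */

/* Hypothetical mirror of SetTimer(): the only lParam values we will ever
 * accept in a WM_TIMER are the TIMERPROC addresses recorded here. */
int record_set_timer(uintptr_t hwnd, uintptr_t id, uintptr_t proc)
{
    for (int i = 0; i < MAX_TIMERS; i++)
        if (registry[i].in_use && registry[i].hwnd == hwnd && registry[i].id == id) {
            registry[i].proc = proc;          /* SetTimer on an existing id replaces it */
            return 1;
        }
    for (int i = 0; i < MAX_TIMERS; i++)
        if (!registry[i].in_use) {
            registry[i] = (struct timer_entry){ hwnd, id, proc, 1 };
            return 1;
        }
    return 0;                                  /* table full */
}

/* Hypothetical mirror of KillTimer(): forget the entry so a stale address cannot be replayed. */
int record_kill_timer(uintptr_t hwnd, uintptr_t id)
{
    for (int i = 0; i < MAX_TIMERS; i++)
        if (registry[i].in_use && registry[i].hwnd == hwnd && registry[i].id == id) {
            registry[i].in_use = 0;
            return 1;
        }
    return 0;
}

/* Check applied before DispatchMessage(). Returns 1 if the message may be
 * dispatched, 0 if it must be dropped. Messages other than WM_TIMER pass through. */
int allow_message(uintptr_t hwnd, unsigned msg, uintptr_t wparam, uintptr_t lparam)
{
    if (msg != WM_TIMER)
        return 1;
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (!registry[i].in_use || registry[i].hwnd != hwnd || registry[i].id != wparam)
            continue;
        /* Known timer: lParam must be 0 (no callback) or exactly the registered TIMERPROC. */
        return lparam == 0 || lparam == registry[i].proc;
    }
    return 0;   /* unknown timer id, or an address this process never registered */
}

struct queued_msg { uintptr_t hwnd; unsigned msg; uintptr_t wparam, lparam; };

/* Runs a constructed queue through the filter and returns how many messages were dropped. */
int run_demo(void)
{
    static unsigned char pasted[64];               /* stands in for text an attacker put in an edit control */
    const uintptr_t victim = 0x1000, my_proc = 0x401000;
    const struct queued_msg queue[] = {
        { victim, WM_TIMER,   1,    my_proc },             /* legitimate: matches our SetTimer */
        { victim, WM_TIMER,   1,    (uintptr_t)pasted },   /* forged: lParam points at pasted bytes */
        { victim, WM_TIMER,   7,    0 },                   /* forged: id we never created */
        { victim, WM_KEYDOWN, 0x41, 0 },                   /* unrelated message, passes through */
    };
    int dropped = 0;

    record_set_timer(victim, 1, my_proc);
    for (size_t i = 0; i < sizeof queue / sizeof queue[0]; i++) {
        const struct queued_msg *m = &queue[i];
        int ok = allow_message(m->hwnd, m->msg, m->wparam, m->lparam);
        printf("%s msg=0x%04x wParam=%" PRIuPTR " lParam=0x%" PRIxPTR "\n",
               ok ? "dispatch" : "drop    ", m->msg, m->wparam, m->lparam);
        if (!ok)
            dropped++;
    }
    record_kill_timer(victim, 1);
    return dropped;
}

int main(void)
{
    int dropped = run_demo();
    printf("%d message(s) dropped\n", dropped);
    return dropped == 2 ? 0 : 1;
}
```

The filter rejects a forged lParam even when the attacker guesses a valid timer id, which is the case a plain "do I own this id" check would miss; mitigation (a), making the pasted bytes non-executable, is independent of this check and is not modelled here.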
Current thread:
- White paper: Exploiting the Win32 API. Chris Paget (Aug 06)
- Re: White paper: Exploiting the Win32 API. Chad Loder (Aug 06)
- Re: White paper: Exploiting the Win32 API. Florian Weimer (Aug 06)
- Re: White paper: Exploiting the Win32 API. Andrey Kolishak (Aug 10)
- Re: White paper: Exploiting the Win32 API. Paul Starzetz (Aug 27)
- <Possible follow-ups>
- RE: White paper: Exploiting the Win32 API. John Howie (Aug 06)
- Re: White paper: Exploiting the Win32 API. Chris Paget (Aug 06)
- Re: White paper: Exploiting the Win32 API. Florian Weimer (Aug 06)
- RE: White paper: Exploiting the Win32 API. Marc Maiffret (Aug 10)
- RE: White paper: Exploiting the Win32 API. John Howie (Aug 06)
- Re: White paper: Exploiting the Win32 API. Roland Kaufmann (Aug 07)
- Re: White paper: Exploiting the Win32 API. Adam Megacz (Aug 07)
- Re: White paper: Exploiting the Win32 API. Chris Calabrese (Aug 07)
- Re: White paper: Exploiting the Win32 API. slack3r (Aug 07)
- RE: White paper: Exploiting the Win32 API. Kenn Humborg (Aug 10)
- RE: White paper: Exploiting the Win32 API. John Howie (Aug 07)
- Re: White paper: Exploiting the Win32 API. Simos Xenitellis (Aug 09)
- RE: White paper: Exploiting the Win32 API. Rothe, Greg (G.A.) (Aug 28)
- RE: White paper: Exploiting the Win32 API. Drew (Aug 28)
- Re: White paper: Exploiting the Win32 API. Chris Paget (Aug 29)
- RE: White paper: Exploiting the Win32 API. Drew (Aug 28)