Re: White paper: Exploiting the Win32 API.

[Roland Kaufmann <roland () ii uib no>]

In-Reply-To: <katvkuk81lk8srfaf2knq46of6k6jses1k () 4ax com>

> 3)  Microsoft cannot fix these vulnerabilities.  These are inherent
> flaws in the design and operation of the Win32 API.  This is not a
> bug that can be fixed with a patch.

I would like to rebut this statement. The vulternability seems to
depend on the usage of the WM_TIMER message to execute arbitrary
data that has been put in the target process' address space.

The following four patches would seem to remove this capability:

(a) The memory page where the edit box store the message should not 
be marked as executable but only as read/write. Even if the application
copies this memory, it should still be to a page marked as not
executable.

(b) WM_TIMER messages are posted to the message queue and can be
filtered by the application, as stated in the documentation for
this message. The application can have a list over timers and check
this for validity. (Moral of the story: Don't trust window message
parameters any more than user input).

(c) lParam may only be a value that has previously been registered
by SetTimer. GetMessage/PeekMessage or SendMessage/PostMessage can
be modified to verify this. (There has to be a list of timers for
the application somewhere)

(d) SendMessage/PostMessage could be modified to not dispatch or
GetMessage/PeekMessage could be modified to drop WM_TIMER messages 
(or any messages that takes addresses, like EM_GETLINE) to windows 
belonging to processes other than itself.