Bugtraq mailing list archives
RE: Microsoft Windows CreateRemoteThread Exploit
From: "Michael Wojcik" <Michael.Wojcik () microfocus com>
Date: Fri, 2 Dec 2005 06:41:18 -0800
From: q7x () ashiyane com [mailto:q7x () ashiyane com]
Sent: Thursday, 01 December, 2005 05:02

Description: When a process is opened with the OpenProcess function and CreateRemoteThread(Process,0,0,x,0,0,0) is called on it, the process crashes. For example, attackers can use this method to kill firewalls and antiviruses.
If an attacker can successfully call OpenProcess() on a process with arbitrary access, then they can just request PROCESS_TERMINATE access and terminate the process with TerminateProcess(). Other attacks are obviously possible with other forms of access. I don't see how this particular feature is a vulnerability unless an attacker can somehow perform a successful OpenProcess() but only with PROCESS_CREATE_THREAD access.

And even then, why couldn't the attacker just do:

    CreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)_exit, NULL, 0, NULL);

or indeed create a remote thread with any other useful function the process has mapped?

This "exploit" boils down to "if I can make a process call address 0, I can cause an exception in it". Well, sure. If you can make a process execute arbitrary code, you can do all sorts of things. An attacker who can successfully open a security-critical process has already won.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
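The reply's point is that the access mask granted by OpenProcess() is what decides the outcome: PROCESS_CREATE_THREAD on its own is at least as powerful as PROCESS_TERMINATE, so a defender watching cross-process opens of a security product should treat either bit as "the attacker has already won", not wait for a crash. The script below is an added example written for this archive page, not code from either poster. It decodes a process access mask into the rights from winnt.h, classifies what a holder of that handle can do to the target, and runs that classification over a few constructed log lines in the shape of Sysmon Event ID 10 (ProcessAccess, whose GrantedAccess field is the hex mask). The image paths, the "ExampleAV" product name and the log lines themselves are made up for the example; the treatment of GENERIC_ALL and MAXIMUM_ALLOWED as full access is a triage assumption, since the real mapping is decided by the object's DACL at open time.

```python
"""Classify Windows process-handle access masks and flag dangerous opens of
protected processes. Added example for the Bugtraq thread above; constants
are the process access rights from winnt.h, log lines are constructed."""
import re

# Process-specific access rights (winnt.h)
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_CREATE_PROCESS = 0x0080
PROCESS_SET_INFORMATION = 0x0200
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
SYNCHRONIZE = 0x00100000
# Generic rights: the object manager resolves these against the DACL at open time.
GENERIC_ALL = 0x10000000
MAXIMUM_ALLOWED = 0x02000000

RIGHT_NAMES = {
    PROCESS_TERMINATE: "PROCESS_TERMINATE",
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE",
    PROCESS_CREATE_PROCESS: "PROCESS_CREATE_PROCESS",
    PROCESS_SET_INFORMATION: "PROCESS_SET_INFORMATION",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_SUSPEND_RESUME: "PROCESS_SUSPEND_RESUME",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
    SYNCHRONIZE: "SYNCHRONIZE",
}


def decode_rights(mask):
    """Names of the known rights set in an access mask."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def classify_access(mask):
    """What can the holder of a process handle with this mask do to the target?"""
    # Triage assumption: a caller who asked for GENERIC_ALL / MAXIMUM_ALLOWED and
    # got a handle is treated as having every process-specific right.
    if mask & (GENERIC_ALL | MAXIMUM_ALLOWED):
        mask |= 0xFFFF
    terminate = bool(mask & PROCESS_TERMINATE)
    run_code = bool(mask & PROCESS_CREATE_THREAD)  # CreateRemoteThread needs only this
    write_mem = bool(mask & PROCESS_VM_WRITE) and bool(mask & PROCESS_VM_OPERATION)
    read_mem = bool(mask & PROCESS_VM_READ)
    if terminate or run_code or write_mem:
        verdict = "control"   # can kill or alter the process
    elif read_mem:
        verdict = "read"      # can read memory, e.g. credential scraping
    else:
        verdict = "query"     # query/synchronize only
    return {
        "rights": decode_rights(mask),
        "can_terminate": terminate,
        "can_run_code": run_code,
        "can_write_memory": write_mem,
        "can_read_memory": read_mem,
        # The reply's argument: a thread on _exit() kills as surely as TerminateProcess().
        "effective_kill": terminate or run_code,
        "verdict": verdict,
    }


# Constructed lines in the shape of Sysmon Event ID 10 (ProcessAccess).
LOG_RE = re.compile(
    r"SourceImage=(?P<src>.+?)\s+TargetImage=(?P<dst>.+?)\s+GrantedAccess=(?P<mask>0x[0-9A-Fa-f]+)"
)

SAMPLE_LINES = [
    r"ProcessAccess SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Program Files\ExampleAV\avservice.exe GrantedAccess=0x1410",
    r"ProcessAccess SourceImage=C:\Users\alice\Downloads\tool.exe TargetImage=C:\Program Files\ExampleAV\avservice.exe GrantedAccess=0x2",
    r"ProcessAccess SourceImage=C:\Users\alice\Downloads\tool.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1FFFFF",
    r"ProcessAccess SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Program Files\ExampleAV\avservice.exe GrantedAccess=0x1000",
]
PROTECTED_IMAGES = ["avservice.exe"]  # hypothetical security product process


def triage_process_access(lines, protected_images):
    """Return (source, target, rights) for opens that give control of a protected process."""
    protected = {name.lower() for name in protected_images}
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("dst")
        if target.split("\\")[-1].lower() not in protected:
            continue
        info = classify_access(int(m.group("mask"), 16))
        if info["verdict"] == "control":
            alerts.append((m.group("src"), target, info["rights"]))
    return alerts


if __name__ == "__main__":
    for src, dst, rights in triage_process_access(SAMPLE_LINES, PROTECTED_IMAGES):
        print(f"ALERT: {src} opened {dst} with {', '.join(rights)}")
```

Run as-is, only the second sample line produces an alert: Task Manager's 0x1410 (query plus VM_READ) and svchost's 0x1000 are read/query-only, the 0x1FFFFF open targets an unprotected process, but a mere PROCESS_CREATE_THREAD (0x2) handle to the protected service is flagged, which is exactly the case the reply says is already a full compromise.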