Full Disclosure mailing list archives

Re: Process Killing - Playing with PostThreadMessage


From: Georgi Guninski <guninski () guninski com>
Date: Thu, 2 Oct 2003 13:30:22 +0300

On Thu, 2 Oct 2003 17:28:14 +1200
"Brett Moore" <brett.moore () security-assessment com> wrote:


It appears from our testing that any thread running under any security
level will accept a WM_QUIT message, causing the process to terminate.


...
 
While this does not have the security implications of 'privilege escalation'
attacks, it may cause some concerns under certain circumstances.


In some circumstances this could probably be used for privilege escalation.
In windoze a process may escalate its privileges if a more privileged process writes to its named pipes. So if you manage to kill a process which holds an important named pipe, then create the same named pipe, and then someone writes to your named pipe, you may elevate your privileges.
You may check http://www.guninski.com/dr07.html for an old demo.

georgi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
