Full Disclosure mailing list archives
Utility Manager - Failure to drop system privileges
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Thu, 15 Apr 2004 12:20:57 +1200
========================================================================
= Utility Manager - Failure to drop system privileges
=
= MS Bulletin posted: April 13, 2004
= http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
=
= Affected Software:
= Microsoft Windows 2000
=
= Public disclosure on April 14, 2004
========================================================================

The utility manager has had many privilege escalation vulnerabilities in the past related to 'shatter attacks'. While investigating for more attack avenues it was discovered that utility manager will load a winhlp32 process without dropping privileges. This winhlp32 process could then be attacked and SYSTEM privileges obtained.

== Description ==

Although it drops privileges when loading help files through the 'help' button, if the F1 key or the ? button is used to receive context-sensitive help, winhlp32.exe is loaded with system privileges.

Winhlp32.exe loads as a hidden window which can then be exploited by sending GDI messages to it. We discovered various 'undocumented' messages used by winhlp32, including one message that passes the address of a structure containing function pointers. By sending the address of our own buffer instead, execution flow could be redirected into that buffer.

Cesar Cerrudo discovered this independently and exploited the winhlp32 process through a different set of messages.

Both of these methods allow a local user to execute code with SYSTEM level rights.

== Solutions ==

- Install the vendor-supplied patch.
- Interactive processes should not run under a higher-level account.

== Credit ==

Discovered and advised to Microsoft October, 2004 by Brett Moore of Security-Assessment.com

%-) the texan, the ninja and the unconventional.

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security code review, and leads the world with SA-ISO, an online ISO 17799 compliance management solution.

Security-Assessment.com is committed to security research and development, and its team has previously identified a number of vulnerabilities in public and private software vendors' products.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
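As an added example (not part of the advisory), the following Python script applies the second solution above as a check: it reads process-creation records and flags any child of an interactive SYSTEM launcher such as utilman.exe that was not demoted to the logged-on user, which is exactly the winhlp32.exe case described. The record format, the launcher list and the sample log are assumptions constructed for this example.

```python
import ntpath
from dataclasses import dataclass

# Accounts that must never own a process on the user's desktop.
PRIVILEGED_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}
# Assumed list of SYSTEM launchers that start helpers (help viewers,
# dialogs) for the logged-on user; such helpers must be demoted first.
INTERACTIVE_LAUNCHERS = {"utilman.exe"}

@dataclass(frozen=True)
class ProcEvent:
    time: str
    pid: int
    ppid: int
    image: str
    user: str

def parse_events(lines):
    """Parse constructed 'time|pid|ppid|image|user' records."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        time, pid, ppid, image, user = line.split("|")
        events.append(ProcEvent(time, int(pid), int(ppid), image, user))
    return events

def find_undemoted_children(lines):
    """Return (pid, image, parent image, user) for each child of an
    interactive launcher that still runs under a privileged account."""
    by_pid = {e.pid: e for e in parse_events(lines)}
    findings = []
    for e in by_pid.values():
        parent = by_pid.get(e.ppid)
        if parent is None or ntpath.basename(parent.image).lower() not in INTERACTIVE_LAUNCHERS:
            continue
        if e.user in PRIVILEGED_ACCOUNTS:
            findings.append((e.pid, ntpath.basename(e.image), ntpath.basename(parent.image), e.user))
    return findings

# Constructed sample: utilman itself, an unrelated SYSTEM service child,
# a help viewer correctly demoted to the user, and one left as SYSTEM.
SAMPLE_LOG = """
# time|pid|ppid|image|user
2004-04-14T10:00:00|812|400|C:\\WINNT\\system32\\utilman.exe|NT AUTHORITY\\SYSTEM
2004-04-14T10:00:05|900|600|C:\\WINNT\\system32\\svchost.exe|NT AUTHORITY\\SYSTEM
2004-04-14T10:01:00|1020|812|C:\\WINNT\\winhlp32.exe|CORP\\alice
2004-04-14T10:02:30|1044|812|C:\\WINNT\\winhlp32.exe|NT AUTHORITY\\SYSTEM
""".splitlines()
```

Calling find_undemoted_children(SAMPLE_LOG) returns a single finding, the winhlp32.exe instance with pid 1044; the service child and the correctly demoted help viewer are not reported.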