Full Disclosure mailing list archives
SetWindowLong Shatter Attacks
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Thu, 14 Oct 2004 12:13:42 +1300
======================================================================== = SetWindowLong Shatter Attacks = = MS Bulletin posted: = http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx = = Affected Software: = Microsoft Windows 98, 98SE, ME = Microsoft Windows NT 4.0 = Microsoft Windows 2000 Service Pack 4 = Microsoft Windows XP, Microsoft Windows XP Service Pack 1 = Microsoft Windows Server 2003 = = Public disclosure on October 14, 2004 ======================================================================== == Overview == As explained in my presentation at Blackhat earlier this year, attacks against the windows GUI do not stop with sending messages. In that presentation I talked about the exploitative usage of the SetProp() API method. The SetWindowLong()/SetWindowLongPtr() API's can also be used to exploit certain applications for arbitrary advantage. What advantage depends heavily on the application been targeted. == Background == The SetWindowLong() function is documented in MSDN as; ------------------------------------------------------------------------- The SetWindowLong function changes an attribute of the specified window. The function also sets a 32-bit (long) value at the specified offset into the extra window memory of a window. LONG SetWindowLong( HWND hWnd, // handle of window int nIndex, // offset of value to set LONG dwNewLong // new value ); Parameters hWnd Handle to the window and, indirectly, the class to which the window belongs. nIndex Specifies the zero-based offset to the value to be set. Valid values are in the range zero through the number of bytes of extra window memory, minus 4; for example, if you specified 12 or more bytes of extra memory, a value of 8 would be an index to the third 32-bit integer. To set any other value, specify one of the following values: Value Action GWL_EXSTYLE Sets a new extended window style. GWL_STYLE Sets a new window style. GWL_WNDPROC Sets a new address for the window procedure. GWL_HINSTANCE Sets a new application instance handle. GWL_ID Sets a new identifier of the window. GWL_USERDATA Sets the 32-bit value associated with the window. Each window has a corresponding 32-bit value intended for use by the application that created the window. The following values are also available when the hWnd parameter identifies a dialog box: Value Action DWL_DLGPROC Sets the new address of the dialog box procedure. DWL_MSGRESULT Sets the return value of a message processed in the dialog box procedure. DWL_USER Sets new extra information that is private to the application, such as handles or pointers. dwNewLong Specifies the replacement value. Remarks The SetWindowLong function fails if the window specified by the hWnd parameter does not belong to the same process as the calling thread. ------------------------------------------------------------------------- The functions compliment is the GetWindowLong() function, which is used to retrieve a value. Even though the remarks section is documented as written above, it is not a true statement. As with the SendMessage() function (as used by standard shatter attacks) any user can call the SetWindowLong() function to alter the data stored in the window memory. == Exploitation == We founds multiple third party and core windows services that used the memory space pointed to by the GWL_USERDATA, to store specific data. In some cases this data could be manipulated to gain execution control. Since each application stores different information in this memory and therefore the exploitation differs, we can not explain them all. We will however give a quick example of how execution control could be obtained. We discovered that [Service X], that did not normally have a window, could be enticed into generating an error that would display a window. The service stored a pointer to a lookup table in the window memory pointed to by GWL_USERDATA. This lookup table held the address of functions, and was later used to retrieve an address and pass it to a CALL instruction. By using the process mapped heap, as explained in my Blackhat presentation, it was possible to place our shellcode into a known location. We could also construct a new lookup table, pointing to our shellcode, in a known location. Then by using SetWIndowLongPtr() API we replaced the pointer to the lookup table with the address of our new lookup table. The service would use our lookup table and execution would therefore reach the shellcode. == Solutions == - Install the vendor supplied patch. - Interactive processes should not run under a higher level account. == Credit == Discovered and advised to Microsoft Feburary 05, 2004 by Brett Moore of Security-Assessment.com %-) Ceaser, Derek and all others working on new explotation methods.. == About Security-Assessment.com == Security-Assessment.com is a leader in intrusion testing and security code review, and leads the world with SA-ISO, online ISO17799 compliance management solution. Security-Assessment.com is committed to security research and development, and its team have previously identified a number of vulnerabilities in public and private software vendors products. ###################################################################### CONFIDENTIALITY NOTICE: This message and any attachment(s) are confidential and proprietary. They may also be privileged or otherwise protected from disclosure. If you are not the intended recipient, advise the sender and delete this message and any attachment from your system. If you are not the intended recipient, you are not authorised to use or copy this message or attachment or disclose the contents to any other person. Views expressed are not necessarily endorsed by Security-Assessment.com Limited. Please note that this communication does not designate an information system for the purposes of the New Zealand Electronic Transactions Act 2003. ###################################################################### _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- SetWindowLong Shatter Attacks Brett Moore (Oct 14)