Vulnerability Development mailing list archives

[Fwd: Re: Windows fuzz]


From: Blue Boar <BlueBoar () thievco com>
Date: Sat, 06 Jul 2002 20:04:56 -0700

-------- Original Message --------
Subject: Re: Windows fuzz
Date: 06 Jul 2002 21:35:33 +0100
From: Simos Xenitellis <simos74 () gmx net>
To: Blue Boar <BlueBoar () thievco com>
References: <3BDDF748.E13BAD83 () thievco com> <1004440837.4618.64.camel () pc96 ma rhul ac uk> <3BDED58F.C3FB7644 () thievco com>

Dear BB,

I eventually managed to publish the mentioned paper and wrote a
demonstration page at http://www.isg.rhul.ac.uk/~simos/event_demo/
Feel free to pass the URL to the vuln-dev mailing list if you find it
suitable.

Best regards,
Simos Xenitellis

> Great information.  You'll please post to the list when you can make it
> public?
> BB
>
> Simos Xenitellis wrote:
> >
> > Hi,
> > I am writing an academic paper on such vulnerabilities in event-driven
> > systems and I am sending it tomorrow to a conference for review. :)
> >
> > In event-driven systems it is common to be able to send events
> > (=messages) from unprivileged users to privileged users (guest ->
> > Administrator). In Windows 2000, an unprivileged process (example:
> > trojan horse) can enumerate all windows and identify the important ones
> > for the title bar and so on. Then, it can send events to them with
> > PostMessage(). There is currently no protection as to who has sent the
> > message. One can use it to send custom events but the most interesting
> > aspect is the sending of legitimate messages to instruct the victim to
> > do things you want it to.
> >
> > For example, check WM_TIMER. The second argument is the address of a
> > function to execute. Thus, you can execute whatever lies in the address
> > space of the victim.
> >
> > Once the paper gets accepted to the conference, I'll make it public.
> >
> > simos
> >
> > On 2001-10-30 at 00:41, Blue Boar wrote:
> > > I was looking at this page today:
> > > http://www.cs.wisc.edu/~bart/fuzz/fuzz-nt.html
> > > After seeing it referenced in an NTBugtraq post.
> > >
> > > Naturally, I got to wondering if the problems described there could
> > > be taken advantage of for privilege elevation.  It would involve
> > > being able to send Windows messages to another app, probably on the
> > > same physical machine.  Anyone done anything along these lines,
> > > or can anyone point me at where I can read up on the security
> > > surrounding message passing?
> > >
> > >                               BB
> > >
>
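One application-side mitigation for the WM_TIMER case Simos describes, written here as an added example (it is not code from the thread, the paper or the demo page): DispatchMessage() calls the TIMERPROC address carried in a WM_TIMER message's lParam, so a window that receives a forged message will execute whatever address it names. A message pump can refuse to dispatch any WM_TIMER whose (timer id, callback) pair the process did not register itself through SetTimer(). The names timer_registry, register_timer, clear_timers and should_dispatch are assumed for the example, and on non-Windows hosts a minimal stand-in for the Win32 MSG type is defined so the filter logic compiles portably.

```c
/* Message-pump filter for WM_TIMER (added example, not the thread's code).
 * Only WM_TIMER messages whose (id, callback) pair this process created
 * itself are allowed through to DispatchMessage(). */
#include <stddef.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-in for the Win32 types, constructed so the logic builds off Windows. */
typedef void *HWND;
typedef unsigned int UINT;
typedef uintptr_t WPARAM;
typedef intptr_t LPARAM;
typedef struct { HWND hwnd; UINT message; WPARAM wParam; LPARAM lParam; } MSG;
#define WM_TIMER 0x0113
#endif

#define MAX_TIMERS 16

/* One entry per timer this process registered with SetTimer(). */
struct timer_entry { WPARAM id; LPARAM callback; int in_use; };
static struct timer_entry timer_registry[MAX_TIMERS];

/* Forget all registered timers (used when the application shuts down
 * or, here, to reset state between checks). */
void clear_timers(void) {
    for (size_t i = 0; i < MAX_TIMERS; i++) timer_registry[i].in_use = 0;
}

/* Record a timer the application created itself. callback is the TIMERPROC
 * passed to SetTimer(), or 0 when the timer is handled in the window
 * procedure instead. Returns 1 on success, 0 if the registry is full. */
int register_timer(WPARAM id, LPARAM callback) {
    for (size_t i = 0; i < MAX_TIMERS; i++) {
        if (!timer_registry[i].in_use) {
            timer_registry[i].id = id;
            timer_registry[i].callback = callback;
            timer_registry[i].in_use = 1;
            return 1;
        }
    }
    return 0;
}

/* Returns 1 if msg may be handed to DispatchMessage(), 0 if it should be
 * dropped. Messages other than WM_TIMER pass through unchanged. */
int should_dispatch(const MSG *msg) {
    if (msg->message != WM_TIMER) return 1;
    /* No callback pointer: DispatchMessage() only reaches the WndProc,
     * which must treat the timer id as untrusted input like any other. */
    if (msg->lParam == 0) return 1;
    for (size_t i = 0; i < MAX_TIMERS; i++) {
        if (timer_registry[i].in_use &&
            timer_registry[i].id == msg->wParam &&
            timer_registry[i].callback == msg->lParam)
            return 1;
    }
    /* Callback address was never registered by this process: do not run it. */
    return 0;
}

#ifdef _WIN32
/* Usage inside a real Win32 message loop (compiled only on Windows). */
void run_filtered_pump(void) {
    MSG msg;
    while (GetMessage(&msg, NULL, 0, 0) > 0) {
        if (!should_dispatch(&msg)) continue;   /* drop unregistered TIMERPROC */
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
}
#endif
```

The filter sits in front of DispatchMessage() because that is where the lParam callback is invoked; a check inside the window procedure would run too late. It does not authenticate the sender (the thread notes the window manager gives no such information), it only refuses to execute a callback address the process never handed to SetTimer().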
