Vulnerability Development mailing list archives
Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability
From: Simon <simos74 () gmx net>
Date: Tue, 05 Oct 2004 20:03:16 +0100
miguel.dilaj () pharma novartis com wrote:
Looks like a usability versus security issue, where usability takes priority.Hi Tony,I used a similar trick in the past to deactivate McAffee 4.x (needed to use some xploits like Debploit and runasx in WinNT4, at that time the only protection was the antivirus, now we migrated to XP). The configuration GUI was password protected, and even when the passwords were show as asterisks tools to reveal passwords hidden by asterisks only show a dummy string ('12345678'). But tools to activate greyed controls worked like a charm, so in fact it was possible to activate them and change the settings, deactivate the AV, etc. The tool I used for the trick was VeoVeo, a Spanish tool available at www.hackindex.org (that has functionalities to reveal passwords hidden by asterisks, activate greyed controls, activate greyed menu items, and a simple keylogger that doesn't need administrative privileges to be installed/used). The point for me is that, even when NAI commit a mistake by providing the configuration GUI to be available for control activation, the real problem is Windows (IMHO) that allows that, not the antivirus itself. With the same kind of "tricks" you can go activating controls all along your Windoze applications, with more than unpredictable results ;-)
In Windows you can programmatically list (enumerate) all available windows and retrieve their window handles. From this window handle, you can obtain attribute information such as caption name, location, parent/children, etc.
You can also use it to send your own window events, even custom ones.In essense, you can use events as an additional "input" to attack an application, along with the inputs described in the excellent Secure Programming for Linux and Unix HOWTO (http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/input.html)
Microsoft seems to have realised that trying to write "privileged" programs that take care of events and make sure that, let's say, a trojan does not shutdown your firewall/antivirus, is not practical (it's like trying to remove buffer overflows? :), so they advice developers to use "window stations" instead.
"Window stations" is a functionality found in Windows 2k/XP/etc that creates separate event queues within the same session; an application from one session cannot enumerate or send events to a window in another window station. In the same concept are "desktop windows"; A window station can contain several desktop windows.
Using window station, you can separate much of the functionality of your AV/firewall/etc and let it run in a different window station. However, for usability purposes you still need the user to be able to control the service, so I believe it has to run in the current window station. Tough problem.
More on this at http://www.isg.rhul.ac.uk/~simos/HITB/ Simos http://simos.info/
Current thread:
- Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability Tony Montana (Oct 01)
- <Possible follow-ups>
- Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability miguel . dilaj (Oct 05)
- Re: Kaspersky AntiVirus Window Caption GUI Bypass Vulnerability Simon (Oct 05)