[Full-Disclosure] Utility Manager - Failure to drop system privileges
- To: "Full-Disclosure@Lists. Netsys. Com" <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] Utility Manager - Failure to drop system privileges
- From: "Brett Moore" <brett.moore@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 15 Apr 2004 12:20:57 +1200
========================================================================
= Utility Manager - Failure to drop system privileges
=
= MS Bulletin posted: April 13, 2004
= http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
=
= Affected Software:
= Microsoft Windows 2000
=
= Public disclosure on April 14, 2004
========================================================================
Utility Manager has had many privilege escalation vulnerabilities in
the past related to 'shatter attacks'. While investigating further
attack avenues, it was discovered that Utility Manager launches a
winhlp32 process without dropping privileges. This winhlp32 process could
then be attacked and SYSTEM privileges obtained.
== Description ==
Although Utility Manager drops privileges when loading help files through
the 'help' button, if the F1 key or the ? button is used to receive
context-sensitive help, winhlp32.exe is loaded with SYSTEM privileges.
Winhlp32.exe loads as a hidden window, which can then be exploited by
sending GDI messages to it. We discovered various 'undocumented' messages
used by winhlp32, including one message that will pass an address of a
structure containing function pointers. By sending an address of our
buffer, execution flow could be redirected into our buffer.
Cesar Cerrudo discovered this independently and exploited the winhlp32
process through a different set of messages.
Both of these methods allow for a local user to execute code with SYSTEM
level rights.
== Solutions ==
- Install the vendor supplied patch.
- Interactive processes should not run under a higher level account.
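The second recommendation can be audited. The following is an added example, not code from the advisory or from Microsoft: it enumerates every top-level window on the interactive desktop, hidden windows included (winhlp32 above was hidden), and reports those owned by a process running as LocalSystem, which is exactly the condition a shatter-style attack needs. It assumes an elevated PowerShell 4.0 or later session (`Get-Process -IncludeUserName` needs both).

```powershell
# Added audit example (not from the advisory). Lists SYSTEM-owned windows,
# visible or hidden, on the current interactive desktop.
# Assumes: elevated PowerShell 4.0+ (required for -IncludeUserName).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class WindowAudit {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc callback, IntPtr lParam);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint processId);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
}
"@

# Collect (handle, owning pid, visibility) for every top-level window.
# EnumWindows only walks the caller's desktop, i.e. the interactive one.
$windows = New-Object System.Collections.Generic.List[object]
$callback = [WindowAudit+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    [uint32]$ownerPid = 0
    [void][WindowAudit]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
    $windows.Add([pscustomobject]@{
        Handle    = $hWnd
        ProcessId = $ownerPid
        Visible   = [WindowAudit]::IsWindowVisible($hWnd)
    })
    return $true   # keep enumerating
}
[void][WindowAudit]::EnumWindows($callback, [IntPtr]::Zero)

# Map pid -> process name for every process running as LocalSystem.
$systemByPid = @{}
Get-Process -IncludeUserName |
    Where-Object { $_.UserName -eq 'NT AUTHORITY\SYSTEM' } |
    ForEach-Object { $systemByPid[[uint32]$_.Id] = $_.ProcessName }

# Report SYSTEM-owned windows. Hidden windows still receive messages,
# so they are listed alongside visible ones.
$windows |
    Where-Object { $systemByPid.ContainsKey($_.ProcessId) } |
    ForEach-Object {
        [pscustomobject]@{
            Process   = $systemByPid[$_.ProcessId]
            ProcessId = $_.ProcessId
            Visible   = $_.Visible
            Handle    = ('0x{0:X}' -f $_.Handle.ToInt64())
        }
    } |
    Sort-Object Process, ProcessId |
    Format-Table -AutoSize
```

Any entry in the output is a privileged process exposing a window to messages from the logged-on user and should be reviewed; on a patched system, winhlp32.exe launched from Utility Manager's context-sensitive help should no longer appear.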
== Credit ==
Discovered and advised to Microsoft October, 2004 by Brett Moore of
Security-Assessment.com
%-) the texan, the ninja and the unconventional.
== About Security-Assessment.com ==
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, an online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team has previously identified a
number of vulnerabilities in public and private software vendors' products.