Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error Vulnerability (8)

2002-08-06T00:00:00
ID EDB-ID:21691
Type exploitdb
Reporter anonymous
Modified 2002-08-06T00:00:00

Description

MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (8). CVE-2002-1230. Local exploit for the Windows platform.

                                        
source: http://www.securityfocus.com/bid/5408/info
       
A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges.
       
** Microsoft has released a statement regarding this issue. Please see the References section for details.
       
A paper entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE; it describes another Windows message that may be abused in a manner similar to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages that can be exploited in the same manner.
       
Another proof of concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications that use progress bar controls.
       
Brett Moore has released a paper entitled "Shattering By Example", which summarizes previous Shatter attacks, discusses new techniques, and provides an exploit that abuses Windows status bars using the WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/21691.zip