> iDEFENSE has published a paper written by Oliver Lavery that clarifies
> what the flaws in the Windows event model are, describes a related
> vulnerability that continues to exist in many popular software products
> and suggests ways in which these "unfixable" flaws might be addressed.
> Titled "Win32 Message Vulnerabilities Redux," the paper is available at
> http://www.idefense.com/idpapers/Shatter_Redux.pdf . The appropriate
> vendors mentioned within received an advance copy of this paper.

Nice document. A few comments on this:

The applications mentioned are intended to be used on non-server machines, which are the most vulnerable. There are also a lot of applications that in most cases run on servers (off the top of my mind, MDaemon, an MTA for Windows, which also creates a window that interacts with the desktop). These applications are at less risk because in theory only administrators should be allowed to log on to servers, but in some situations this is not the case. At the end of the day, if a user escalates privileges on a workstation, he won't be able to gain administrator access to the network, but if that same user escalates privileges on a server... oh, oh....

On the other hand, we do not need any third-party application to have an interactive window running as a service; Windows provides us with this "feature" off the shelf. Two examples:

    C:\>net send 127.0.0.1 Create a doggie window

And if the command prompt has been disabled we can use Win+U to bring up the Utility Manager. The Utility Manager is launched by the winlogon process with SYSTEM privileges and provides access to the "Accessibility tools" (good title). This "trick" will only work in Windows 2000; it seems that Microsoft has decided to do a good job and in Windows XP the Utility Manager is launched twice, once by the winlogon process with SYSTEM privileges and once again with user privileges. Only the second process exposes any windows to the user.

And if any of this is not enough, we can try with the Infrared service, the NetDDE agent and maybe more...

Regards,
David A. Pérez
http://www.kamborio.com/

"Forgiveness is the revenge of the good" (anonymous)
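The post's concern is services that put a window on the interactive desktop while running as SYSTEM. An administrator can inventory exactly that configuration: the "Allow service to interact with desktop" checkbox in services.msc is exposed through WMI as the `DesktopInteract` property of `Win32_Service`, and `StartName` shows the account the service runs as. The following audit script is an added example, not code from the original post or from the iDEFENSE paper; it assumes a Windows host with PowerShell 3 or later (for `Get-CimInstance`) and an elevated prompt so that all services are visible. The function names `Get-InteractiveService` and `Get-InteractiveServiceReport` are this example's own.

```powershell
# Added audit example (not from the original post or the iDEFENSE paper).
# Lists services configured with "Allow service to interact with desktop"
# (Win32_Service.DesktopInteract) and flags those running as LocalSystem,
# i.e. services that expose windows on the interactive desktop with the
# highest local privilege. Assumes Windows, PowerShell 3+, elevated prompt.

function Get-InteractiveService {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract -eq $true } |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.Name
                DisplayName  = $_.DisplayName
                StartName    = $_.StartName      # account the service runs as
                State        = $_.State          # Running / Stopped
                StartMode    = $_.StartMode      # Auto / Manual / Disabled
                PathName     = $_.PathName       # binary that owns the window(s)
                RunsAsSystem = ($_.StartName -eq 'LocalSystem')
            }
        }
}

function Get-InteractiveServiceReport {
    [CmdletBinding()]
    param()

    $services = @(Get-InteractiveService)
    # The combination to review first: interactive, LocalSystem, and running.
    $risky = @($services | Where-Object { $_.RunsAsSystem -and $_.State -eq 'Running' })

    [pscustomobject]@{
        InteractiveCount      = $services.Count
        RunningAsSystemCount  = $risky.Count
        RunningAsSystemNames  = @($risky | ForEach-Object { $_.Name })
        OtherInteractiveNames = @($services | Where-Object { -not $_.RunsAsSystem } |
                                 ForEach-Object { $_.Name })
    }
}

# Usage: full table first, then the summary used for review or ticketing.
Get-InteractiveService | Sort-Object RunsAsSystem -Descending | Format-Table -AutoSize
Get-InteractiveServiceReport
```

Run it on the servers the post worries about, where non-administrators may still be able to log on interactively; each entry with `RunsAsSystem` true and `State` Running is a service whose windows live on the same desktop as the logged-on user and deserves a look at whether it needs desktop interaction at all, or whether it can run under a less privileged account.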