I posted this response to full-disclosure earlier, so I may as well post it here too...

iDefense are absolutely correct in saying that EM_SETWORDBREAKPROC can be used in exactly the same way that WM_TIMER can, in order to force another application to jump to an arbitrary location in memory. They are also correct in saying that the problems are not unfixable; it was perhaps a little hasty on my part to state this in the original white paper.

However, I do not believe that the iDefense paper takes the issue far enough; here at NGS we have discovered many new techniques for exploiting Shatter attacks. Their technique for injecting shellcode, while working acceptably, is just one of many that we have located; EM_SETWORDBREAKPROC, while dangerous, is likewise just one example of many new Shatter techniques for code execution that we have independently discovered.

For example: MS03-025 is a patch for a Shatter vulnerability in the Utility Manager service, installed by default and running as LocalSystem on Windows 2000 computers. It is vulnerable to privilege escalation attacks using the LVM_SORTITEMS message. The Microsoft advisory on the issue can be found at

http://www.microsoft.com/security/security_bulletins/ms03-025.asp

while the NGS advisory can be found at

http://www.nextgenss.com/advisories/utilitymanager.txt

I will be presenting on the subject of Shatter at the Black Hat Briefings in Las Vegas, at the end of July. I will be discussing in detail the new issues we have found, correcting some errors in the original paper, releasing several new exploits for Shatter attacks (some for privilege escalation, and some for rather different issues), and discussing the depth of the issue as well as proposing in detail some solutions for fixing them.

Please don't ask me for more information until then; I'm happy to discuss the original paper, the iDefense paper, and the MS03-025 patch, but I will not be providing more information about my Black Hat presentation until after the event. Rest assured that there is a lot of new content in it, and I will be around at both Black Hat and Def Con afterwards to answer any questions that are outstanding.

Two things in particular that I would like to state in response to the iDefense paper.

Firstly, while the technique of filtering messages that are received by an application will work, it is an approach from the wrong side. It is a "We know this is bad so we'll filter it" approach, while what is needed is a "We know this is good so we'll allow it" solution. I will be explaining two alternative solutions in detail at Black Hat, although all three potentially suffer from the same problem.

Secondly, the iDefense paper indicates that Microsoft's security best practices are not to have highly privileged windows on a low-privileged desktop; this is not a firm stance from Microsoft. In fact, their latest statement on the issue (in the text for the WM_TIMER patch - MS02-071) states:

"I saw a posting Microsoft authored shortly after this issue was reported, in which you said the problem was that processes with differing levels of privilege were running on the interactive desktop. It sounds like you've changed your opinion.

We have. When we initially examined the situation, we concluded that the problem here lay solely in the fact that highly-privileged and lower-privileged processes were both present in the interactive desktop. We pointed out that, by design, all processes on the interactive desktop are peers, and stated that we believed the real solution was to not mix processes of varying privileges. However, upon deeper investigation, we determined that the real answer is somewhat more complicated.

It's possible for a highly privileged process to coexist safely with less privileged processes on the interactive desktop, provided that it's been properly designed to vet all requests before acting on them. However, the flaw in WM_TIMER would undermine these safeguards even if they were present. As a result, although we still recommend that developers use extreme care before writing a process that has high privileges and runs in the interactive desktop, we believe that in this case the real culprit is the flaw in WM_TIMER."

To state Microsoft's policy as recommending that highly privileged applications should not interact with users is somewhat misleading, if not actually erroneous. Microsoft's stance on the issue is unclear, at best.

That said, I applaud iDefense for their research, and I am grateful to them for taking the time to read and understand the issue, and then investigate it in more depth. Hopefully, this paper and the presentation I deliver at Black Hat will have the desired effect of spurring more research into the problem, increasing the average developer's understanding of the problem, and preventing the attacks as far as is possible.

Chris Paget

On Fri, 11 Jul 2003, iDEFENSE Labs wrote:

> iDEFENSE Security Advisory 07.11.03:
> http://www.idefense.com/advisory/07.11.03.txt
> Win32 Message Vulnerabilities Redux
> July 11, 2003
>
> About one year ago, Chris Paget published a pair of papers that
> described fundamental flaws in the way the Microsoft Corp. Windows
> event model is designed. Paget showed how these flaws led to a class of
> attacks he dubbed "Shatter attacks," and claimed that they were both
> widespread and unfixable. The boldness of these claims led to a rash of
> media coverage of this exploit, and a sizeable debate within the
> security community about the accuracy and importance of his claims.
> In response to the pressure exerted by this attention, Microsoft published
> security bulletin MS02-071 and an associated patch, which has led many
> to believe that Shatter attacks are no longer possible.
>
> iDEFENSE has published a paper written by Oliver Lavery that clarifies
> what the flaws in the Windows event model are, describes a related
> vulnerability that continues to exist in many popular software products
> and suggests ways in which these "unfixable" flaws might be addressed.
> Titled "Win32 Message Vulnerabilities Redux," the paper is available at
> http://www.idefense.com/idpapers/Shatter_Redux.pdf . The appropriate
> vendors mentioned within received an advance copy of this paper.