Scary: An UNFIXABLE windows bug has been exploited. So easy anyone can do it....

Martin

Lifer
Jan 15, 2000
A short paper written on the subject

It provides you with the program you need to exploit the bug, as well as the instructions, which are easy enough for everyone here to follow. With it you can gain full privileges from a guest account!

Background - the Win32 messaging system

Applications within Windows are entirely controlled through the use of messages. When a key is pressed, a message is sent to the current active window which states that a key was pressed. When Windows decides that an application needs to redraw its client area, it sends a message to the application. In fact, when any event takes place that an application needs to know about, it is sent a message. These messages are placed into a queue, and are processed in order by the application.

This is a very reliable mechanism for controlling applications. However, on Win32 the mechanism for controlling these messages is flawed. Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious application is indistinguishable from a message sent by the Windows kernel. It is this lack of authentication that we will be exploiting, taking into consideration that these messages can be used to manipulate windows and the processes that own them.


Apparently this is unfixable right now and MS does not even consider it a flaw/bug.
 

DeschutesCore

Senior member
Jul 20, 2002
This isn't a bug. If this were to be "fixed", you couldn't control Winamp with 3rd party remote control software, plugins wouldn't work, and Excel couldn't talk to Word, etc. This is getting old. It's called illicit programming, not a bug. A bug is something that errors or causes damage for no reason, an exploit is taking advantage of something that should be taken advantage of. Calling a Windows message a bug is just senseless. Any programmer can cause programs / the entire environment to fail in any OS.

If anything, it's an issue McAfee would need to fix, not MS.

DC
 

Sir Fredrick

Guest
Oct 14, 1999
Hahaha. As a programmer, I find that hilarious.
It's not a bug or a flaw. There are easier ways to mess with a system than to try to manipulate a program that's running by sending it user interface messages.
 

DivideBYZero

Lifer
May 18, 2001
How lame.

If you're doing that then you already made it into the system... no need to mess with messaging.

... What's your point?
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: DivideBYZero
How lame.

If you're doing that then you already made it into the system... no need to mess with messaging.

... What's your point?

The point is using it for privilege escalation. The bug referenced is in VirusScan, not Windows.

Bill
 

Alphathree33

Platinum Member
Dec 1, 2000
Was this paper written by an English major after a 30 second conversation with a beginner programmer?
 

Nevyn522

Senior member
Aug 11, 2000
The point the author was trying to make was that someone could elevate their user privileges if desired -- in other words, a student logged in as "Guest" on a computer system in a school lab could gain administrator access -- to that machine. Through some further trickery other things could be attained, I'd assume, but... the work to do it is almost too much of a hassle.

The message-passing mechanism is designed that way to allow easy programming -- the author trying to claim that he "Discovered" this... well, I suppose if he's never read ANY book on Windows programming, or tried to use ANY of the legitimate development tools that use that mechanism to test programs, well... then, I guess he's a brilliant discoverer.

But this is, by and large, not a MS/Windows issue at all. Some lunkhead at Network Associates should be ignoring that message for an edit box -- and furthermore, the administrator on the local machine should be running a VirusScanner as a service with no UI elements for you to try to track down. Read the email MS replied with -- NA blew it, MS didn't. Someone's just trying to get a name.
 

CaptainGoodnight

Golden Member
Oct 13, 2000
Well, it is and isn't unfixable. Mostly, this is a problem with the software itself (not Windows): you shouldn't be running application windows with LOCALSYSTEM perms on a desktop.

Nonetheless, my thoughts:

The author's assertion that rooting an individual box is the same as getting/easily allows getting the network admin ability is utter and complete bullshit.

This can be solved by properly separating the GUI windows to configure and the services themselves.

In his proposed fixes, specifically #2, he doesn't point out that it makes sense to disallow sending messages to a program *only* if the program has higher perms. This would be a fairly simple fix, could be made by MS w/o any action by software authors, and would go a long way to fixing these problems. It doesn't have to be all or nothing.

Letting folks run random programs on individual computers is a recipe for disaster.

If you write a program that runs w/ elevated perms, trusting the param from a WM_TIMER message is equivalently stupid to trusting that nobody will overflow a buffer and using sprintf all over the damn place. That being said, another fix MS could do would be, in the SendMessage API call being used to send these messages, check the value of WM_TIMER message params. This might break some software that relies on this exploit, though, but this would do a lot of good.


Edit: This problem can be solved from the 3rd party developer's end by writing a proper application with the service and GUI components split into their component parts. Yes it takes a little more work, but on the flip side would you think very highly of a Linux programmer who writes a SUID daemon that interacts with any user who logs onto the terminal or through X? As I am sure I don't have to point out - this is VERY stupid.

So give the MS bashing a rest as even most of the /. whores had enough sense to disregard the claims of the moron who wrote this "paper" in the first place. Experienced Windows Developers know not to do this, Microsoft tells you not to do it, and anybody with half a brain (e.g. a conjoined twin) could understand why this is a BAD thing.
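The check CaptainGoodnight proposes on WM_TIMER parameters, together with the paper's point that Windows itself never authenticates a message's sender, as an added example that is neither from this thread nor from the paper it discusses: a filter an elevated application's message loop could run between GetMessage and DispatchMessage, accepting a WM_TIMER only when its timer id and callback address match a pair the process itself registered. MSG, UINT_PTR, LPARAM, TIMERPROC, register_timer and demo are constructed stand-ins for the Win32 types so the code builds without windows.h, and the sample message queue is constructed as well.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for windows.h so this builds anywhere. WM_TIMER is the
 * real message number; for it, wParam = timer id and lParam = TIMERPROC or NULL. */
#define WM_TIMER 0x0113u
typedef uintptr_t UINT_PTR, LPARAM; typedef void (*TIMERPROC)(void);
typedef struct { unsigned message; UINT_PTR wParam; LPARAM lParam; } MSG;

/* Timers this process created itself: the id SetTimer returned and the
 * callback it passed (NULL when the window procedure handles the tick). */
static struct { UINT_PTR id; TIMERPROC proc; } g_timers[8];
static size_t g_ntimers;

int register_timer(UINT_PTR id, TIMERPROC proc)
{
    if (g_ntimers == sizeof g_timers / sizeof g_timers[0]) return 0;
    g_timers[g_ntimers].id = id; g_timers[g_ntimers++].proc = proc;
    return 1;
}

/* Trust policy to run before DispatchMessage: accept a WM_TIMER only if its
 * id/callback pair is one this process registered. Another process on the
 * desktop can forge the message but cannot see or change this table. */
int timer_message_is_trusted(const MSG *m)
{
    if (m->message != WM_TIMER) return 1;       /* policy covers WM_TIMER only */
    for (size_t i = 0; i < g_ntimers; i++)
        if (g_timers[i].id == m->wParam)
            return m->lParam == (LPARAM)g_timers[i].proc;
    return 0;                                    /* id we never set: drop it */
}

static void heartbeat(void) { /* the callback our own timer 1 uses */ }
/* Constructed queue, two genuine and two forged; returns how many pass. */
int demo(void)
{
    g_ntimers = 0;
    register_timer(1, heartbeat);
    register_timer(2, NULL);
    const MSG queue[] = {
        { WM_TIMER, 1, (LPARAM)heartbeat },   /* ours: accepted */
        { WM_TIMER, 2, 0 },                   /* ours, no callback: accepted */
        { WM_TIMER, 1, 0x41414141u },         /* foreign callback address: dropped */
        { WM_TIMER, 7, (LPARAM)heartbeat },   /* id we never set: dropped */
    };
    int passed = 0;
    for (size_t i = 0; i < 4; i++) passed += timer_message_is_trusted(&queue[i]);
    return passed;
}
```

The table is what the messaging system lacks: a record of which messages the process asked for. As the post says, moving the UI out of the LOCALSYSTEM service removes the exposure altogether; the filter only narrows it.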
 

Nemesis77

Diamond Member
Jun 21, 2001
During his second day on the stand, Allchin conceded that Microsoft has already identified at least one protocol and two APIs that it plans to withhold from public disclosure under the security carve-out.

The protocol, which is part of Message Queuing, contains a coding mistake that would threaten the security of enterprise systems using it if it were disclosed, Allchin said.

When pressed for further details, Allchin said he did not want to offer specifics because Microsoft is trying to work on its reputation regarding security. "The fact that I even mentioned the Message Queuing thing bothers me," he said.

Link

Hmmmmm.....
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Nemesis, I hope you weren't implying that this was the same issue. Windows 'messages' and Windows Message Queuing are two completely different and unrelated technologies.

Bill
 

Nemesis77

Diamond Member
Jun 21, 2001
Originally posted by: bsobel
Nemesis, I hope you weren't implying that this was the same issue. Windows 'messages' and Windows Message Queuing are two completely different and unrelated technologies.

Bill

I don't know what I was implying ;). I didn't read the article, just noticed that it was about messaging, and that I have read about a bug in Message Queuing.