Apr 15, 2004

[Full-Disclosure] Utility Manager - Failure to drop system privileges

vulners.com

========================================================================
= Utility Manager - Failure to drop system privileges

= MS Bulletin posted: April 13, 2004
= http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

= Affected Software:
= Microsoft Windows 2000

= Public disclosure on April 14, 2004

The Utility Manager has had many privilege escalation vulnerabilities in
the past related to 'shatter attacks'. While investigating further
attack avenues it was discovered that Utility Manager launches a
winhlp32 process without dropping privileges. This winhlp32 process could
then be attacked and SYSTEM privileges obtained.

== Description ==

Although Utility Manager drops privileges when loading help files through
the 'Help' button, if the F1 key or the '?' button is used to receive
context-sensitive help, winhlp32.exe is loaded with SYSTEM privileges.

Winhlp32.exe loads as a hidden window, which can then be exploited by
sending GDI messages to it. We discovered various 'undocumented' messages
used by winhlp32, including one message that passes the address of a
structure containing function pointers. By sending the address of our
own buffer instead, execution flow could be redirected into that buffer.

Cesar Cerrudo discovered this independently and exploited the winhlp32
process through a different set of messages.

Both of these methods allow for a local user to execute code with SYSTEM
level rights.

== Solutions ==

  • Install the vendor supplied patch.
  • Interactive processes should not run under a higher level account.
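The second solution, that interactive processes must not run under a higher-privileged account than the logged-on user, can be checked from the defender's side. The following audit script is an added example and is not part of the original advisory or of Security-Assessment.com's material. It assumes a modern Windows host, where services live in session 0 and user desktops in sessions 1 and above (on Windows 2000, the affected platform, the console was session 0, so the SessionId filter would need adjusting there); the exclusion list `$KnownSystemInSession` and the function name `Get-SystemOwnedInteractiveProcess` are the example's own choices.

```powershell
# Added audit script (not from the advisory): list processes that run as SYSTEM inside an
# interactive user session. A winhlp32.exe spawned by Utility Manager with its SYSTEM token,
# as described above, would appear in this list with utilman.exe as its parent.
#
# Assumption: services run in session 0 and user desktops in sessions >= 1. A handful of
# SYSTEM processes are expected in every user session and are excluded by name.
$KnownSystemInSession = @('winlogon.exe', 'csrss.exe', 'LogonUI.exe', 'smss.exe')

function Get-SystemOwnedInteractiveProcess {
    param([string[]]$Exclude = $KnownSystemInSession)

    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.SessionId -gt 0 -and $Exclude -notcontains $_.Name } |
        ForEach-Object {
            # GetOwner resolves the token owner; ReturnValue 0 means the lookup succeeded.
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            if ($owner.ReturnValue -eq 0 -and $owner.User -eq 'SYSTEM') {
                # Resolve the parent so the spawning program is visible in the report.
                $parent = Get-CimInstance -ClassName Win32_Process `
                    -Filter "ProcessId = $($_.ParentProcessId)"
                [pscustomobject]@{
                    ProcessId   = $_.ProcessId
                    Name        = $_.Name
                    SessionId   = $_.SessionId
                    Owner       = "$($owner.Domain)\$($owner.User)"
                    ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
                    CommandLine = $_.CommandLine
                }
            }
        }
}

# Print the findings; an empty table means no SYSTEM-owned process was found in a user session.
Get-SystemOwnedInteractiveProcess | Format-Table -AutoSize
```

Run the script from an elevated prompt: querying the owner of a SYSTEM process from a standard user's shell fails with an access-denied return code, and the filter on `ReturnValue -eq 0` would then silently skip exactly the processes of interest. Any entry that remains after the known exclusions is a program that exposes a SYSTEM-privileged window to the interactive desktop and deserves the same review that Utility Manager's help viewer received.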

== Credit ==

Discovered and advised to Microsoft October, 2004 by Brett Moore of
Security-Assessment.com

%-) the texan, the ninja and the unconventional.

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, an online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team has previously identified a
number of vulnerabilities in public and private software vendors' products.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html