Related information

Windows multiple bugs

WindowsXP malformed .wmf files DoS

Microsoft Security Bulletin MS04-019 Vulnerability in Utility Manager Could Allow Code Execution (842526)

Microsoft Window Utility Manager Local Elevation of Privileges

[VulnWatch] [SHATTER Team Security Alert] Microsoft Windows Utility Manager Vulnerability

From:	Brett Moore <brett.moore_(at)_SECURITY-ASSESSMENT.COM>
Date:	15.04.2004
Subject:	[Full-Disclosure] Utility Manager - Failure to drop system privileges

========================================================================
= Utility Manager - Failure to drop system privileges
=
= MS Bulletin posted: April 13, 2004
= http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
=
= Affected Software:
=       Microsoft Windows 2000
=
= Public disclosure on April 14, 2004
========================================================================

The utility manager has had many privilege escalation vulnerabilities in
the past related to 'shatter attacks'. While investigating for more
attack avenues it was discovered that utility manager will load a
winhlp32 process without dropping privileges. This winhlp32 process could
then be attacked and SYSTEM privileges obtained.

== Description ==

Although it drops privileges when loading help files through the 'help'
button, if the F1 key or the ? button were used to received context
sensitive help, winhlp32.exe is loaded with system privileges.

Winhlp32.exe loads as a hidden window which can then be exploited by
sending GDI messages to it. We discovered various 'undocumented' messages
used by winhlp32 including one message that will pass an address of a
structure containing function pointers. By sending an address of our
buffer execution flow could be redirected into our buffer.

Cesar Cerrudo, discovered this independently and exploited the winhlp32
process through a different set of messages method.

Both of these methods allow for a local user to execute code with SYSTEM
level rights.

== Solutions ==

- Install the vendor supplied patch.
- Interactive processes should not run under a higher level account.

== Credit ==

Discovered and advised to Microsoft October, 2004 by Brett Moore of
Security-Assessment.com

%-) the texan, the ninja and the unconventional.

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html