The utility manager has had many privilege escalation vulnerabilities in
the past related to 'shatter attacks'. While investigating for more
attack avenues it was discovered that utility manager will load a
winhlp32 process without dropping privileges. This winhlp32 process could
then be attacked and SYSTEM privileges obtained.
== Description ==
Although it drops privileges when loading help files through the 'help'
button, if the F1 key or the ? button were used to received context
sensitive help, winhlp32.exe is loaded with system privileges.
Winhlp32.exe loads as a hidden window which can then be exploited by
sending GDI messages to it. We discovered various 'undocumented' messages
used by winhlp32 including one message that will pass an address of a
structure containing function pointers. By sending an address of our
buffer execution flow could be redirected into our buffer.
Cesar Cerrudo, discovered this independently and exploited the winhlp32
process through a different set of messages method.
Both of these methods allow for a local user to execute code with SYSTEM
level rights.
== Solutions ==
== Credit ==
Discovered and advised to Microsoft October, 2004 by Brett Moore of
Security-Assessment.com
%-) the texan, the ninja and the unconventional.
== About Security-Assessment.com ==
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html