Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:6083
HistoryApr 15, 2004 - 12:00 a.m.

[VulnWatch] [SHATTER Team Security Alert] Microsoft Windows Utility Manager Vulnerability

2004-04-1500:00:00
vulners.com
19
JSON

Microsoft Windows Utility Manager Vulnerability

April 13, 2004

Risk Level: High

Summary:
A local elevation of privileges vulnerability exists on the Windows Utility
Manager that allows to any user to take complete control over the operating
system.

Versions Affected:
All products in the Windows 2000 operating system family.

Details:
Microsoft Windows 2000 contains support for Accessibility options within
the
operating system. Accessibility support is a series of assistive
technologies
within Windows that allow users with disabilities to still be able to
access the
functions of the operating system. Accessibility support is enabled or
disabled
through shortcuts built into the operating system, or through the
Accessibility
Utility Manager. The Utility Manager is an accessibility utility that
allows
users to check the status of Accessibility programs (Magnifier,
Narrator, On-
Screen Keyboard) and start or stop them. The Utility Manager can be
invoked by
pressing Windows Key + U or executing "utilman.exe /start" from the command
line. The Utility Manager Service is enabled by default and runs in the
interactive desktop with Local System privileges.

The Utility Manager has support for context sensitive help. Users can
access
this by clicking in the "?" on the title bar and then on an object or by
pressing the F1 key after selecting an object. In order to display the
help,
Utility Manager loads winhlp32.exe but does not drop System privileges.
Therefore, winhlp32.exe is executed under the Local System account. While
winhlp32.exe is executing it is possible to send Windows messages to it and
attack it with "Shatter" style attacks.

Winhlp32.exe is executed with its main window hidden but it is very
trivial to
make it visible. Once the window is made visible, a typical attack would
involve using the β€œFile Open” dialog to execute a program such as
β€œcmd.exe.”
Since the Help window has Local System privileges, the executed program
will
have the same privileges.

Further information is available at:
http://www.appsecinc.com/resources/alerts/general/04-0001.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Fix:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

Acknowledgments:
Thanks to Cesar Cerrudo and Esteban Martinez Fayo of Application
Security, Inc. (http://www.appsecinc.com) and to
Brett Moore of Security-Assessment.com (http://security-assessment.com).

Please find the proof-of-concept exploit code attached

AppSecInc Team SHATTER
Tel: 1-866-927-7732
E-mail: [email protected]
Web: www.appsecinc.com

Application Security, Inc.
"Securing Business by Securing Enterprise Applications"

Related

securityvulns 3
cert 1
cve 2
nessus 1
openvas 1
securityvulns
securityvulns
Microsoft Window Utility Manager Local Elevation of Privileges
2004-07-14 00:00:00
Microsoft Security Bulletin MS04-011
2004-04-14 00:00:00
US-CERT Technical Cyber Security Alert TA04-104A -- Multiple Vulnerabilities in Microsoft Products
2004-04-14 00:00:00
cert
cert
Microsoft Windows Utility Manager contains vulnerability in the way it launches applications
2004-04-14 00:00:00
cve
cve
CVE-2004-0213
2004-08-06 04:00:00
CVE-2003-0908
2004-06-01 04:00:00
nessus
nessus
MS04-011: Microsoft Hotfix (credentialed check) (835732)
2004-04-13 00:00:00
openvas
openvas
MS04-011 security check
2009-03-15 00:00:00
JSON
Related for SECURITYVULNS:DOC:6083
securityvulns3cert1cve2nessus1openvas1