SecurityvulnsSECURITYVULNS:DOC:6998SetWindowLong Shatter Attacks
========================================================================
= SetWindowLong Shatter Attacks
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx
= Affected Software:
= Microsoft Windows 98, 98SE, ME
= Microsoft Windows NT 4.0
= Microsoft Windows 2000 Service Pack 4
= Microsoft Windows XP, Microsoft Windows XP Service Pack 1
= Microsoft Windows Server 2003
= Public disclosure on October 14, 2004
== Overview ==
As explained in my presentation at Blackhat earlier this year, attacks
against the windows GUI do not stop with sending messages. In that
presentation I talked about the exploitative usage of the SetProp() API
method. The SetWindowLong()/SetWindowLongPtr() API's can also be used
to exploit certain applications for arbitrary advantage.
What advantage depends heavily on the application been targeted.
== Background ==
The SetWindowLong() function is documented in MSDN as;
The SetWindowLong function changes an attribute of the specified window.
The function also sets a 32-bit (long) value at the specified offset into
the extra window memory of a window.
LONG SetWindowLong(
HWND hWnd, // handle of window
int nIndex, // offset of value to set
LONG dwNewLong // new value
);
Parameters
hWnd
Handle to the window and, indirectly, the class to which the window
belongs.
nIndex
Specifies the zero-based offset to the value to be set. Valid values
are in the range zero through the number of bytes of extra window
memory, minus 4; for example, if you specified 12 or more bytes of
extra memory, a value of 8 would be an index to the third 32-bit integer.
To set any other value, specify one of the following values:
Value Action
GWL_EXSTYLE Sets a new extended window style.
GWL_STYLE Sets a new window style.
GWL_WNDPROC Sets a new address for the window procedure.
GWL_HINSTANCE Sets a new application instance handle.
GWL_ID Sets a new identifier of the window.
GWL_USERDATA Sets the 32-bit value associated with the window. Each
window has a corresponding 32-bit value intended for use
by the application that created the window.
The following values are also available when the hWnd parameter identifies
a dialog box:
Value Action
DWL_DLGPROC Sets the new address of the dialog box procedure.
DWL_MSGRESULT Sets the return value of a message processed in the
dialog box procedure.
DWL_USER Sets new extra information that is private to the
application, such as handles or pointers.
dwNewLong
Specifies the replacement value.
Remarks
The SetWindowLong function fails if the window specified by the hWnd
parameter does not belong to the same process as the calling thread.
The functions compliment is the GetWindowLong() function, which is used
to retrieve a value.
Even though the remarks section is documented as written above, it is not
a true statement.
As with the SendMessage() function (as used by standard shatter attacks)
any user can call the SetWindowLong() function to alter the data stored
in the window memory.
== Exploitation ==
We founds multiple third party and core windows services that used the
memory space pointed to by the GWL_USERDATA, to store specific data. In
some cases this data could be manipulated to gain execution control.
Since each application stores different information in this memory and
therefore the exploitation differs, we can not explain them all. We will
however give a quick example of how execution control could be obtained.
We discovered that [Service X], that did not normally have a window, could
be enticed into generating an error that would display a window. The
service stored a pointer to a lookup table in the window memory pointed to
by GWL_USERDATA. This lookup table held the address of functions, and was
later used to retrieve an address and pass it to a CALL instruction.
By using the process mapped heap, as explained in my Blackhat presentation,
it was possible to place our shellcode into a known location. We could also
construct a new lookup table, pointing to our shellcode, in a known
location.
Then by using SetWIndowLongPtr() API we replaced the pointer to the lookup
table with the address of our new lookup table. The service would use our
lookup table and execution would therefore reach the shellcode.
== Solutions ==
- Install the vendor supplied patch.
- Interactive processes should not run under a higher level account.
== Credit ==
Discovered and advised to Microsoft Feburary 05, 2004 by Brett Moore of
Security-Assessment.com
%-) Ceaser, Derek and all others working on new explotation methodsβ¦
== About Security-Assessment.com ==
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.
######################################################################
CONFIDENTIALITY NOTICE:
This message and any attachment(s) are confidential and proprietary.
They may also be privileged or otherwise protected from disclosure. If
you are not the intended recipient, advise the sender and delete this
message and any attachment from your system. If you are not the
intended recipient, you are not authorised to use or copy this message
or attachment or disclose the contents to any other person. Views
expressed are not necessarily endorsed by Security-Assessment.com
Limited. Please note that this communication does not designate an
information system for the purposes of the New Zealand Electronic
Transactions Act 2003.
######################################################################
β
NTBugtraq Editor's Note: