Feeds

Win32 API utterly and irredeemably broken

So we're told

  • alert
  • submit to reddit

Intelligent flash storage arrays

Windows might possibly be the most insecure piece of viral code ever to infect a computer, according to Chris Paget who's found a fascinating hole in the Win32 Messaging System which he believes is irreprarable, and which he posted to the BugTraq security mailing list.

The research leading to this discovery was inspired by MS Veep Jim Allchin, who testified to the effect that if flaws in the Windows Messaging System were sufficiently understood, national security would be deeply compromised, CRUISE missiles would be launched remotely, and /bin/laden would most likely find some novel way of raping your daughter with his big bad mouse.

Paget has brought at least some of Allchin's fears to fruition:

"Applications within Windows are entirely controlled through the use of messages. When a key is pressed, a message is sent to the current active window which states that a key was pressed. When Windows decides that an application needs to redraw its client area, it sends a message to the application. In fact, when any event takes place that an application needs to know about, it is sent a message. These messages are placed into a queue, and are processed in order by the application.

"This is a very reliable mechanism for controlling applications. However, on Win32 the mechanism for controlling these messages is flawed. Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious application is indistinguishable from a message sent by the Windows kernel."

He's developed an application called "Shatter" (a bit grotty imho judging by a quick poking into the source files) that exploits the WMS in a limited context relevant to NAI VirusScan v4.5.1, which he believes can be expanded to suit numerous other applications.

It looks quite workable (I've not tested it), and if used properly with a hex editor and a debugger ought to yield an escalation of privilege within a running VirusScan window, from a user account to the LocalSystem account. Then you paste in your shellcode. Even if it's preposterously sloppy it should work; something like 4GB of space ought to be available. For your convenience Paget has provided an example, weighing in at a sleek 1.7KB (if you can't do that much on your own, you really ought not to be playing with stuff of this nature).

The next step is to abuse WM_TIMER:

"You can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue so the application doesn't even have the chance to ignore it. Silly, silly, silly...

"So, within Shatter, the handle should be set to the VirusScan edit control containing our shellcode. The first parameter can be anything you like, and the second parameter should be 512 bytes or so above the address we picked out of the debugger earlier (we have 1K of NOP's [No Operation] in front of the shellcode, so we should land slap bang in the middle of them... Hit WM_TIMER, and your netcat listener should come alive with a command prompt. A quick WHOAMI will reveal that you have indeed gone from guest to local system. Enjoy."

Several BugTraq skeptics have observed that it's more the application developer than MS which has made this possible.

"This class of attack is not new, it has been discussed before. While you can assert that the blame lies with Microsoft (and I'll admit they do have some responsibility to address the problem you describe) the chief blame lies with the vendor of the software whose bad programming you are exploiting. There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop. I am not aware of any Microsoft application that makes such a mistake," list member John Howie observes.

In any event you gotta love a guy with the nads to publish what has got to be the most unflattering portrait of himself ever taken, for which we're duly and humbly respectful.

On the other hand there is this bit of Gibson-esque self promotion: "able to program in 23 languages on 14 platforms, [Paget] takes an average of 3 days to learn a new programming language. He's currently available as a freelance security consultant." Only 23, Chris? And only three days? With miraculous powers of comprehension like that we have to wonder what's slowing you down. If I could learn a language in three days, I'd be conversant in every last one of them, including archaeological freaks like ALGOL.

Somebody jokin'. ®

Update

Reader Gavin Brown points us to a Paget pic that probably belongs on Rotten.com.

Enjoy, sort of.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
First in line to order a Nexus 6? AT&T has a BRICK for you
Black Screen of Death plagues early Google-mobe batch
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.