Feeds

Win32 API utterly and irredeemably broken

So we're told

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Windows might possibly be the most insecure piece of viral code ever to infect a computer, according to Chris Paget who's found a fascinating hole in the Win32 Messaging System which he believes is irreprarable, and which he posted to the BugTraq security mailing list.

The research leading to this discovery was inspired by MS Veep Jim Allchin, who testified to the effect that if flaws in the Windows Messaging System were sufficiently understood, national security would be deeply compromised, CRUISE missiles would be launched remotely, and /bin/laden would most likely find some novel way of raping your daughter with his big bad mouse.

Paget has brought at least some of Allchin's fears to fruition:

"Applications within Windows are entirely controlled through the use of messages. When a key is pressed, a message is sent to the current active window which states that a key was pressed. When Windows decides that an application needs to redraw its client area, it sends a message to the application. In fact, when any event takes place that an application needs to know about, it is sent a message. These messages are placed into a queue, and are processed in order by the application.

"This is a very reliable mechanism for controlling applications. However, on Win32 the mechanism for controlling these messages is flawed. Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious application is indistinguishable from a message sent by the Windows kernel."

He's developed an application called "Shatter" (a bit grotty imho judging by a quick poking into the source files) that exploits the WMS in a limited context relevant to NAI VirusScan v4.5.1, which he believes can be expanded to suit numerous other applications.

It looks quite workable (I've not tested it), and if used properly with a hex editor and a debugger ought to yield an escalation of privilege within a running VirusScan window, from a user account to the LocalSystem account. Then you paste in your shellcode. Even if it's preposterously sloppy it should work; something like 4GB of space ought to be available. For your convenience Paget has provided an example, weighing in at a sleek 1.7KB (if you can't do that much on your own, you really ought not to be playing with stuff of this nature).

The next step is to abuse WM_TIMER:

"You can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue so the application doesn't even have the chance to ignore it. Silly, silly, silly...

"So, within Shatter, the handle should be set to the VirusScan edit control containing our shellcode. The first parameter can be anything you like, and the second parameter should be 512 bytes or so above the address we picked out of the debugger earlier (we have 1K of NOP's [No Operation] in front of the shellcode, so we should land slap bang in the middle of them... Hit WM_TIMER, and your netcat listener should come alive with a command prompt. A quick WHOAMI will reveal that you have indeed gone from guest to local system. Enjoy."

Several BugTraq skeptics have observed that it's more the application developer than MS which has made this possible.

"This class of attack is not new, it has been discussed before. While you can assert that the blame lies with Microsoft (and I'll admit they do have some responsibility to address the problem you describe) the chief blame lies with the vendor of the software whose bad programming you are exploiting. There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop. I am not aware of any Microsoft application that makes such a mistake," list member John Howie observes.

In any event you gotta love a guy with the nads to publish what has got to be the most unflattering portrait of himself ever taken, for which we're duly and humbly respectful.

On the other hand there is this bit of Gibson-esque self promotion: "able to program in 23 languages on 14 platforms, [Paget] takes an average of 3 days to learn a new programming language. He's currently available as a freelance security consultant." Only 23, Chris? And only three days? With miraculous powers of comprehension like that we have to wonder what's slowing you down. If I could learn a language in three days, I'd be conversant in every last one of them, including archaeological freaks like ALGOL.

Somebody jokin'. ®

Update

Reader Gavin Brown points us to a Paget pic that probably belongs on Rotten.com.

Enjoy, sort of.

Security for virtualized datacentres

More from The Register

next story
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Apple's OS X Yosemite slurps UNSAVED docs into iCloud
Docs, email contacts... shhhlooop, up it goes
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.