Feeds

Win32 API utterly and irredeemably broken

So we're told

  • alert
  • submit to reddit

3 Big data security analytics techniques

Windows might possibly be the most insecure piece of viral code ever to infect a computer, according to Chris Paget who's found a fascinating hole in the Win32 Messaging System which he believes is irreprarable, and which he posted to the BugTraq security mailing list.

The research leading to this discovery was inspired by MS Veep Jim Allchin, who testified to the effect that if flaws in the Windows Messaging System were sufficiently understood, national security would be deeply compromised, CRUISE missiles would be launched remotely, and /bin/laden would most likely find some novel way of raping your daughter with his big bad mouse.

Paget has brought at least some of Allchin's fears to fruition:

"Applications within Windows are entirely controlled through the use of messages. When a key is pressed, a message is sent to the current active window which states that a key was pressed. When Windows decides that an application needs to redraw its client area, it sends a message to the application. In fact, when any event takes place that an application needs to know about, it is sent a message. These messages are placed into a queue, and are processed in order by the application.

"This is a very reliable mechanism for controlling applications. However, on Win32 the mechanism for controlling these messages is flawed. Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious application is indistinguishable from a message sent by the Windows kernel."

He's developed an application called "Shatter" (a bit grotty imho judging by a quick poking into the source files) that exploits the WMS in a limited context relevant to NAI VirusScan v4.5.1, which he believes can be expanded to suit numerous other applications.

It looks quite workable (I've not tested it), and if used properly with a hex editor and a debugger ought to yield an escalation of privilege within a running VirusScan window, from a user account to the LocalSystem account. Then you paste in your shellcode. Even if it's preposterously sloppy it should work; something like 4GB of space ought to be available. For your convenience Paget has provided an example, weighing in at a sleek 1.7KB (if you can't do that much on your own, you really ought not to be playing with stuff of this nature).

The next step is to abuse WM_TIMER:

"You can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue so the application doesn't even have the chance to ignore it. Silly, silly, silly...

"So, within Shatter, the handle should be set to the VirusScan edit control containing our shellcode. The first parameter can be anything you like, and the second parameter should be 512 bytes or so above the address we picked out of the debugger earlier (we have 1K of NOP's [No Operation] in front of the shellcode, so we should land slap bang in the middle of them... Hit WM_TIMER, and your netcat listener should come alive with a command prompt. A quick WHOAMI will reveal that you have indeed gone from guest to local system. Enjoy."

Several BugTraq skeptics have observed that it's more the application developer than MS which has made this possible.

"This class of attack is not new, it has been discussed before. While you can assert that the blame lies with Microsoft (and I'll admit they do have some responsibility to address the problem you describe) the chief blame lies with the vendor of the software whose bad programming you are exploiting. There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop. I am not aware of any Microsoft application that makes such a mistake," list member John Howie observes.

In any event you gotta love a guy with the nads to publish what has got to be the most unflattering portrait of himself ever taken, for which we're duly and humbly respectful.

On the other hand there is this bit of Gibson-esque self promotion: "able to program in 23 languages on 14 platforms, [Paget] takes an average of 3 days to learn a new programming language. He's currently available as a freelance security consultant." Only 23, Chris? And only three days? With miraculous powers of comprehension like that we have to wonder what's slowing you down. If I could learn a language in three days, I'd be conversant in every last one of them, including archaeological freaks like ALGOL.

Somebody jokin'. ®

Update

Reader Gavin Brown points us to a Paget pic that probably belongs on Rotten.com.

Enjoy, sort of.

SANS - Survey on application security programs

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.