Feeds

Win32 API utterly and irredeemably broken

So we're told

  • alert
  • submit to reddit

Security for virtualized datacentres

Windows might possibly be the most insecure piece of viral code ever to infect a computer, according to Chris Paget who's found a fascinating hole in the Win32 Messaging System which he believes is irreprarable, and which he posted to the BugTraq security mailing list.

The research leading to this discovery was inspired by MS Veep Jim Allchin, who testified to the effect that if flaws in the Windows Messaging System were sufficiently understood, national security would be deeply compromised, CRUISE missiles would be launched remotely, and /bin/laden would most likely find some novel way of raping your daughter with his big bad mouse.

Paget has brought at least some of Allchin's fears to fruition:

"Applications within Windows are entirely controlled through the use of messages. When a key is pressed, a message is sent to the current active window which states that a key was pressed. When Windows decides that an application needs to redraw its client area, it sends a message to the application. In fact, when any event takes place that an application needs to know about, it is sent a message. These messages are placed into a queue, and are processed in order by the application.

"This is a very reliable mechanism for controlling applications. However, on Win32 the mechanism for controlling these messages is flawed. Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious application is indistinguishable from a message sent by the Windows kernel."

He's developed an application called "Shatter" (a bit grotty imho judging by a quick poking into the source files) that exploits the WMS in a limited context relevant to NAI VirusScan v4.5.1, which he believes can be expanded to suit numerous other applications.

It looks quite workable (I've not tested it), and if used properly with a hex editor and a debugger ought to yield an escalation of privilege within a running VirusScan window, from a user account to the LocalSystem account. Then you paste in your shellcode. Even if it's preposterously sloppy it should work; something like 4GB of space ought to be available. For your convenience Paget has provided an example, weighing in at a sleek 1.7KB (if you can't do that much on your own, you really ought not to be playing with stuff of this nature).

The next step is to abuse WM_TIMER:

"You can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue so the application doesn't even have the chance to ignore it. Silly, silly, silly...

"So, within Shatter, the handle should be set to the VirusScan edit control containing our shellcode. The first parameter can be anything you like, and the second parameter should be 512 bytes or so above the address we picked out of the debugger earlier (we have 1K of NOP's [No Operation] in front of the shellcode, so we should land slap bang in the middle of them... Hit WM_TIMER, and your netcat listener should come alive with a command prompt. A quick WHOAMI will reveal that you have indeed gone from guest to local system. Enjoy."

Several BugTraq skeptics have observed that it's more the application developer than MS which has made this possible.

"This class of attack is not new, it has been discussed before. While you can assert that the blame lies with Microsoft (and I'll admit they do have some responsibility to address the problem you describe) the chief blame lies with the vendor of the software whose bad programming you are exploiting. There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop. I am not aware of any Microsoft application that makes such a mistake," list member John Howie observes.

In any event you gotta love a guy with the nads to publish what has got to be the most unflattering portrait of himself ever taken, for which we're duly and humbly respectful.

On the other hand there is this bit of Gibson-esque self promotion: "able to program in 23 languages on 14 platforms, [Paget] takes an average of 3 days to learn a new programming language. He's currently available as a freelance security consultant." Only 23, Chris? And only three days? With miraculous powers of comprehension like that we have to wonder what's slowing you down. If I could learn a language in three days, I'd be conversant in every last one of them, including archaeological freaks like ALGOL.

Somebody jokin'. ®

Update

Reader Gavin Brown points us to a Paget pic that probably belongs on Rotten.com.

Enjoy, sort of.

Website security in corporate America

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
'People have forgotten just how late the first iPhone arrived ...'
Plus: 'Google's IDEALISM is an injudicious justification for inappropriate biz practices'
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.