Sunday, February 3, 2013

HWND_BROADCAST

A few years ago while working on Windows sandboxing, I noticed a few relatively minor problems with Job Objects, Desktops and related facilities. I reported them to Microsoft, who said they don't consider these supported security boundaries and declined to fix them, but this was no big deal and I dropped the issue. The chrome security guys developed techniques to workaround some of these bugs in Chrome instead.

One of the problems I described was how broadcast messages were exempt from UIPI, and gave an example of how a LI process can broadcast WM_CHAR messages which would be interpreted as input to any open MI/HI command prompts.

The attack was not devastating, because an attacker would have to wait for a user to open a command prompt as MI or HI and then take over, which is a pretty weak attack. However, a few weeks ago I noticed a Microsoft blogger claiming that this exact scenario was impossible.

Unable to resist correcting him, I posted a comment on his blog and tweeted about it.

A few weeks later, Microsoft fixed it in MS13-005. This surprised me, because I didn't know a really good attack to abuse it, and Microsoft previously told me they were not interested. I figured Microsoft must have discussed it internally, and had realised a better way to exploit it.

A few days later I realised what the attack was.

LI processes can still trigger Global Hotkeys with keybd_event, so if I enumerate all the hotkeys registered in a default installation, maybe one of these will offer the solution. I put a kd breakpoint on NtUserRegisterHotkey and enumerated them all.

I think I figured it out, here is the attack I think Microsoft realised before I did:

  • From a Low Integrity process, spawn a cmd.exe and wait for explorer to add it to the task list.
  • Use keybd_event to send Win+Shift+[1 ... 9]
  • Explorer will spawn a new cmd.exe, which will inherit Medium Integrity from explorer.
  • Use SendMessage with HWND_BROADCAST to send WM_CHAR messages.
  • Drive the command prompt to send any new command you want, along with some ASCII art skulls to make it look like a scene from a Hollywood movie.
Apparently Packetstorm are offering a reward for a working implementation of this, so be my guest if you want to practice your Win32 scripting skills.

7 comments:

Edward Cross said...

I think your post is very interesting and mostly, I keep looking for like this type of websites where I learn or get new concept. I am happy to visit on your site. Thanks to share it. I was more than happy to find this web site. I need to thank you for your moment due to this unbelievable read!! I definitely savored every bit of it and I have you book-marked to see new things in your web site. custom essay writing service

Richard Majece said...

If you are connected with new technologies, I can learn you how to listen critics and write it in modern way. I think that this useful source will be useful for you.

Alex Gaming said...

You don't have to put the years on your writings. You can easily find a good kindness narrative essay example. Just follow this link.

marshal singh said...

Super generate that is a like for more exticeted wsop free chips game to this play for the online.

Julie T. Kirwan said...

download asphalt extreme mod apk jurassic survival mod apk android dragon mania legends mods

nilla said...

Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.

Selenium with python Training in Electronic City

Sports education worldwide said...

appvn apk
tutuapp apk ios