Sunday, February 3, 2013


A few years ago while working on Windows sandboxing, I noticed a few relatively minor problems with Job Objects, Desktops and related facilities. I reported them to Microsoft, who said they don't consider these supported security boundaries and declined to fix them, but this was no big deal and I dropped the issue. The chrome security guys developed techniques to workaround some of these bugs in Chrome instead.

One of the problems I described was how broadcast messages were exempt from UIPI, and gave an example of how a LI process can broadcast WM_CHAR messages which would be interpreted as input to any open MI/HI command prompts.

The attack was not devastating, because an attacker would have to wait for a user to open a command prompt as MI or HI and then take over, which is a pretty weak attack. However, a few weeks ago I noticed a Microsoft blogger claiming that this exact scenario was impossible.

Unable to resist correcting him, I posted a comment on his blog and tweeted about it.

A few weeks later, Microsoft fixed it in MS13-005. This surprised me, because I didn't know a really good attack to abuse it, and Microsoft previously told me they were not interested. I figured Microsoft must have discussed it internally, and had realised a better way to exploit it.

A few days later I realised what the attack was.

LI processes can still trigger Global Hotkeys with keybd_event, so if I enumerate all the hotkeys registered in a default installation, maybe one of these will offer the solution. I put a kd breakpoint on NtUserRegisterHotkey and enumerated them all.

I think I figured it out, here is the attack I think Microsoft realised before I did:

  • From a Low Integrity process, spawn a cmd.exe and wait for explorer to add it to the task list.
  • Use keybd_event to send Win+Shift+[1 ... 9]
  • Explorer will spawn a new cmd.exe, which will inherit Medium Integrity from explorer.
  • Use SendMessage with HWND_BROADCAST to send WM_CHAR messages.
  • Drive the command prompt to send any new command you want, along with some ASCII art skulls to make it look like a scene from a Hollywood movie.
Apparently Packetstorm are offering a reward for a working implementation of this, so be my guest if you want to practice your Win32 scripting skills.


jamelhenry said...

The actual stainless protection men formulated processes to workaround many of these parasites in Stainless instead.

Sample Comment

James Lackey said...

This article has given me a lot of insights, thanks for making this in reality simple to take in, keep a good work! very effectively written information.OOH Advertisement ERP can deal with the entire outdoor media publicizing like a wind. It handles all the operational phases of Media Owner, Media Buyer and can be modified for/at any level. Their cautious comprehension of the outdoor business has brought about growing a leader arrangement set to be executed as of the main day.