One of the problems I described was how broadcast messages were exempt from UIPI, and gave an example of how a Low Integrity (LI) process can broadcast WM_CHAR messages which would be interpreted as keyboard input by any open Medium or High Integrity (MI/HI) command prompts.
The attack was not devastating, because an attacker would have to wait for a user to open a command prompt as MI or HI and then take over, which is a pretty weak attack. However, a few weeks ago I noticed a Microsoft blogger claiming that this exact scenario was impossible.
Unable to resist correcting him, I posted a comment on his blog and tweeted about it.
A few weeks later, Microsoft fixed it in MS13-005. This surprised me, because I didn't know a really good attack to abuse it, and Microsoft previously told me they were not interested. I figured Microsoft must have discussed it internally, and had realised a better way to exploit it.
A few days later I realised what the attack was.
LI processes can still trigger Global Hotkeys with keybd_event, so if I enumerate all the hotkeys registered in a default installation, maybe one of these will offer the solution. I put a kd breakpoint on NtUserRegisterHotkey and enumerated them all.
I think I figured it out; here is the attack I believe Microsoft realised before I did:
- From a Low Integrity process, spawn a cmd.exe and wait for explorer to add it to the task list.
- Use keybd_event to send Win+Shift+[1 ... 9]
- Explorer will spawn a new cmd.exe, which will inherit Medium Integrity from explorer.
- Use SendMessage with HWND_BROADCAST to send WM_CHAR messages.
- Drive the command prompt to run any command you want, along with some ASCII art skulls to make it look like a scene from a Hollywood movie.
Apparently Packetstorm are offering a reward for a working implementation of this, so be my guest if you want to practice your Win32 scripting skills.
Update: 0vercl0k has produced a neat demo. https://twitter.com/0vercl0k/status/298921576437518337