[Am-info] Microsoft Windows Window Message Subsystem Design Error Vulnerability

Fred A. Miller fm@cupserv.org
Tue, 13 Aug 2002 13:34:03 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft Windows Window Message Subsystem Design Error Vulnerability
BugTraq ID: 5408
Remote: No
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5408
Summary:

A serious design error in the Win32 API has been reported.  The issue is
related to the inter-window message passing system.

In the Win32 model, all windows on the desktop are considered peers.  As
such, windows may pass messages to each other without respect to the
access level of the controlling processes.

This is a fundamental design flaw, as certain messages may adversely
affect the operation of the receiving process.  Win32 messages are
fairly powerful.  For example, messages may manipulate the properties
of window components (such as the length limit of a text input field).
Altering these properties may create exploitable conditions. The
obvious example is exposing a buffer overflow condition by changing the
length limit of an input field.

Furthermore, the message 'WM_TIMER' can be used to execute arbitrary
code if instructions can be placed in executable memory of the victim
process. The 'WM_TIMER' message can include the address of a callback
function in process memory.  If the address parameter is set to the
location of instructions placed in memory of the target process
(through an input field or some other method), the code will be
executed by the target process.  The message 'EM_GETLINE' may also be
used to write the instructions to any location in process memory.

This flaw is wide-ranging, likely affecting almost every Win32
window-based application.  Attackers with local access may exploit this
vulnerability to elevate privileges if a window belonging to another
process with higher privileges is present.  One example of such a
process is antivirus software, which often must run with LocalSystem
privileges.

- --
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org
- --- SuSE Linux v8.0 Pro, KMail 3.0.1---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj1ZQwsACgkQB9vk4ichYXeANQCgxmokUsomM+R55k2qecsDiyNj
W34AnRWmu5HfyE/UuuCKLVT+YMf6E9BK
=zV03
-----END PGP SIGNATURE-----
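The advisory's precondition is concrete and checkable: a process running with higher privileges than the logged-on user owns a window on the same interactive desktop. The following PowerShell is an added example from the editor, not part of the forwarded advisory and not Microsoft's or SecurityFocus's code. It performs two checks on a Windows host: services configured to interact with the desktop (the SERVICE_INTERACTIVE_PROCESS flag, exposed by WMI as Win32_Service.DesktopInteract) while running as LocalSystem, and processes in the current session that own a top-level window, with the account each runs as. Function names are the editor's own; the only APIs used are the CIM cmdlets and Get-Process, which exist with the properties shown.

```powershell
# Added example (editor's code, not from the advisory): find the condition
# the advisory describes, a privileged process with a window on the
# interactive desktop. Assumes Windows PowerShell 5.1 or later.

# Check 1: services that both interact with the desktop and run as
# LocalSystem. DesktopInteract reflects SERVICE_INTERACTIVE_PROCESS.
function Get-InteractiveSystemService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.DesktopInteract -eq $true -and
            ($_.StartName -eq 'LocalSystem' -or
             $_.StartName -eq 'NT AUTHORITY\SYSTEM')
        } |
        Select-Object Name, DisplayName, StartName, State, PathName
}

# Check 2: processes in the caller's session that own a top-level window,
# with the owning account. Get-Process only sees windows visible from the
# current session, which is the set a local attacker's own window can
# exchange messages with.
function Get-WindowedProcessOwner {
    Get-Process |
        Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero } |
        ForEach-Object {
            $proc  = $_
            $owner = 'unknown'
            try {
                $cim = Get-CimInstance -ClassName Win32_Process `
                                       -Filter "ProcessId = $($proc.Id)"
                $r = Invoke-CimMethod -InputObject $cim -MethodName GetOwner
                if ($r.ReturnValue -eq 0) { $owner = "$($r.Domain)\$($r.User)" }
            } catch {
                # GetOwner can fail on protected processes; still report the window.
            }
            [pscustomobject]@{
                ProcessId = $proc.Id
                Name      = $proc.ProcessName
                Owner     = $owner
                Window    = $proc.MainWindowTitle
            }
        }
}

# Usage: services first, then any windowed process that is SYSTEM-owned or
# whose owner could not be read (those are the candidates to investigate).
Get-InteractiveSystemService | Format-Table -AutoSize
Get-WindowedProcessOwner |
    Where-Object { $_.Owner -like '*\SYSTEM' -or $_.Owner -eq 'unknown' } |
    Format-Table -AutoSize
```

Anything the second check lists is a process whose window procedure receives whatever messages the logged-on user's processes choose to send it, which is exactly the situation the advisory warns about. Run the checks from an ordinary, non-elevated session so they reflect what a local attacker would see. The durable mitigation is the one implied by the advisory's own description: privileged services should not create windows on the interactive desktop at all, so the window-message flaw has no higher-privileged target; the later Microsoft fix for the WM_TIMER case (MS02-071) narrowed that one message but did not change the peer model described above.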