Slashdot Mirror

← Back to Stories (view on slashdot.org)

Shattering Windows

Posted by timothy on from the fundamentalism dept.

ChrisPaget writes: "I've just released a paper documenting and exploiting fundamental flaws in the Win32 API. Essentially, they allow you to take control of any window on your desktop, regardless of whether that window is running as you, localsystem, or anywhere in between. The technique has been discussed before, but AFAIK this is the first working exploit. Oh, did I mention it's unfixable?" You may want to read this CNET interview with Microsoft security head Scott Charney to learn even more about "trustworthy computing."

40 of 772 comments (clear)

  1. Ummm... 'Kay by handorf · · Score: 4, Insightful

    So basically you're saying that if you can get a user to run arbitrary code and that user has access to applications with higher access rights, you can get those access rights.

    If you can get the user to run arbitrary code, they're already dead.

    Not to say that windows is secure, but this seems to be picking nits to me.

    --
    -- IANAEG - I am not an elder god.
    1. Re:Ummm... 'Kay by handorf · · Score: 3, Insightful

      Right... a non-priveleged user has access to a window running a more-priveleged account.

      But the window must be in the user's workspace. You can impersonate the user, or, if the software in question has bugs in it (buffer overruns, etc), you can exploit those.

      If the user doesn't have any access to these programs (which they probably shouldn't in a truly secure environment) it isn't an issue. Turn off the user component.

      Look at it this way... if you have a X window to a SUID program running and you run arbitrary code... you could well be screwed. This isn't any different.

      Still, I'm back to my "If the user runs unknown code, they're screwed". There will always be SOME bugs in ANY operating system which can be exploited if you can get a user to run arbitrary code. Which is why encouraging good user habits are so important.

      --
      -- IANAEG - I am not an elder god.
    2. Re:Ummm... 'Kay by MisterBlister · · Score: 3, Insightful
      Yeah but in any case, software companies could work around this without breaking the Win32 API just by seperating out the parts of the code that need special privledges from the user interface code and use a secure message passing system (not based on standard windows message passing) between the two.

      Of course, the fact that apps aren't doing this goes to show that at the very least Microsoft has some education to do when it comes to developing secure 3rd party apps, but its not nearly as earth-shatteringly broken with no hope of being fixed as the paper author lets on.

    3. Re:Ummm... 'Kay by dannannan · · Score: 3, Insightful

      The real point is that the only apps that are insecure are the ones at the same privilege level as the user, or poorly written services that the administrator never should have installed.

      This is because you can copy arbitrary data into another process but only if it's got a thread on your desktop.

      Which applications would those be?

      • The vast majority of them will be ones running as you. So you can subvert a process running as you. Big deal.
      • The unlucky among us may have installed a hack job service, granting it LocalSystem access at the time they installed it. This service explicitly configured itself to be able to interact with the interactive desktop. !!!Big news!!! Hack job service compromises system!!!

      A closer look at the "Overview" section of the white paper reveals that it opens with "In this example, I will be exploiting Network Associates VirusScan v4.5.1...", so this whole article looks like the case of the unwisely configured service.

      This is all very simple, and it's been this way for years: if it runs as LocalSystem, uncheck the "Allow service to interact with desktop" box. Then there's no risk. You can't copy arbitrary data into the process, and you can't send it WM_TIMER messages. If you install a service app and it turns that option on, maybe you should look for a vendor with a higher quality product. And just to be on the safe side, set NoInteractiveServices to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Windows.

      (By the way, you're right that the bit about WM_TIMER in the white paper isn't even correct. The app that receives it has the opportunity to drop the message without dispatching the callback function, contrary to the white paper, whose author didn't even bother to investigate that claim before blurting it out.)

      D

  2. This is not new by Anonymous Coward · · Score: 1, Insightful

    This class of attack is not new, it has been discussed before. While you can assert that the blame lies with Microsoft (and I'll admit they do
    have some responsibility to address the problem you describe) the chief blame lies with the vendor of the software whose bad programming you are exploiting. There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop. I am not aware of any Microsoft application that makes such a mistake.

  3. Re:Take control? by Moridineas · · Score: 4, Insightful

    Why on earth is it crashing? Check your event logs. That should NOT be happening--sounds for sure like a hardware failure.

    Here's the output from the "systeminfo" command on my work computer fyi:

    Original Install Date: 3/15/2002, 11:24:37 AM
    System Up Time: 60 Days, 6 Hours, 36 Minutes, 21 Seconds

  4. Don't Do That by cperciva · · Score: 3, Insightful

    This "vulnerability" only effects poorly-written applications, running with system priviledges, which create windows in user-space.

    You're not supposed to do that.

    If you want to have a service which is user-configurable, create two separate programs (one service & one gui) and communicate via a named pipe.

    This isn't a flaw in the win32 API. This is a flaw in some applications which run under windows.

    --
    Tarsnap: Online backups for the truly paranoid
    1. Re:Don't Do That by Rick+the+Red · · Score: 4, Insightful
      Exactly! You could write a similarly flawed Linux application that someone could exploit to gain root access.

      Some Windows apps are not secure. News at /.

      --
      If all this should have a reason, we would be the last to know.
    2. Re:Don't Do That by cpeterso · · Score: 4, Insightful


      sprintf() is defined in C89. Good luck getting rid of it.
      Why not? GNU prides itself in being "not Unix" and has been known to write code with identifiers like POSIX_ME_HARDER. Why can't glibc help make the world a better place by dropping dangerous functions, such as gets(), sprintf(), strcpy(), strcat(), etc. Safer alternatives to these functions exist and their use should be forcefully encouraged.

      If glibc does not want to break source compatibility so drastically, they could move the dangerous functions to a new header such as "bufferoverflow.h". Or require the user program to #define GNU_BUFFER_OVERFLOWS_PLEASE before including stdio.h.

      Sure this makes porting to GNU slightly more difficult, but I think GNU can pull this off because they have enough clout with developers and no profit motive to worry about!

      --
      cpeterso
    3. Re:Don't Do That by mojumbo · · Score: 2, Insightful
      --- From the Paper ---
      The simple fact is that Microsoft KNOW that they cannot fix these flaws. The mechanism used is the Win32 API, which has been fairly static since Windows NT 3.5 was released in July 1993. Microsoft cannot change it. The only way they could stop these attacks is to prevent applications from running on the desktop with privileges higher than those of the user logged on. Microsoft believe that the desktop is a security boundary, and that any window on it should be classed as untrusted. This is true, but only for Windows, and because of these flaws. Either way, Microsoft break their own rules; there's numerous windows on a standard desktop that run as localsystem. Use my shatter tool to verify this - there's a whole load of unnamed windows which might be running as Localsystem, and a few invisible windows (like the DDE server) that definitely are. Security boundary my arse.
      ------ (emphasis mine)

      When ms quits writing desktop apps that are vulnerable, I guess everyone else will follow suit?

    4. Re:Don't Do That by pclminion · · Score: 5, Insightful
      Why can't glibc help make the world a better place by dropping dangerous functions, such as gets()

      Because that's ANSI/POSIX standard.

      sprintf()

      Because that's ANSI/ISO/C99 standard.

      strcpy()

      Because that's POSIX/ISO standard.

      strcat()

      Because that's POSIX/ISO standard.

      Are you done ripping on GNU now?

  5. Re:Is this really a security risk? by topham · · Score: 5, Insightful

    A user opens a damn attachment, which you've told them not to do a hundred times, but one of them does it anyway...

    No problem right, the attachment runs as that user and the damage is restricted? Only it isn't, because the attachment escalates itself to localsystem privledge and now starts really screwing around.

    With any luck it drops itself on the network somewhere and some other soul mistakenly runs it and it gets domain privledges...

  6. Re:Fixability by erasmus_ · · Score: 4, Insightful

    Finally, a constructive response to the problem. However, since you still don't have the capability of seeing what the source of the message is, I don't see how you can drop all of those messages with 100% certainty. Those API calls are there and are used legitimately as well, for better or for worse. So although your way coulf fix things, I wouldn't be surprised to see it breaking some applications along with it.

    --
    Please subscribe to see the more insightful version of th
  7. Re:Devil's Advocate... by Algorithm+wrangler · · Score: 2, Insightful

    But as long as M$ allows E-Mail clients and even Media Players to execute random code at will, the "local user" is a matter of definition.

    --
    -._''_.-
  8. Re:Take control? by Anonymous Coward · · Score: 1, Insightful
    Wow! If it works for your system then anyone else who it doesn't work for must be a liar!

    Jerk. (it crashes for me too)

  9. It's not even this hard by leshert · · Score: 3, Insightful

    If you have physical access to the box, there are n ways to get your code executed in a Windows app. WM_TIMER (the callback version) is one, as are window hooking, CBT hooks (computer-based-training, although I've never seen it used for this purpose) forcible DLL loading (if you have access to the Registry), debug process attachment, CreateRemoteThread, thunking well-known DLLs (which is why Red Alert 1 won't play on Win2K without a patch--they can't thunk kernel32), etc., etc., etc.

    Windows programmers have been using these methods for non-evil reasons for many years--the "3D look" of MS Office apps before Windows 95 was done this way.

    The insecurity of the desktop model for Windows shouldn't surprise anyone. It wasn't designed to be secure OR multi-user, and patching after the fact doesn't make it so. It's comparable to complaining that telnet and ftp send passwords in clear text. Well, no kidding, they weren't designed to be secure, so they're not.

    And like the case of telnet, making a secure but still 100% backwards compatible solution is pretty much impossible, as the article states.

  10. Yes, but who's fault is it? Not MS'! by Otis_INF · · Score: 4, Insightful

    When I put a service on Win2k, running under 'System' and that service listens to a port and executes all the crap that is posted to that port, is it MS' fault? No. It's the fault of the developer of the service.

    Now, under win32, the application you start, runs under the user you log in with. The virusscanner window in the example, SHOULD run under the user that is logged in, but instead, it's a GUI created from the service, running under 'System'.

    Bad programming. Not from Microsoft, but from the Virusscanner developer. They should have created, AS stated by MS, a GUI less service (the virusscanner engine) and a GUI application which talks to that service via a named pipe or any other process communication mechanism. That GUI should then be started by the logged in user (since that user sees the gui and works with it), so there wouldn't have been ANY flaw like this, since the GUI isn't ran under 'System', but under the user who's logged in, in the example the 'guest' account.

    It sounds serious, it's absolutely nothing.

    Oh, and it takes a local user to exploit it. Get a huge hammer and give it to the local user. Ask that user to smash the computer. There ya go, a DoD attack which isn't fixable, you can get that attack-script at any hardwarestore.

    --
    Never underestimate the relief of true separation of Religion and State.
    1. Re:Yes, but who's fault is it? Not MS'! by Jerry · · Score: 2, Insightful
      it sounds serious, it's absolutely nothing.

      Which is exactly why MS boxes get hammered over and over and over, or they act as platforms for DoS attacks over and over and over.

      It's not the drunk's fault, someone keeps putting curves in the road.

      --

      Running with Linux for over 20 years!

  11. Re:Is this really a security risk? by irix · · Score: 3, Insightful

    I've got news for you: local priviledge escalation exploits are still exploits.

    Sure, it isn't as serious as a remote exploit. However, if you take the stance that once a user logs on to your system then you are 0wned, you don't have a real multi-user O/S. What is the point of having multiple user accounts with priviledge separation if you don't fix local exploits? Would you give every user on a system you admin root (Adminstrator) privs?

    The fact that Microsoft is dismissing a local priviledge escalation as "not a problem" just tells me they still don't understand how to make a real multi-user enterprise O/S.

    --

    Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
  12. Re:Fixability by Wrexen · · Score: 3, Insightful

    The basic idea would be to install a WM_GETMESSAGE hook. Contrary to what the writer believes, all messages must go through the queue. No two ways about it. At the hook level, we just examine the message and look for suspicious activity. Simplistically, all that really needs to happen is to look for EM_SETLIMIT and cap the WPARAM at some small value. It might also be good to remove callback addresses from WM_TIMER, or add verification (is the destination address part of the loaded executable space?). Most applications won't use the callback feature of WM_TIMER anyway.

  13. Re:Take control? by MORTAR_COMBAT! · · Score: 5, Insightful

    completely agree. nearly ever XP and 2K blue screen i had was due to:

    1) faulty hardware, e.g., bad memory chip
    2) incredibly bad driver (which admittedly shouldn't crash the OS... but that's another discussion)
    3) incredibly, incredibly bad software (which again shouldn't crash the OS... but that's yet another discussion)

    --
    MORTAR COMBAT!
  14. Re:Is this really a security risk? by dzym · · Score: 2, Insightful
    For that specific instance, you disable floppy access to the computer.

    Remove floppy drive, disable floppy drive in BIOS and then password it, or simply configure the ACL to not allow floppy or CD access for anyone who is not an administrator.

  15. Re:Executing untrusted code by fanatic · · Score: 3, Insightful

    then Dotnet will be in place and the party will be well and truly over.

    yes and no. MS will (probably) eventually bring down the number of security bugs (though with their insistence on features,features,features and their gratuitous changes to APIs and protocols used to foil competition, it will never be 0 or even real low), but the real problem with Microsoft is not the stuff they do accidentally, it's the stuff they do with full knowledge and intention.

    For example, if your files are in some proprietary format and you lose the right to run the software that reads that format, who owns your data? Before you scoff, remember that MS was one of the drafters and promotors of UCITA, which would/will permit software manufacturers to turn off software that they believe is not licensed correctly. (aka "electronic self help" - there are numerous ways to accomplish this even if you're behind a firewall.)

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  16. Nice try by The+Bungi · · Score: 3, Insightful
    This is very interesting reading (not). This dude is a 30-something loser wannabe hacker that throws away all measure of the respect he was trying to obtain by peppering his "paper" with 1337 speallingz like "0wn" and "sploit" to feel more in the know.

    His "technique" is kidde fare, nothing any experienced Windows developer doesn't know. His whole premise is based on the idea that "running as SYSTEM" is bad - SYSTEM is designed to be used to run non-interactive services such as SMTP or MSMQ. Installing a service requires administrative rights, as does telling the SCM (Service Control Manager) to allow a given service to interact with the desktop. Microsoft's response is the one I expected to see given how long this "vulnerability" has been known. If you must run a service that interacts with the desktop, run it under a local account which can be locked down and prevented from doing specific things. If anything, this is more the AV vendor's stupid mistake than anything else.

    There are tons of actual, real vulnerabilities and problems in Windows (outside of IIS), and most of them reside in the shell code. But those are significantly more difficult to get at than this.

    So Mr. "Foon" has proved himself a real bofoon, showed us he sorta kinda understands the process messaging architecture and he knows how to use a debugger and, h^xx0r him, netcat. Woopdedoo!

    Not to criticize the editor's "integrity" of course. Who would even consider posting this article for half a million people to see before checking the facts.

    Hey, I know! I'll get a website, a kewl IRC handle like "boon", post some techie-sounding text related to some vague problem with Windows and then call it a paper.

    1. Paper
    2. ???
    3. Recognition! Fame! Fortune! Girls! Coverage! Beer! Girls!
  17. Re:Virus in his code by silentbozo · · Score: 3, Insightful

    In his notes he mentions "Yes, I know that I should have written my own shellcode."

    I'd take that to mean he's "borrowed" a portion of the W32.Beavuh exploit to show that remote shell priveliges can be granted using his window messaging exploit. Of course, since this looks like it's live, I wouldn't recommend running it on a production machine hooked up to anything...

  18. Re:Virus in his code by kawika · · Score: 5, Insightful

    Duh! The exploit is *intended* to be malicious code that causes a buffer overrun in an application and could be used to break into a system. That's the point!

    Hint to moderators: Try "Funny" next time.

  19. This is a flaw by ChaosDiscordSimple · · Score: 3, Insightful

    At lot of people are saying that this is an application level problem and not a flaw in Windows. That is wrong.

    The core result of the attack is that it is impossible for a high privilege program to display a GUI interface to a low privilege user. That is a silly limitation, certainly one that that other GUI systems like X Windows do not share. Sure, you can work around the weakness by having a low privilege GUI talk to a high privilege service over a local socket, but it shouldn't be necessary. This gross "fix" will complicate the situation, potentially opening additional security holes.

    Microsoft tried to deflect the issue by hiding behind, "If the user is local to the machine, or can run his own binaries, he owns your machine." It sounds nice in theory, but falls apart when the "user" in question is actually an opportunistic virus looking to add the machine to a distributed denial of service cluster. Many corporate environments lock down the machines not for fear of user attack, but to limit the damage of viruses and other malware. If the malware can exploit this technique to gain elevated privileges, your security steps are worthless.

    Ultimately, with a bit of care, a high privilege program should be able to safely interact with a user through any means, be it command line, GUI, network, or otherwise. If the operating system makes this impossible, the operation system has a flaw.

    1. Re:This is a flaw by kevquinn · · Score: 2, Insightful
      It is perfectly possible to write the VirusScan thing properly in Windows. Microsoft even tell you how to do so, if you read all the stuff they've written about writing services, desktop apps and the like. Which you could reasonably expect a security software vendor to have done.
      a high privilege program should be able to safely interact with a user through any means, be it command line, GUI, network, or otherwise
      I disagree. It is unreasonable to expect the operating system to protect you from all possible types of badly written application. A high privilege program should restrict all means of interaction to a strict set that it can control and verify. In the case of VirusScan, the service should not be opening windows. By all means write unprivileged command line, gui, network etc applications which can use the single strictly controlled interface that the service handles, but don't expect to write the service to cope with any kind of input channel and demand that the OS protect you.

      The simple (and obvious) way to write such software, is to write the privileged bit as a service (somewhat analogous to a daemon in Unix), and the GUI as a separate unprivileged user-land app. The service runs with whatever privileges are granted it, independent of the priviledge of the user logged in. The separate GUI application, running in the user space, communicates with the service by whatever method is convenient (defined strictly by the service). The service then checks all communications it receives for validity etc before processing any of it. This means that as long as the service checks its inputs properly, no malicious GUI app can force it to do things it shouldn't be doing.

      The point is, Windows NT does not make this impossible. It does make it possible to write crap software that compromises security, but hey that's the case with any operating system. It's quite possible to write a 'su' replacement that doesn't check passwords, for example - there's a command line app idea that the OS won't protect you against, and it'd be handful of lines of C code.

      It takes administrative rights to install the software; that's when it gets its privileges. In this case, it takes admin rights to install VirusScan, and that's when the security got compromised - the installation gave privileged rights to an application which opens windows on the user's desktop. I'm also not convinced that X isn't susceptible to the same issue; as far as I'm aware X uses a message queue to communicate between windows, the user etc - there's nothing in X to say you can't cause a buffer overflow in an application by sending it a malicious message, it's up to the application to check its inputs, and that includes its messages.

      One thing this does show, is that closed-source software can't be trusted in the same way that open source can. It's a lot harder to perform a useful security audit on your system if you don't have the source code to the privileged applications you want to install. How would you determine that VirusScan violates the design guidelines for secure services, short of cracking it (which presumably violates the DMCA of course)?

      Of interest, I wonder if the McAfee stuff has the same basic design flaw...

  20. Re:Executing untrusted code by dvdeug · · Score: 3, Insightful

    Dotnet (and Java) represent a quantum leap in the "securability" of a platform and one to which Linux has no answer

    Well, Java runs on Linux, and .Net is being implemented on Linux, so we can use the same answers. Also, User Mode Linux lets you run a full environment in a sandbox, with no modification to existing programs. That's better than anything Java or .Net offers.

  21. Re:Take control? by dangermouse · · Score: 2, Insightful
    Pray tell, how are points 2 and 3 separate discussions? Windows XP is an operating system, ostensibly. If it lets applications throw it to the ground whenever they feel like it, then it has a serious stability problem. "But it's the apps!" is a lousy defense, since running the apps is the whole point.

    This is not a commentary on XP's stability. I wouldn't know (and I have trouble believing 26 re boots in a day... that's insane). I just find your argument a little bit disingenuous.

  22. reply to this: by RelliK · · Score: 3, Insightful
    Either way, Microsoft break their own rules; there's numerous windows on a standard desktop that run as localsystem. Use my shatter tool to verify this - there's a whole load of unnamed windows which might be running as Localsystem, and a few invisible windows (like the DDE server) that definitely are. Security boundary my arse.

    The author has addressed Microsoft's response in his writeup. Given that there are numerous windows running as LocalSystem on any desktop, Microsoft's response is a load of tripe.

    --
    ___
    If you think big enough, you'll never have to do it.
  23. This is the absolute stupidest thing Ive ever hear by gamorck · · Score: 4, Insightful

    Look... I'm in no hurry to defend Microsoft but being as I develop for their OS on a daily basis - its common knowledge (or should be) that anybody who runs a service under system privileges that presents a GUI to any old user - is a fucktard that simply needs to die. Yes this problem can be fixed by MS using the 2nd option indicated in the paper and yes it would mean these crappy designed apps written by third parties would have to be rewritten.

    Microsoft specifically reccommends that you do not run services and allow them to interact with the local desktop. Doing so is security suicide. Thats how VirusScan was running. Therefore its a McAfee issue since there are about a bazillion better ways to write this app.

    J

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  24. Why are people pretending this is not a problem? by tlambert · · Score: 3, Insightful

    Why are people pretending that this is not a problem with the design of Windows?

    It seems perfectly obvious to me that all you would have to do to fix this would be to associate applications credentials with messages as they are passed around, and not permit messages from a process with a lower priviledge to be sent to a process with a higher priviledge, unless a security association is established.

    This would mean changing the messaging API, but it's fixable. It would merely mean recompiling all third party code that needed t communicate across priviledge boundaries, and adding code to programs designed to operate at higher priviledges to accept the new message type, rather than dropping it on the floor (making that the default), and make a decision based on that.

    This is the standard "capabilities" security model, and is the same model that used for NT file permissions, in terms of a hierarchical inherited rights arrangement.

    There would be a significant impact on "remote control", some install tools, and other packages that are not written with the idea of priviledge domain seperation, but it's *possible* to fix.

    -- Terry

  25. Re:Evolving Concepts at Microsoft are Frightening by rseuhs · · Score: 4, Insightful
    Actually, the most important part of Microsoft-trustworthy computing is:

    "We don't trust you."

  26. Ummm NO by spacefrog · · Score: 4, Insightful

    How are you arriving at the conclusion that this dialog runs with system priviliges?

    IT DOESN'T

    The GUI comes from a DLL running inside the process space of MMC.EXE. It uses a fairly secure RPC/IPC mechanism to talk to Windows.

    A simple trip through spy++ will even tell you the owner process in about 5 seconds.

  27. Re:sprintf is the wrong analogy by J.+Random+Software · · Score: 2, Insightful

    Only a similar problem. Unless there's something dire about xlib that I've forgotten, POSIX systems don't tend to bundle user interface libraries that accept messages from any user, interpret a field as a function pointer in the server's address space, and immediately call that function whenever the app doesn't specifically overrides that behavior. That's somewhat exploitable even if you don't have a buffer overrun to take advantage of.

  28. I'll throw my hat in too I guess... by Mongoose · · Score: 3, Insightful

    Windows NT/2000/XP all have problems with applications running at 'System' or another level below 'Administrator' ( root ).

    For example:

    1. Setup a win2k box with a user, and make it so that this user can only run the app MS Word using your little GUI profile editor.

    No write access to drives, no shell, etc.

    2. Log in as that user.

    3. Now run MS Word and...

    Press Alt+F11
    Press F5
    Enter "wolf" as the procedure name
    Enter "Shell "cmd.exe", vb.normalfocusfoo"
    Press F5

    Now using commands like 'control userpasswords' you can fuck up your nice little system.

    Also using command.com ( 'NT DOS' ) with your macros you can get beyond kernel rescrictions, which is like the ntsd kernel debugger bug a while back that the patch didn't fix.

    Basicly you can still 'own' a network with your garden varity macro virus still.

    Hell, I consider it a feature -- you forget your admin password or want to install something by sending a 'macro agent' around the network.

    Also don't forget XML+IE+Outlook, DDE, and OLE holes. Btw I never report these exploits I find... I guess BugTraq hates me.

    --

    Yes, this is why you have to reimage windows so often besides dll hell...

  29. Shoddy work, mistake in the whitepaper! by dannannan · · Score: 3, Insightful

    This white paper makes several allegations, not the least among which is that there is no way for a user-mode app to mitigate the security risk it presents. This is untrue, however, and appears to be the result of a failure to investigate properly on the part of the author! User mode applications can be rewritten to guard themselves against malicious Win32 message-based attacks. That's because every user-mode app has full say in how every message is handled, contrary to the white paper.

    From the paper: "As far as I know, the message [WM_TIMER] doesn't even go into the message queue, so the application doesn't even have a chance to ignore it."

    The previous post follows the theme with: "It's like opening a socket for doing basic network communication and Windows API allowing certain pre-determined 'helper' messages to be handled by OS before your app has any say to handling."

    Dave at Microsoft did a thorough investigation with the developers who were familiar with the relevant code and replied to the author before he released his white paper (8/5/2002): "It is the implementer of a program that decides what messages to handle and how to handle them."

    The author could possibly have arrived at his erroneous conclusion by writing a test app and monitoring calls to a message handling routine when certain types of messages were sent to the app. Observing that a WM_TIMER message sent to the app was processed without the application-supplied message handler being invoked, one might conclude that it is therefore impossible for an application to guard against WM_TIMER-triggered attacks. This test is flawed.

    The standard message dispatching pattern you'll find in common Win32 programming books (e.g. "Teach Yourself Windows 95 Programming in 21 Days" by Charles Calvert) and even in sample code from Microsoft goes like so:

    1. Wait for a message to arrive in the queue (GetMessage)
    2. Optional logic to crack certain types of messages for easier handling later (e.g. TranslateMessage)
    3. Dispatch the message for handling by an application-specified handler routine (DispatchMessage).
    4. Repeat until a special message arrives that breaks the loop.

    No message is processed until the application calls DispatchMessage. DispatchMessage contains special-case logic which handles WM_TIMER and WM_SYSTIMER events *without* invoking the application-supplied message handler, which is why tests similar to the case I mentioned above don't show a call to the message handler for WM_TIMER messages. However, the message will only be processed if the app calls DispatchMessage.

    Applications can guard themselves by inserting a (possibly non-trivial) step 2.5 into the pattern above: security filtering of messages prior to dispatch.

    So, the basic Win32 thread messaging API calling patterns are flawed when used in situations where applications with different privilege levels coexist on the same desktop. Dave already pointed this out in his email response to the white paper author on 8/5/2002. Message filtering needs to be added to those specific applications in those cases if there is to be any measure of security.

    Also, the most privileged service applications (those that run as LocalSystem) can't create windows on the interactive desktop by default, which means that they aren't vulnerable unless someone checks a box that says that they should be! That feature must specifically be enabled (see the "Allow service to interact with desktop" checkbox in the Services UI). Services that run in security contexts other than LocalSystem don't even support the "interact with desktop" functionality.

    The conclusion of the whitepaper -- that there is no way to write a service to be secure -- was not proven. The author should have done a better job of investigating his claims before publishing this paper.

    This really boils down to a case of poorly written services exposing more "services" to users than they intended to. Several good posts on this /. topic echo that too. At least we've raised awareness.

    D

  30. Re:What a load of tripe. by dannannan · · Score: 2, Insightful

    Actually your WndProc will never be called in response to a WM_TIMER message. WM_TIMER messages are handled by a special case inside DispatchMessage, which is where the jump to the callback occurs. If you want to intercept WM_TIMER messages, you need to intercept them prior to calling DispatchMessage.

    D

  31. Re:WARNING Virus in article download!!!!!!! by Anonymous Coward · · Score: 1, Insightful

    I don't think it's a virus *per se*. It's just shellcode
    which your anti-virus software probably matches to the
    signature of a known virus.