Slashdot Mirror


Shattering Windows

ChrisPaget writes: "I've just released a paper documenting and exploiting fundamental flaws in the Win32 API. Essentially, they allow you to take control of any window on your desktop, regardless of whether that window is running as you, localsystem, or anywhere in between. The technique has been discussed before, but AFAIK this is the first working exploit. Oh, did I mention it's unfixable?" You may want to read this CNET interview with Microsoft security head Scott Charney to learn even more about "trustworthy computing."

7 of 772 comments

  1. Fixability by Wrexen · · Score: 4, Interesting

    What's to prevent an administrator from installing a Message Hook that eats all EN_* or WM_TIMER messages sent between processes? Since your DLL would be living in each process space, you could detect inter-process message sending and block the attack from ever leaving the Shatter process. I don't see any reason why this shouldn't work.

  2. Have local access? Try Locksmith. by Futurepower(R) · · Score: 4, Interesting
    The method in the article seems like a lot of trouble.

    This software provides you a new administrator password: Locksmith.

  3. How do you rescind acceptance of the EULA? by burgburgburg · · Score: 4, Interesting

    When the Windows Media Player patch came out, I installed it on a box that I sometimes use. It was only later that I found out about the DRM component of the EULA. I immediately removed WMP. But does that legally rescind my agreement?

    I'm asking a legal question: does removal of the software constitute rescinding your agreement? Or if Microsoft has somewhere noted your initial agreement, is it in perpetuity? Does Microsoft permanently own that box?

    1. Re:How do you rescind acceptance of the EULA? by DavidBrown · · Score: 4, Interesting

      Well, if you violate the EULA, you are in breach of contract. If you remove the software, you will be limiting your damages to the damage you caused prior to the removal. But the real question is this: Is Microsoft going to sue you? No, unless there are damages.

      Is Microsoft damaged if you use their products to steal music? No, unless Microsoft gets sued by RIAA for providing software that facilitates your violation of copyright and then loses, after which they'll come after you in an action for indemnity. Until then, Microsoft isn't going to get anything from you in a courtroom because you haven't caused them any damage at all - and that means until RIAA and the MPAA sue Microsoft, you don't have anything to worry about.

      --
      144l. ph34r my 133t l3g4l 5k1lz!
  4. Re:Don't Do That by bwt · · Score: 4, Interesting

    sprintf() can't be removed without breaking literally thousands of stupidly-written apps which depend upon it.

    Isn't this precisely the set of programs that need to be broken, so they don't allow root?

  5. Re:Yes, but who's fault is it? Not MS'! by jasen666 · · Score: 4, Interesting

    Log onto your w2k box as "guest". Open the "computer management" window. Go down to users and attempt to add a new one. The dialog opens up. Yes, even guests can at least open the dialog. This dialog runs as system. I can use this exploit now. Thank you.

  6. Re:Don't Do That by ChrisPaget · · Score: 5, Interesting

    Actually, probably not - I researched this when writing Shatter. When you hit CTRL+ALT+DEL you actually switch desktops from the "Default" desktop to the "Winlogon" desktop. A program on one cannot interact with a program on another. There are functions to "open" a desktop and interact with it - however the Winlogon desktop is tightly restricted, and any attempts to open it are met with an Access Denied error.

    Either way, there are numerous windows (normally hidden) on a standard desktop that run as localsystem - it's possible to exploit some of them using the same techniques.
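As an added audit check (not code from this thread or from Paget's paper): the exposure discussed above is a window that lives on the interactive desktop but belongs to a process running under a different, more privileged account. This PowerShell enumerates the top-level windows on the current desktop through P/Invoke and reports each one's owning process and account, so an administrator can see which hidden windows run as something other than the logged-on user; the WinEnum helper class and the Get-DesktopWindowOwners function are names chosen here, not Windows APIs.

```powershell
# Added audit example: enumerate top-level windows on the calling thread's desktop
# (the "Default" desktop for a normal logon) and resolve the account owning each
# window's process. Run on a Windows host; an elevated shell resolves more owners.
Add-Type @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class WinEnum {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder buf, int max);
}
"@

function Get-DesktopWindowOwners {
    $rows = New-Object System.Collections.Generic.List[object]
    $ownerCache = @{}   # process id -> "DOMAIN\user", resolved once per process
    $cb = [WinEnum+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        [uint32]$procId = 0
        [void][WinEnum]::GetWindowThreadProcessId($hWnd, [ref]$procId)
        if (-not $ownerCache.ContainsKey($procId)) {
            $p = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
            $o = if ($p) { Invoke-CimMethod -InputObject $p -MethodName GetOwner } else { $null }
            $ownerCache[$procId] = if ($o -and $o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
        }
        $sb = New-Object System.Text.StringBuilder 256
        [void][WinEnum]::GetClassName($hWnd, $sb, $sb.Capacity)
        $rows.Add([pscustomobject]@{
            Handle  = $hWnd
            Pid     = $procId
            Process = (Get-Process -Id $procId -ErrorAction SilentlyContinue).Name
            Class   = $sb.ToString()
            Visible = [WinEnum]::IsWindowVisible($hWnd)   # hidden windows are the ones the thread points at
            Owner   = $ownerCache[$procId]
        })
        return $true   # keep enumerating
    }
    [void][WinEnum]::EnumWindows($cb, [IntPtr]::Zero)
    return $rows
}

# Report only windows whose owning process is not the logged-on user.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Get-DesktopWindowOwners | Where-Object { $_.Owner -ne $me } |
    Sort-Object Owner, Process | Format-Table Process, Pid, Owner, Visible, Class -AutoSize
```

On a current Windows release services run in session 0 and cannot place windows on a user's desktop, so an empty or near-empty report is the expected result; any entry owned by a privileged account on a Windows 2000/XP era host is the condition the thread describes.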