MS Message Security Flaw Explained

Geoff Shively writes "Canadian security researcher Oliver Lavery published a fantastic paper on Win32 Message Vulnerabilities. The paper touches on a the Shatter problem that received much attention almost 1 year ago regarding the fundamental flaws in the Win32 API. Oliver's research demonstrates that the Shatter vulnerability is still very much in existence and quite a threat. Vendors need to wake up and work towards fixing this problem in their applications."

Venders problem?

[Trevelyan]

Why should venders fix this it an OS problem and Microsofts fault. Working around bugs only lead to more bugs and problems.

Reminds me of a CS class I once had, the lecture (admittedly a unix advocate) was explaining a problem with software deadlines. ie release now (for market reasons) and fix problem later:
-MS build next version of Windows and Office at same time, so that they can release together.
-Office is tested on beta versions of windows, which obviously has bugs, the Office peeps work around the bugs.
-mean while the windows peeps fix the bugs
-near release office found not to work right because it is trying to work around bugs which aren't there. (Why they let an Office app play voodoo with the OS is up to you to decide)
-need to release on time, so put bugs back in windows problem sorted.

It will be difficult for MS to fix the message system w/o breaking old apps.

Re:Venders problem?

[jpu8086]

why are you spreading FUD, when you yourself admit the prof. was a unix zealot.

now, how in the *hell* is he a credible source of what microsoft does -- when he doesn't even care about them?

he is spreading FUD, and so are you. if you had read the report, (which i bet you didn't because your post has nothing relating to article) it has a link to slashdot for "operating system zealotry." now, this a prime example of that.

please, stop bashing microsoft without substantial proof. and if you have that, don't ingore the flaws of others who do the same (ie, just about everyone else in the commerical shrink-wrap software business).

Re:Venders problem?

[pldms]

Why should venders fix this it an OS problem and Microsofts fault. Working around bugs only lead to more bugs and problems.

I agree absolutely. Letting any app call any function as described in the paper isn't a smart idea (I assume it predates multiple users in windows, but still...).

However Microsoft's advice is sound. Having setuid apps is always hairy - anyone remember Apple's moment of shame? There's a little bit of guilt on the vendor side, too.

Re:Venders problem?

It's not an OS "problem" -- it's a design issue. The "desktop" is designed to be a security boundary within which programs can send each other I/O. If you insist on running a privileged program within the desktop, you deserve what's coming.

The original author even indicated that Unix/X11 probably suffers from the same issue, except there's no exploit code yet. Anyway, it's like running "pine" as root, and then blaming Unix when the user shells out somehow.

Bottomline is that there's absolutely no reason that vendor control panels need to run as SYSTEM just to send messages to whatever service it controls. None of MS's stuff works that way.

Re:Venders problem?

[David+Leppik]

It's not an OS "problem" -- it's a design issue. The "desktop" is designed to be a security boundary within which programs can send each other I/O. If you insist on running a privileged program within the desktop, you deserve what's coming.

The original author even indicated that Unix/X11 probably suffers from the same issue, except there's no exploit code yet. Anyway, it's like running "pine" as root, and then blaming Unix when the user shells out somehow.

This is a well-known and very old problem with the design of X. I heard about it in college, back in the early '90s. If you were to design a windowing system these days, you might be smart enough not to use function pointer addresses in shared memory for interprocess communications. But back when X (and windows) were first desgined, they had neither CPU cycles nor the memory to do it right. Arguably X had less excuse for poor security, since it was designed as a multi-user system for running GUIs across the Internet.

Re:Venders problem?

[ahto]

This reminds me of the (now rather old) Fuzz papers.

Shatter

[shadowbearer]

Y'know, I've had the shatter attack paper on my bulletin board since the original slashdot article, and I've seen few references to it since.

Anyone know if this has been successfully used in the "wild"? Is Microsoft even taking this seriously?

Enquiring mind wants to know.

SB

Re:Shatter

Most people don't take this seriously because it involves running an interactive program as LocalSystem, which is a documented no-no.

Flawed from the beginning

[norwoodites]

Looks like the event model for Win32 was flawed from the beginning and should have changed long ago. Looking at the Mac event model (Carbon Events and even the WaitNextEvent/GetNextEvent), there is no passing of functions to the event handler at all so why did M$ design it that way back in 1993 I do not know.

Re:Flawed from the beginning

[ClosedSource]

Obviously to be backward-compatible with legacy apps that go back a lot further than 1993. Even in 1993 most PC's were not connected to the Internet, so the risk was pretty remote at that time. It's still fairly remote even now.

Re:Flawed from the beginning

[Webmonger]

AFAICT, the model could be "fixed" by preventing applications from sending events to unrelated applications. (You'd need to permit threads and processes to send events to the thrreads and processes that spawned them, I guess.) Of course, this only works if events aren't supposed used for general IPC.

Re:Flawed from the beginning

Old versions of MS Office and the like used messages to do IPC. In fact, that sort of "integration" was the whole reason people started using Windows in the first place.

Re:Flawed from the beginning

[ratfynk]

The reason why MS event handling is the way it is, is simple, the Win32 API uses common dlls so that programmers do not have to re-write functions. The problem lies when malloc gets mis-appropriated and function calls leave buffer overflows. This often happens because the programmer is essentially writing blind and trusting that their code will not conflict with a call to system dll. You are expected to code for Windows essentially blind as to how proprietary functions allocate.

The strength of open source is that if you do have a buffer problem you can find where it is happening, with MS you have to call home to Mama. So programmers just leave buffer overflows in their source, because to fix them they would need tech support from Microsoft. To fix them would be too time consuming.

Here we go again

[The+Bungi]

Here's my response to that "article".

Leave it to Slashdot to try and wring every last drop of blood from anything that even remotely smells like a "vulnerability", right up there with JavaScript that changes my wallpaper at the behest of evil Romanian hackers - I've always wondered why all those Unix/Linux exploits I see in Bugtraq and SecurityFocus and RedHat advisories don't get so much publicity.

Re:Here we go again

[UnknowingFool]

Er, um. Did you RTFA? The author noted that the vulnerability existed but was not as serious as originally described. The author also noted that in some fault lies with the developer for not following MS guidelines for security. The article did point out that some serious vulnerabilities that *could* exist with similar Win32 API calls and demonstrated how these would work. Overall, the tone of the article was informative not zealot.

Re:Here we go again

[njan]

Pity I ran out of mod points yesterday evening. :(.. mod parent, anyone..

Interestingly, the .NET framework...

[Homology]

is not mentioned in the article. This new framework is claimed by MS to be much more secure, but we still have to live for a long time with "old" WIN32 applications.

How will "old" style WIN32 message passing be affected by .NET managed code respective to this security hole?

question?

[dh003i]

Why are we doing MS' work for them? Pointing out these flaws only helps MS to fix them.

If anything, we should be pointing out flaws in FS/OSS software so that we can make that better.

Re:question?

[clambake]

Pointing out these flaws only helps MS to fix them.

Microsoft? ... fix? ... vulnerabilities? I understand the individual words, but somehow they don't seem to make a comprehensible sentence.

I'm glad to see other discussion of this.

[Futurepower(R)]

I had a section on the shatter attack and the messaging vulnerabilities in my paper, Windows XP Shows the Direction Microsoft is Going, but I got so much hostile feedback on message boards from people who said it did not exist, or it was not the fault of Windows, that I took the section out.

The shatter attack is a local attack only, that allows a logged-on user to elevate to administrator. Microsoft has recently (July 9, 2003) documented one messaging exploit: Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (822679). But what does Microsoft know, right?

Apparently only two or three exploits of Windows messaging have been published. However, it seems reasonable that there are others.

The whole question gets some people very upset. They say that it is the fault of whoever wrote a vulnerable application. But look at what's in Windows memory at any one time. There is a huge amount of stuff written by numerous people. It seems to me that it doesn't matter to the user how the vulnerability got there, a vulnerability is a vulnerability. If you use Windows, you are trusting numerous programmers to know how to pass messages because there is no authentication system.

Consider this post by Uller-RM. He says, "... he [the attacker] adjusts the size of a textbox using an outside program to 4GB. (Windows unfortunately allows this, since the message format doesn't include a "sender" field to check against the owner handle.)".

Yes, it is unfortunate. And fixing it requires a rewrite of Windows that breaks all present applications. Am I wrong about any of this?

I'm not saying I understand everything about this, but I don't have time to investigate it further. I have to go back to writing a letter to a customer.

Re:I'm glad to see other discussion of this.

An authentication system is entirely the wrong approach. That's like requiring authentication among all the SMTP servers in use on the Internet. Free communication is the point, not the problem.

Every application within a user's space has always been fully accessible to everything else in that space. This concept exists nearly everywhere in the common computing world. Think about it: what does a debugger do? Where can you use it?

The only security issue here is when application designers don't think about privilege spaces. For old-hat Windows people working on desktop applications, this is a new concept compared to the 9x days. Most of them aren't trained to think in terms of privileges anyway.

As a vulnerability, this problem quite simply DOES NOT EXIST when application designers follow the security boundaries properly. This is not something Microsoft should address in the Windows API.

Re:I'm glad to see other discussion of this.

...however, as a followup, there is something Microsoft could set up that would have minimal impact on existing, properly designed applications.

Message space filtering. By default, configure messages such as edit box length settings to be private to the application, and filter them when sourced from external threads.

Re:I'm glad to see other discussion of this.

[vadim_t]

And some proper limits should be enforced too.

IMHO, a GUI should only give a program a window. Why should a program be able to mess with other programs that are running, or to read my screen? It should have its window, and that's it. For example, if Windows required you to confirm that you allow a program to read your screen or get a process list, then things like BackOrifice would become considerably more difficult.

Re:I'm glad to see other discussion of this.

You are correct in so far as there is no access checking within a desktop so a privileged process attached to the desktop of a less privileged user can be sent arbitary messages. But fixing the problem only requires that privileged processes run as services on a private desktop and any control program communicates with them using some other IPC mechanism like named pipes.

Re:I'm glad to see other discussion of this.

Actually you can run programs without the permissions to read the screen or get a process list but it would be very inconvenient to do so by default and if a user is going to run an executable they get via email in a special, less privileged mode why bother running it at all?

You don't understand.

[Mensa+Babe]

Why are we doing MS' work for them? Pointing out these flaws only helps MS to fix them.

You don't understand. Here on Slashdot we all understand those issues and we all know that we shouldn't use any software written by Microsoft. But that's not the point. Unfortunately Slashdot is not the whole world. There are people who use this software and they would have no idea about those flaws if we didn't talk about them. We cannot ignore people just because they are uneducated or incompetent, because they are the majority of our society. Do you think Microsoft would tell those poor people that there are flaws in their software if we didn't find and try to exploit them? I don't really think so.

If anything, we should be pointing out flaws in FS/OSS software so that we can make that better.

O course we do. Free software has just much less flaws than the proprietary counterpart and that is why you can see much more Slashdot articles about fatal flaws in Microsoft Office than any flaws in TeX. The same is true with ISS and thttpd, et cetera.

Prevention

[hackwrench]

How hard and how crippling would it be to disallow non-privileged apps from sending to priviliged apps. That shoud fix the problem. And if for some reason two apps accross the boundary need to talk to each other, it could be designed to let the administrator link their message queues.

Re:Prevention

[statusbar]

But... Does the mouse pointer and keyboard qualify as a 'priviledged app' ? If no, then the privileged apps would not be able to get interactions via mouse and keyboard. If yes, then we still have all sorts of problems.

Maybe the real issue is that 'privileged apps' should not have a gui! Take a look at how Mac-OS X handles the same concepts. The gui can not run as root, it can only execute another specific program as root if the appropriate authentication is passed.

--jeff++

One possibility...

[Futurepower(R)]

One problem is that an old application would not be prepared to deal sensibly with the denial of access. Maybe Windows could put a message on the screen.

or perhaps...

[dh003i]

it's that we want to see the flaws in MS because we dislike their software for practical and ethical reasons.

However, pointing out flaws in MS software only helps MS. Very few people will change from MS to anything else, no matter how many flaws there are on it. It came with their computer, and they are of course too stupid (or so they think) to do anything else without borking their computer. So, by act of god, they're stuck with MS.

And, of course, MS can take any criticism of its software and use that to better its software. When confronting an opponent, you don't tell him of all the weaknesses you see, do you?

Re:or perhaps...

Who is "we"? The authors of the paper are obviously low-level Win32 programmers and it's doubtful they would include themselves in your high-school M$ H8T0RZ clubhouse with your two imaginary friends.

What do you think?

[Futurepower(R)]

This seems very sensible. I was thinking in broader, and maybe not completely technically accurate, terms. I was thinking of message space filtering as a kind of automatic authentication. This would not break existing applications.

It has been claimed that it is possible to use the shatter attack against a clean install of Windows XP. It has been claimed that system processes are vulnerable to this attack. What do you think?

Re:What do you think?

If so Microsoft would have been ignoring their own security advice.

Re:What do you think?

IIRC a couple of updates have been released for Windows XP to correct the system processes that were vulnerable. I don't have the details, but I seem to remember those appearing shortly after the initial Shatter paper.

NT does have a very nice security model for nearly all kernel objects, and it extends to things like process handles (IDs, interfaces). I don't believe it currently extends to the messaging framework, but it probably could be without too much difficulty. That would allow processes to easily control which other processes can access them. Some problems appear here with the system-wide messages though -- things like power management notifications can actually be sourced from other processes.

One major point the Shatter paper brought up was in regard to the WM_TIMER message handling. In the default configuration, it was intercepted by the Win32 user layer (outside the application's control) and handled (badly). It's difficult for applications to do their own filtering at this level.

It seems I keep changing my views from my original post -- things like this should indeed be addressed in the Windows API. I still maintain that these are not necessary for security issues, but they would certainly help for application integrity.

You completely fail to understand it.

[Mensa+Babe]

And, of course, MS can take any criticism of its software and use that to better its software. When confronting an opponent, you don't tell him of all the weaknesses you see, do you?

An "opponent"? Well, I don't actually know you, you are apparently a CEO of Apple, I don't know, if Microsoft is your "opponent." This, or you are one of those "leat" Linux cheerleaders I've been hearing so much about. No, Microsoft is not an "opponent" for free software movement. In fact, look at where Microsoft was back in 1971-1983. It is not "coolness" (or "leatness" if you will) competition. I want to make it clear: If Microsoft suddenly patches every flaw, including the EULA, and releases a great free software project, I will tell everyone to use it. Period

Limiting scope of messaging?

[cait56]

Allowing "ad hoc" messaging between programs is one of the best methods for allowing users to customize interactions between seperate applications. This was applied with great success using ARexx on the Amiga, and some using OSA/Applescript on Mac OS.

So I do not believe it would be a good general solution to limit messaging to those paths pre-envisioned by the vendors themselves. Letting the reciever know what authority context the sender was operating in would be a better approach.

Re:Limiting scope of messaging?

[Webmonger]

Providing an authority context in the message solves the problem by putting the burden on vendors. Remember, vendors were s'posed to be avoiding this problem already, by using a non-privelaged UI (like, say, SSH does).

Since vendors don't place a high enough priority on security, it seems like someone is going to have to take care of it for them. If a program wants to accept messages other programs it should declare so explicitly.

Otherwise, what's to prevent a trojan from using QuickBooks to find out your credit card number? Both programs probably have the same privilages, but QuickBooks has access to data that no other program should have. Ad hoc scripting, by definition, permits this possibility.

Finally, I seriously question the value of accepting messages from other programs that cause you to execute a function of the other program's choosing. I can't see any legitimate use for this that justifies the risk.

get real

[dh003i]

Sure, if MS released everything under the EULA, it would not longer be the enemy. The superiority of software for GNU/Linux is another issue, entirely separate.

But that's not -- ever -- going to happen. So, since MS will never release FS/OSS, they are the enemy, and always will be.

I would like some security inside the OS.

[Futurepower(R)]

That seems right to me. However, in the real world can I expect all programmers to realize this and comply? If I could get it, I would like some security inside the OS.

How do Linux and BSD deal with this issue? Is there any way to achieve privilege escalation by interfering with other processes? I don't understand it well, but the answer seems to be no.

Re:I would like some security inside the OS.

"How do Linux and BSD deal with this issue?"

Unix deals with this socially. People wouldn't buy/run a program that pops up a desktop window owned by root. Other than that, it has the same issues.

IPC should be opt-in rather than opt-out.

[Futurepower(R)]

An additional point: I would like the cross-privilege interprocess communication system to be opt-in rather than op-out. There should be a special call for programs that expect to communicate across privilege levels. That would make it easy to write a report that would find all such programs. That way I could decide if I trusted those programs, and if they were corrupted by a hacker or not.

It seems sensible that the API for communicating across privilege levels would have special checking, and a system of reporting that could be started to resolve questions about the operation of any one system.

A trusted Apps

[Archfeld]

table seems like a fairly simple solution, maybve too simple I am sure I am overlooking somthing

Is it really that simple?

[Futurepower(R)]

Is it really that simple? Windows has numerous system windows that are hidden, that, according to the developer of the shatter attack, could also be used to implement the attack. My understanding is that Linux and BSD have nothing like that. In Windows, system windows are used for other purposes than GUI display.

Re:FP!

I have read your extensive flame and I object. I am not"secretive". (Anonymous Coward is my real name.)

Please, someone just shoot

[pair-a-noyd]

the damn thing and get it over with.

M$ is such a broken peice of crap that there is no repairing it.

Everything M$ puts out is virusware.