Free Republic
General/Chat


Exploiting design flaws in the Win32 API for privilege escalation.
Chris Paget ^ | 03/06/2002 | Chris Paget

Posted on 08/06/2002 2:31:20 PM PDT by sourcery



Navigation: use the links below to view more comments.
first previous 1-20 21-40 41-45 next last
To: sigSEGV
But that's not the case. Even in the reply email the author got, the writer explained it in simple terms, no?
21 posted on 08/07/2002 8:33:56 AM PDT by RedBloodedAmerican
[ Post Reply | Private Reply | To 11 | View Replies]

To: E. Pluribus Unum
As a matter of fact, Dude, Microsoft believes that bugs should not be publicized.

And where in that article does it say that MS is lobbying Congress to have laws put in place to outlaw disclosure? That was your contention. Put up or shut up.
22 posted on 08/07/2002 9:57:06 AM PDT by Bush2000
[ Post Reply | Private Reply | To 17 | View Replies]

To: sigSEGV
Why don't you just admit that the Win32 API was never designed for a multi-user environment and no one should be using it as such?

Dude, try reading a bit about NT security and ACLs. I don't have time to educate you.
23 posted on 08/07/2002 9:59:05 AM PDT by Bush2000
[ Post Reply | Private Reply | To 11 | View Replies]

To: Bush2000
Win32 API != NT. Read up on NT architecture. NT could just as well have run PM instead of Win32. What you see here is an example of how a UI from a system with weak protection is difficult to bring forward into one with strong protection. Apple chose to break with the past in OS X and confine old software to compatibility boxes.
24 posted on 08/07/2002 10:03:03 AM PDT by eno_
[ Post Reply | Private Reply | To 23 | View Replies]

To: Bush2000
And where in that article does it say that MS is lobbying Congress to have laws put in place to outlaw disclosure? That was your contention. Put up or shut up.

"The fact that [eEye] explained how the virus works, to the point of explaining how you execute the code that exploits it, was too much information," (Microsoft's Richard L.) Smith says.

Publishing bug exploits will be classified as an act of terror, Dude. You can get anything past Congress these days in the name of anti-terror. The DMCA already made it a crime to reverse-engineer encryption schemes. The precedent has been set to criminalize detailed examination of any proprietary code.

25 posted on 08/07/2002 10:08:35 AM PDT by E. Pluribus Unum
[ Post Reply | Private Reply | To 22 | View Replies]

To: Bush2000
DMCA and one company has already used it to quash bug reports.

26 posted on 08/07/2002 10:10:53 AM PDT by zx2dragon
[ Post Reply | Private Reply | To 22 | View Replies]

To: zx2dragon
DMCA and one company has already used it to quash bug reports.

I could care less about some random company. We were talking about Microsoft. Where's evidence that it has used or tried to use DMCA to squash bug reports?
27 posted on 08/07/2002 10:19:23 AM PDT by Bush2000
[ Post Reply | Private Reply | To 26 | View Replies]

To: eno_
Win32 API != NT.

No kidding, Sherlock. But Win32 does call into the NT kernel to do messaging and windowing.
28 posted on 08/07/2002 10:33:33 AM PDT by Bush2000
[ Post Reply | Private Reply | To 24 | View Replies]

To: sourcery
I don't understand why a "system/root" process, such as this anti-virus program, should be allowed to provide a GUI (with widgets such as edit boxes, buttons, etc.) to a "guest" user. Isn't this the crux of the problem?
29 posted on 08/07/2002 11:51:39 AM PDT by TheEngineer
[ Post Reply | Private Reply | To 1 | View Replies]

To: KayEyeDoubleDee
Windows NT Virtual Memory: Process Address Spaces
30 posted on 08/07/2002 1:09:34 PM PDT by sourcery
[ Post Reply | Private Reply | To 19 | View Replies]

To: TheEngineer
I don't understand why a "system/root" process, such as this anti-virus program, should be allowed to provide a GUI (with widgets such as edit boxes, buttons, etc.) to a "guest" user. Isn't this the crux of the problem?

The "crux" of the problem depends upon the assumptions one makes. The problems with Windows often result from more than one cause, all of which are necessary for a particular problem to exist. So naming one of the causes as the "crux" is like identifying one of the legs of a tripod as "the" leg that makes the object a tripod.

The problem isn't so much a particular note, musician or instrument: it's the symphony as a whole.

31 posted on 08/07/2002 1:16:48 PM PDT by sourcery
[ Post Reply | Private Reply | To 29 | View Replies]

To: sourcery
So that's how The Dark Side works!!! Thanks for the info.

(just kidding about the evil empire thing. I could just as easily make jokes about pigeon-holing myself into a Unix box)

32 posted on 08/07/2002 1:17:55 PM PDT by KayEyeDoubleDee
[ Post Reply | Private Reply | To 30 | View Replies]

To: Bush2000
HP is hardly some random company and even though they backed down (eventually), they have the right under DMCA.

You expect them to write laws for specific companies now?
33 posted on 08/08/2002 1:45:21 PM PDT by zx2dragon
[ Post Reply | Private Reply | To 27 | View Replies]

To: zx2dragon
HP is hardly some random company and even though they backed down (eventually), they have the right under DMCA. You expect them to write laws for specific companies now?

MS has been the target of a large number of bug reports and it hasn't ever asserted any legal rights under DMCA. Don't you ever get tired of unjustified paranoia?
34 posted on 08/08/2002 2:09:24 PM PDT by Bush2000
[ Post Reply | Private Reply | To 33 | View Replies]

To: sourcery
This isn't news. This is how automation testing software works. Everybody that should know already knows about hijacking the message loop. Don't think I've ever seen anybody use this for malicious code, and the message loop goes all the way back to the beginning, it's how Windows has always worked. Much ado about nothing.
35 posted on 08/08/2002 2:20:25 PM PDT by discostu
[ Post Reply | Private Reply | To 1 | View Replies]

To: E. Pluribus Unum
So you think MS is trying to put Charles Petzold in jail?!
http://www.amazon.com/exec/obidos/ASIN/157231995X/qid=1028842355/sr=8-2/ref=sr_8_2/102-4431279-7256124

I learned all about the message loop from the edition of this book that was current in '94 when I learned to program for Windows. Of course MS publishes the book so if they really wanted to hide this information it would be hidden. All that's happened is a few people put a couple of 2's together and learned the existence of 4.
36 posted on 08/08/2002 2:36:28 PM PDT by discostu
[ Post Reply | Private Reply | To 25 | View Replies]

To: discostu
This isn't news. This is how automation testing software works. Everybody that should know already knows about hijacking the message loop.

Certainly there are legitimate reasons for an application to send many types of messages to windows it doesn't own. Some of these pose some security risks if unrestricted (e.g. posting keyboard events) but are clearly useful in other cases. Others (e.g. 'save edit field to memory') have no legitimate cross-application use and are the source of the security holes discussed here.

37 posted on 08/08/2002 10:23:28 PM PDT by supercat
[ Post Reply | Private Reply | To 35 | View Replies]
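The distinction supercat draws in #37, and the "how automation testing software works" point from #35 and the "GUI to a guest user" question in #29, can be seen directly by sending messages to a window another process owns. The script below is an added example for this thread; it is not code from Paget's paper or from any poster. It assumes a Windows machine, a running classic Notepad window titled "Untitled - Notepad" whose text area has window class "Edit" (any window with an Edit child will do), and a P/Invoke helper type named U32 that the script defines itself. GetLastWin32Error is read immediately after the call because PowerShell may run other code in between, so treat the error value as indicative rather than guaranteed.

```powershell
# Added example for this thread (not code from Paget's paper or from any poster).
# Assumptions: classic Notepad is running with the title below and has a child
# control of window class "Edit"; the helper type name U32 is ours. Windows only.
$sig = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class U32 {
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpszClass, string lpszWindow);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, string lParam);
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, StringBuilder lParam);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool PostMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
}
'@
Add-Type -TypeDefinition $sig

$WM_SETTEXT = 0x000C; $WM_GETTEXT = 0x000D; $WM_GETTEXTLENGTH = 0x000E; $WM_CHAR = 0x0102
$ERROR_ACCESS_DENIED = 5
$targetTitle = 'Untitled - Notepad'   # assumption; any window with an Edit child will do

$top = [U32]::FindWindow($null, $targetTitle)
if ($top -eq [IntPtr]::Zero) { throw "no window titled '$targetTitle'" }
$edit = [U32]::FindWindowEx($top, [IntPtr]::Zero, 'Edit', $null)
if ($edit -eq [IntPtr]::Zero) { throw "no Edit control under '$targetTitle'" }

# Nothing in a window message tells the receiver who sent it. The only process
# identity in this script is looked up here, by the sender, purely for display.
$targetPid = [uint32]0
[void][U32]::GetWindowThreadProcessId($edit, [ref]$targetPid)
"edit control belongs to pid $targetPid; this script is pid $PID"

# (a) WM_SETTEXT: the receiving process copies our string into its own memory.
#     Before Vista the only requirement was a window handle on the same desktop,
#     so a Guest session could do this to a SYSTEM service's window. Since Vista,
#     UIPI refuses the call when the target has a higher integrity level and
#     GetLastError reports ERROR_ACCESS_DENIED.
$r = [U32]::SendMessage($edit, $WM_SETTEXT, [IntPtr]::Zero, 'written by another process')
$err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
if ($r -eq [IntPtr]::Zero -and $err -eq $ERROR_ACCESS_DENIED) {
    "WM_SETTEXT refused: target is at a higher integrity level (UIPI)"
    return
}

# (b) WM_GETTEXT: the reverse direction; the target writes into a buffer we supply.
$len = [U32]::SendMessage($edit, $WM_GETTEXTLENGTH, [IntPtr]::Zero, [IntPtr]::Zero).ToInt32()
$buf = New-Object System.Text.StringBuilder ($len + 1)
[void][U32]::SendMessage($edit, $WM_GETTEXT, [IntPtr]($len + 1), $buf)
"target now shows: $($buf.ToString())"

# (c) WM_CHAR: a synthetic keystroke, the "automation testing" use. Legitimate for
#     test tools, yet the receiver has no way to tell it from a real keyboard.
[void][U32]::PostMessage($edit, $WM_CHAR, [IntPtr]([int][char]'!'), [IntPtr]::Zero)

# Messages whose lParam the receiver treats as a pointer or a callback address
# (the "save edit field to memory" class described in #37) are the ones with no
# defensible cross-process use: the receiver writes through, or calls, a value the
# sender chose. None is sent here; the three above are enough to show that the
# window procedure, not the sender, is where any trust decision has to be made.
```

Run it from an unelevated prompt against an elevated Notepad and step (a) fails with ERROR_ACCESS_DENIED; run it against a Notepad at the same integrity level and all three steps succeed, which is exactly the pre-Vista situation for every window on the desktop regardless of the owning account.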

To: discostu
So you think MS is trying to put Charles Petzold in jail?!

Did Charles Petzold publish explicit instructions on malicious hacking of Windows for fun and profit!?

38 posted on 08/09/2002 5:43:23 AM PDT by E. Pluribus Unum
[ Post Reply | Private Reply | To 36 | View Replies]

To: E. Pluribus Unum
Charles Petzold published specific instructions on how to send messages on the Windows Message Loop and how the loop works. And all his books are published by MS. Not sure how anyone could consider the loop Windows deep dark secret since they've been publishing books that give you explicit instructions on how to use it for a decade.
39 posted on 08/09/2002 7:55:44 AM PDT by discostu
[ Post Reply | Private Reply | To 38 | View Replies]

To: supercat
I don't deny that there are potential security issues in the loop. What I deny is that this was something MS has been hiding from people and only astute investigation by watchdoggers have exposed it. Anybody that ever learned Windows programming from the books MS publishes knows about the loop, it's been well documented since the 16-bit days. What I find shocking is that apparently so many people never heard of it before.
40 posted on 08/09/2002 7:59:57 AM PDT by discostu
[ Post Reply | Private Reply | To 37 | View Replies]

