Free Republic


Exploiting design flaws in the Win32 API for privilege escalation.
Chris Paget | 03/06/2002 | Chris Paget

Posted on 08/06/2002 2:31:20 PM PDT by sourcery



To: discostu
Anybody that ever learned Windows programming from the books MS publishes knows about the loop, it's been well documented since the 16-bit days. What I find shocking is that apparently so many people never heard of it before.

First of all, it's well known that programs like Recorder can send fake keystrokes and other events to applications. Indeed, this ability allows for some useful functionality. The critical details noted in this particular exploit are that the system default handlers allow one application to use events to send any desired amount of data to any desired location within the other process's address space, and then to run the code (again within that other process's address space).

41 posted on 08/09/2002 7:25:14 PM PDT by supercat

To: supercat
Yeah, that's how the messaging loop works. Not sure I'd go so far as to say you can send any amount of data in the other app's memory space; you can send a pointer and that will be in the other program's memory space. With OLE (oops, ActiveX, whatever they're calling it today) you get a lot more data sending ability. I learned all this in early '95 when I took a Windows Programming class that used Petzold's then-current book (Programming for Windows 3.1, 3rd Ed., copyright 1992, published by Microsoft Press). This was all known, including the dangers (we of course looked at them as bad things you can do on accident; any hacker would see it a little differently). You send the message with the appropriate arguments and the other program handles it, and yes, everything after Windows gives the message and parameters to the other program happens in that program's address space. Not the most secure design architecture in the world (arguably the least secure), but not a secret. Like I said, the only shock to me is that people didn't already know this; I learned it when I was a wet-behind-the-ears college student, from a book published by MS. To me this news is about as shocking as the revelation that rain is wet.
42 posted on 08/10/2002 8:30:19 AM PDT by discostu

To: discostu
Yeah, that's how the messaging loop works. Not sure I'd go so far as to say you can send any amount of data in the other app's memory space; you can send a pointer and that will be in the other program's memory space.

Under the default message handlers for a textedit control, you can. That's one of the real problems here. A program may provide full validation for all the messages it processes in its windows (and check for things like buffer overflow and such), and it may be designed so that an outside application could send any of the messages it processes itself without security implications, but the default system handlers leave a great big gaping hole in security when they allow arbitrary read/write/execute to another application's process space.

43 posted on 08/10/2002 9:00:02 AM PDT by supercat

To: Bush2000
So you think that because MS doesn't use it now, they won't ever use the DMCA to squash bug reports?

Here's a link to the Security Focus article on HP:
http://online.securityfocus.com/columnists/100

and they have the right idea, that the law needs to be "patched" so that companies cannot actually go after those who report bugs or vulns.

I have nothing against MS, I make a lot of money due to the fact that their OS is popular and buggy.
44 posted on 08/12/2002 2:00:17 PM PDT by zx2dragon

To: zx2dragon
So you think that because MS doesn't use it now, they won't ever use the DMCA to squash bug reports?

I don't think it's likely. Watch Stanley Kubrick's "Dr. Strangelove or How I Learned to Stop Worrying and Love the Bomb". Paranoid is no way to live.
45 posted on 08/12/2002 2:36:37 PM PDT by Bush2000





FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson