7th Aug 2002 [SBWID-5606]
COMMAND
Wrong programming practice leads to compromise of privileged
applications
SYSTEMS AFFECTED
Potentially all Windows applications
PROBLEM
Foon [ivegotta@tombom.co.uk] describes in his whitepaper the
consequences of not respecting the compartmented security model for
message queueing :
Introduction
============
This paper presents a new generation of attacks against Microsoft
Windows, and possibly other message-based windowing systems. The flaws
presented in this paper are, at the time of writing, unfixable. The
only reliable solution to these attacks requires functionality that is
not present in Windows, as well as efforts on the part of every single
Windows software vendor. Microsoft has known about these flaws for some
time; when I alerted them to this attack, their response was that they
do not class it as a flaw - the email can be found here. This research
was sparked by comments made by Microsoft VP Jim Allchin who stated,
under oath, that there were flaws in Windows so great that they would
threaten national security if the Windows source code were to be
disclosed. He mentioned Message Queueing, and immediately regretted it.
However, given the quantity of research currently taking place around
the world after Mr Allchin's comments, it is about time the white hat
community saw what is actually possible.
This paper is a step-by-step walkthrough of how to exploit one example
of this class of flaw. Several other attack methods are discussed,
although examples are not given. There are many ways to exploit these
flaws, and many variations on each of the stages presented. This is
just one example.
============
Read the complete paper with sample exploit code for Network Associates
VirusScan v4.5.1 at :
http://security.tombom.co.uk/shatter.html
Update (12 August 2002)
======
In the same vein, Symeon (simos) Xenitellis published some research
documents and proofs of concept :
http://www.isg.rhul.ac.uk/~simos/pub/
http://www.isg.rhul.ac.uk/~simos/event_demo/
Update (22 August 2002)
======
Chris Bellers says VNC (all releases) is vulnerable too :
"The only pertinent info to be added is that the "Add new clients"
dialogue box was used to send the shellcode. To demonstrate this
oneself, simply s/NAV/VNC in the Paget document."
SOLUTION
Florian Weimer [Weimer@CERT.Uni-Stuttgart.DE] argues that the API
concepts of "window stations" and "desktops", each with its own set of
hooks, its own message queue, and so on, are available in the (recent?)
current Windows API set.
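The check a practitioner would want after the SOLUTION above, added here as an example and not part of the advisory, of Paget's paper or of Weimer's note: list the top-level windows on the interactive desktop whose owning process runs as a different account than the logged-on user, since every such window shares a desktop and message queue with the user's processes and is therefore reachable with SendMessage/PostMessage. It assumes a Windows host with Windows PowerShell 5.1 or PowerShell 7, run from the interactive desktop (WinSta0\Default); the DesktopWindows class and its Enumerate method are names defined by this script, not part of any Windows API.

```powershell
# Added audit check, not code from the advisory, Paget's paper or Weimer.
# Assumes Windows, PowerShell 5.1+, and that it runs on the interactive desktop.

$enumSource = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

// Hypothetical helper defined here for the example; thin P/Invoke over user32.
public static class DesktopWindows
{
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    static extern bool EnumWindows(EnumWindowsProc callback, IntPtr lParam);
    [DllImport("user32.dll")]
    static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint processId);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int maxCount);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetClassName(IntPtr hWnd, StringBuilder className, int maxCount);

    public class Entry
    {
        public IntPtr Handle; public uint Pid; public string Title; public string ClassName;
    }

    // Every top-level window on the caller's desktop with its owning PID.
    // Hidden windows are included: a message loop, not visibility, is what matters.
    public static List<Entry> Enumerate()
    {
        var found = new List<Entry>();
        EnumWindows((hWnd, lParam) =>
        {
            uint pid;
            GetWindowThreadProcessId(hWnd, out pid);
            var title = new StringBuilder(256);
            GetWindowText(hWnd, title, title.Capacity);
            var cls = new StringBuilder(256);
            GetClassName(hWnd, cls, cls.Capacity);
            found.Add(new Entry { Handle = hWnd, Pid = pid,
                                  Title = title.ToString(), ClassName = cls.ToString() });
            return true;   // keep enumerating
        }, IntPtr.Zero);
        return found;
    }
}
'@
Add-Type -TypeDefinition $enumSource

# Map PID -> account the process runs as. GetOwner returns 2 (access denied)
# for processes the caller cannot open, which for a non-admin caller includes
# SYSTEM services; an unreadable owner is itself a cross-user hint, so keep it.
$owners = @{}
foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    $result = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    if ($result.ReturnValue -eq 0) {
        $ownerName = "$($result.Domain)\$($result.User)"
    } else {
        $ownerName = '(access denied)'
    }
    $owners[[uint32]$proc.ProcessId] = $ownerName
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Windows on this desktop owned by some account other than the script's own.
# Each is in the position VirusScan's or VNC's window was in: any process on
# the desktop can send it messages, regardless of the owning process's token.
[DesktopWindows]::Enumerate() |
    Where-Object { $_.Pid -ne 0 } |
    ForEach-Object {
        if ($owners.ContainsKey($_.Pid)) { $ownerName = $owners[$_.Pid] }
        else                             { $ownerName = '(exited)' }
        [pscustomobject]@{
            Pid   = $_.Pid
            Owner = $ownerName
            Class = $_.ClassName
            Title = $_.Title
        }
    } |
    Where-Object { $_.Owner -ne $me } |
    Sort-Object Pid |
    Format-Table -AutoSize
```

Run it once as the ordinary logged-on user (the attacker's vantage point) and once elevated so that every owner resolves. On Windows Vista and later, services run in session 0 and UIPI refuses messages from a lower integrity level to a higher one, so the list is normally empty; entries appear when something has been started on the user's desktop under another account, which is the configuration this advisory warns about.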