>Microsoft Window Utility Manager Local Elevation of Privileges
<snip>
>To exploit the vulnerability, an attacker would need only to run the
>following code:
>
>After this code has been executed, winhlp32.exe will ask the attacker to
>locate the umandlg.hlp help file. The attacker can then select "Yes" and
>an Open dialog will be shown. The attacker can then search and select
>cmd.exe. The attacker will then have a shell running under Local System
>privileges.
This isn't quite right - on my system at least, browsing for cmd.exe
in this way generates an error:
"The C:\WINNT\system32\cmd.exe file is not a Windows Help file, or the
file is corrupted."
That said, the file dialog can be made to display a ListView control
(display details rather than a list). This ListView control will
accept both WM_SETTEXT (to inject shellcode into the caption of the
window) followed by LVM_SORTITEMS (which specifies the address for a
sort function) to execute said code. It is a valid method for
arbitrary code execution as LocalSystem, but not quite as simply as
Vivek makes out.
Chris
--
Chris Paget
ivegotta (at) tombom.co (dot) uk [email concealed]
>Microsoft Window Utility Manager Local Elevation of Privileges
<snip>
>To exploit the vulnerability, an attacker would need only to run the
>following code:
>
>After this code has been executed, winhlp32.exe will ask the attacker to
>locate the umandlg.hlp help file. The attacker can then select "Yes" and
>an Open dialog will be shown. The attacker can then search and select
>cmd.exe. The attacker will then have a shell running under Local System
>privileges.
This isn't quite right - on my system at least, browsing for cmd.exe
in this way generates an error:
"The C:\WINNT\system32\cmd.exe file is not a Windows Help file, or the
file is corrupted."
That said, the file dialog can be made to display a ListView control
(display details rather than a list). This ListView control will
accept both WM_SETTEXT (to inject shellcode into the caption of the
window) followed by LVM_SORTITEMS (which specifies the address for a
sort function) to execute said code. It is a valid method for
arbitrary code execution as LocalSystem, but not quite as simply as
Vivek makes out.
Chris
--
Chris Paget
ivegotta (at) tombom.co (dot) uk [email concealed]
[ reply ]