Microsoft Windows Window Message Subsystem Design Error Vulnerability

Ovidio Mallo has developed a proof-of-concept utility (easy_shatter.rar); it has reportedly been tested successfully on Kerio Personal Firewall 2.1.4, WinVNC 3.3.7 and Sygate Personal Firewall Pro 5.0.

Chris Paget has developed a proof-of-concept utility. Additional proof-of-concept code for EM_SETWORDBREAKPROC has been developed by Oliver Lavery and is available in the referenced Win32 Message Vulnerabilities Redux paper.

An additional exploit has been contributed by consume.

Brett Moore has released shatterseh2.c as a proof-of-concept for the HDM_GETITEMRECT message. An additional proof-of-concept (mcafee-shatterseh2.c), which is based on shatterseh2.c, has been released by Oliver Lavery that abuses Tab Controls with McAfee AV products.

An additional proof-of-concept (shatterseh3.c) was provided by Brett Moore demonstrating how Shatter attacks can be used against applications which make use of progress bar controls. Brett Moore also released an exploit for statusbars (shatterstatus.c).

xenophi1e has released an exploit (commctrl-shatter.c) for Shatter attacks against Windows XP Visual Styles.

An exploit has been developed to take advantage of a shatter attack on the status bar of the disk defragmenter utility that is shipped with Windows XP. The exploit is not functioning correctly but can be found in the "status-bar SHATTER attack" message contained in the references section of this BID.


Privacy Statement
Copyright 2010, SecurityFocus