<<< Date Index >>>     <<< Thread Index >>>

Re: Microsoft Window Utility Manager Local Elevation of Privileges



On Tue, 13 Jul 2004 16:00:33 -0400, you wrote:

>Microsoft Window Utility Manager Local Elevation of Privileges

<snip>

>To exploit the vulnerability, an attacker would need only to run the 
>following code:
>
>After this code has been executed, winhlp32.exe will ask the attacker to 
>locate the umandlg.hlp help file. The attacker can then select "Yes" and 
>an Open dialog will be shown. The attacker can then search and select 
>cmd.exe. The attacker will then have a shell running under Local System 
>privileges.

This isn't quite right - on my system at least, browsing for cmd.exe
in this way generates an error:
"The C:\WINNT\system32\cmd.exe file is not a Windows Help file, or the
file is corrupted."

That said, the file dialog can be made to display a ListView control
(display details rather than a list).  This ListView control will
accept both WM_SETTEXT (to inject shellcode into the caption of the
window) followed by LVM_SORTITEMS (which specifies the address for a
sort function) to execute said code.  It is a valid method for
arbitrary code execution as LocalSystem, but not quite as simply as
Vivek makes out.

Chris

-- 
Chris Paget
ivegotta@xxxxxxxxxxxx