Title: Flaw in Windows Message Handling through Utility
Manager Could Enable Privilege Elevation (822679)
Date: 09 July 2003
Software: Microsoft® Windows® 2000
Impact: Privilege Elevation
Max Risk: Important
Bulletin: MS03-025

Microsoft encourages customers to review the Security Bulletins
at:
http://www.microsoft.com/technet/sec...n/MS03-025.asp
http://www.microsoft.com/security/se...s/ms03-025.asp
- - - ---------------------------------------------------------------

Issue:
======

Microsoft Windows 2000 contains support for Accessibility options
within the operating system. Accessibility support is a series of
assistive technologies within Windows that allow users with
disabilities to still be able to access the functions of the
operating system. Accessibility support is enabled or disabled
through shortcuts built into the operating system, or through the
Accessibility Utility Manager. Utility Manager is an
accessibility utility that allows users to check the status of
accessibility programs (Microsoft Magnifier, Narrator, On-Screen
Keyboard) and to start or stop them.

There is a flaw in the way that Utility Manager handles Windows
messages. Windows messages provide a way for interactive
processes to react to user events (for example, keystrokes or
mouse movements) and communicate with other interactive
processes. A security vulnerability results because the control
that provides the list of accessibility options to the user does
not properly validate Windows messages sent to it. It's possible
for one process in the interactive desktop to use a specific
Windows message to cause the Utility Manager process to execute a
callback function at the address of its choice. Because the
Utility Manager process runs at higher privileges than the first
process, this would provide the first process with a way of
exercising those higher privileges.
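To make the flaw concrete, here is an added, constructed C simulation (not Microsoft's code and not the Utility Manager source): a message handler that treats a parameter of an incoming message as a code address and calls it, next to a hardened handler that only dispatches to callbacks the privileged process registered itself. The message struct, the `MSG_RUN_CALLBACK` id and the counters are constructed stand-ins, not Win32 API, and the bulletin does not say which real message was involved.

```c
#include <stdint.h>

/* Constructed stand-in for a window message: an id plus two integer params. */
typedef struct { unsigned id; uintptr_t wparam; uintptr_t lparam; } msg_t;
#define MSG_RUN_CALLBACK 0x4001u   /* constructed id, not a real Win32 message */
typedef void (*callback_fn)(void);

static int g_trusted_calls, g_arbitrary_calls;
static void trusted_callback(void)   { g_trusted_calls++; }
static void arbitrary_callback(void) { g_arbitrary_calls++; } /* code the sender chose */

/* Vulnerable pattern described in the bulletin: the handler trusts the pointer
   carried in the message and calls it. Any process on the same interactive
   desktop can post such a message, so the sender's code runs with the
   handler's (here: Local System) privileges. */
int vulnerable_wndproc(const msg_t *m) {
    if (m->id != MSG_RUN_CALLBACK) return 0;
    ((callback_fn)m->lparam)();
    return 1;
}

/* Hardened pattern: callbacks are registered inside the privileged process,
   and a message may only name one by table index, which is bounds-checked.
   A pointer arriving in a message is never dereferenced. */
#define MAX_CALLBACKS 4
static callback_fn g_callbacks[MAX_CALLBACKS];
static unsigned g_ncallbacks;

int register_callback(callback_fn fn) {
    if (g_ncallbacks >= MAX_CALLBACKS) return -1;
    g_callbacks[g_ncallbacks] = fn;
    return (int)g_ncallbacks++;
}

int hardened_wndproc(const msg_t *m) {
    if (m->id != MSG_RUN_CALLBACK) return 0;
    if (m->lparam >= g_ncallbacks) return -1;  /* not a registered slot: drop */
    g_callbacks[m->lparam]();
    return 1;
}

/* Drives both handlers with the same crafted message; returns the hardened
   handler's verdict on it (-1 = rejected). */
int demo(void) {
    msg_t crafted = { MSG_RUN_CALLBACK, 0, (uintptr_t)arbitrary_callback };
    g_trusted_calls = g_arbitrary_calls = 0;
    vulnerable_wndproc(&crafted);               /* sender's code runs once */
    int slot = register_callback(trusted_callback);
    msg_t legit = { MSG_RUN_CALLBACK, 0, (uintptr_t)slot };
    hardened_wndproc(&legit);                   /* registered callback runs */
    return hardened_wndproc(&crafted);          /* address is no slot: -1 */
}
```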

By default, the Utility Manager contains controls that run in the
interactive desktop with Local System privileges. As a result, an
attacker who had the ability to log on to a system interactively
could potentially run a program that sends a specially crafted
Windows message to the Utility Manager process, causing it to take
any action the attacker specified. This would give the
attacker complete control over the system.

The vulnerability cannot be exploited remotely; the attacker would
have to be able to log on to the system interactively.


Mitigating factors:
====================

- An attacker would need valid logon credentials to exploit the
vulnerability. It could not be exploited remotely.

- Properly secured servers would be at little risk from this
vulnerability. Standard best practices recommend only allowing
trusted administrators to log on to such systems interactively;
without such privileges, an attacker could not exploit the
vulnerability.

Risk Rating:
============
Important

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read
the Security Bulletins at

http://www.microsoft.com/technet/sec...n/ms03-025.asp
http://www.microsoft.com/security/se...s/ms03-025.asp

for information on obtaining this patch.