July 9th, 2003, 08:16 PM
Flaw in Windows Message Handling through Utility Manager
Title: Flaw in Windows Message Handling through Utility
Manager Could Enable Privilege Elevation (822679)
Date: 09 July 2003
Software: Microsoft(r) Windows (r) 2000
Impact: Privilege Elevation
Max Risk: Important
Microsoft encourages customers to review the Security Bulletins
- - - ---------------------------------------------------------------
Microsoft Windows 2000 contains support for Accessibility options
within the operating system. Accessibility support is a series of
assistive technologies within Windows that allow users with
disabilities to still be able to access the functions of the
operating system. Accessibility support is enabled or disabled
through shortcuts built into the operating system, or through the
Accessibility Utility Manager. Utility Manager is an
accessibility utility that allows users to check the status of
accessibility programs (Microsoft Magnifier, Narrator, On-Screen
Keyboard) and to start or stop them.
There is a flaw in the way that Utility Manager handles Windows
messages. Windows messages provide a way for interactive
processes to react to user events (for example, keystrokes or
mouse movements) and communicate with other interactive
processes. A security vulnerability results because the control
that provides the list of accessibility options to the user does
not properly validate Windows messages sent to it. It's possible
for one process in the interactive desktop to use a specific
Windows message to cause the Utility Manager process to execute a
callback function at the address of its choice. Because the
Utility Manager process runs at higher privileges than the first
process, this would provide the first process with a way of
exercising those higher privileges.
By default, the Utility Manager contains controls that run in the
interactive desktop with Local System privileges. As a result, an
attacker who had the ability to log on to a system interactively
could potentially run a program that could send a specially
crafted Windows message upon the Utility Manager process, causing
it to take any action the attacker specified. This would give the
attacker complete control over the system.
The attack cannot be exploited remotely, and the attacker would
have to have the ability to interactively log on to the system.
- An attacker would need valid logon credentials to exploit the
vulnerability. It could not be exploited remotely.
- Properly secured servers would be at little risk from this
vulnerability. Standard best practices recommend only allowing
trusted administrators to log on to such systems interactively;
without such privileges, an attacker could not exploit the
- A patch is available to fix this vulnerability. Please read
the Security Bulletins at
for information on obtaining this patch.
Insert whitty tagline right here.
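The bulletin above describes a privileged control dispatching a callback whose address arrives in a Windows message from a lower-privileged process. The following is an added toy model of that defect and of the hardened design, written for this thread and not taken from Microsoft or from the bulletin; the `LVM_SORTITEMS` value is the real list-view message id, but the `Message` type, the process ids and the comparator registry are constructed for the illustration (a real Windows message carries no sender identity, which is exactly why a privileged control must never dispatch an address it receives in one).

```python
import functools
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Real list-view message id from commctrl.h; everything else in this file is a constructed model.
LVM_SORTITEMS = 0x1031


@dataclass
class Message:
    msg: int
    sender_pid: int   # constructed field: real Windows messages do not identify their sender
    lparam: Any       # in the flawed design, a raw comparator address chosen by the sender


class VulnerableListControl:
    """Toy model of a privileged control that trusts the callback carried in LVM_SORTITEMS."""

    def __init__(self, pid: int, items: List[str]):
        self.pid = pid
        self.items = list(items)
        self.ran_as_privileged: List[str] = []  # audit trail: callbacks executed in this control

    def wnd_proc(self, m: Message) -> bool:
        if m.msg != LVM_SORTITEMS:
            return False
        compare = m.lparam  # no validation: whatever the sender supplied is called here
        self.ran_as_privileged.append(getattr(compare, "__name__", repr(compare)))
        self.items.sort(key=functools.cmp_to_key(compare))
        return True


class HardenedListControl:
    """Same control, but comparators are registered in-process and selected by id only."""

    def __init__(self, pid: int, items: List[str]):
        self.pid = pid
        self.items = list(items)
        self.ran_as_privileged: List[str] = []
        self.rejected: List[str] = []
        self._comparators: Dict[int, Callable[[str, str], int]] = {}

    def register_comparator(self, cmp_id: int, fn: Callable[[str, str], int]) -> None:
        self._comparators[cmp_id] = fn  # only code inside the control can register a comparator

    def wnd_proc(self, m: Message) -> bool:
        if m.msg != LVM_SORTITEMS:
            return False
        if m.sender_pid != self.pid:
            # Model-only check; since real messages are anonymous, the id lookup below is
            # the check that actually matters: an address from outside is never dereferenced.
            self.rejected.append(f"cross-process LVM_SORTITEMS from pid {m.sender_pid}")
            return False
        if not isinstance(m.lparam, int) or m.lparam not in self._comparators:
            self.rejected.append(f"unknown comparator id {m.lparam!r}")
            return False
        compare = self._comparators[m.lparam]
        self.ran_as_privileged.append(compare.__name__)
        self.items.sort(key=functools.cmp_to_key(compare))
        return True


def by_name(a: str, b: str) -> int:
    """Legitimate in-process comparator: plain alphabetical order."""
    return (a > b) - (a < b)


def demo() -> dict:
    """Constructed scenario: a low-privilege process (pid 200) messages a SYSTEM control (pid 100)."""
    items = ["Narrator", "Magnifier", "On-Screen Keyboard"]

    def untrusted_callback(a: str, b: str) -> int:
        # Stands in for whatever code sits at the address the sender chose.
        return by_name(a, b)

    vulnerable = VulnerableListControl(pid=100, items=items)
    vulnerable.wnd_proc(Message(LVM_SORTITEMS, sender_pid=200, lparam=untrusted_callback))

    hardened = HardenedListControl(pid=100, items=items)
    hardened.register_comparator(1, by_name)
    cross_process = hardened.wnd_proc(Message(LVM_SORTITEMS, sender_pid=200, lparam=1))
    bogus_id = hardened.wnd_proc(Message(LVM_SORTITEMS, sender_pid=100, lparam=999))
    legitimate = hardened.wnd_proc(Message(LVM_SORTITEMS, sender_pid=100, lparam=1))
    return {
        "vulnerable_ran": vulnerable.ran_as_privileged,
        "hardened_ran": hardened.ran_as_privileged,
        "hardened_results": (cross_process, bogus_id, legitimate),
        "hardened_rejections": hardened.rejected,
        "sorted": hardened.items,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the vulnerable control executing the sender's callback with its own (privileged) standing, while the hardened control runs only the comparator it registered itself and records the two rejected messages; the same principle applies to any window procedure that accepts pointers in message parameters.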
July 9th, 2003, 09:25 PM
This is yet another example of a core design flaw in NT. Messages are the primary way that windows interfaces receive user input. Good security practice suggests that all user input should be authenticated and sanitized before accepting it. Microsoft just doesn't know how to follow the simple things but bundles a bunch of security "tools" and "features" with its operating systems to try to disguise low level problems with high level tools. That just doesn't work out.
And, since I'm on a soapbox, Microsoft couldn't even do the firewall thing right because it had to give any local program the ability to modify firewall rules. WTF?
$person!=$kiddie or die("Alas, die you hotmail hacker!!");
July 10th, 2003, 04:34 PM
I don't think this is a "core design" flaw as you put it, and the vulnerability is not exploited through user input. The flaw allows a Windows interactive API to send a specially crafted message to the Utility Manager forcing code execution. The problem is a failure to check Windows messages (specifically LVM_SORTITEMS) sent to the utility control for sanity and authentication. This is not a core flaw, but only a design flaw in the Utility Manager itself, as well as fairly difficult to discover and exploit. This is no more a core flaw than any buffer overflow exploits available on any OS.
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier