exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

msWinUtilMan.txt

msWinUtilMan.txt
Posted Jul 14, 2004
Authored by Cesar Cerrudo

A local elevation of privileges exists in the Windows Utility Manager which allows any user to take complete control over the operating system. This vulnerability affects the Windows 2000 operating system family.

tags | advisory, local
systems | windows
advisories | CVE-2004-0213
SHA-256 | 06783ccb4127e8dc09bf4a647613438415e9c60af8c3a29e7ebdd29c4ff3750f

msWinUtilMan.txt

Change Mirror Download
Microsoft Window Utility Manager Local Elevation of Privileges

July 13, 2004

Credit: This vulnerability was researched and discovered by Cesar Cerrudo.

Risk Level: High

Summary: A local elevation of privileges exists in the Windows Utility
Manager which allows any user to take complete control over the
operating system. This vulnerability affects the Windows 2000 operating
system family.

Details:
The Microsoft Windows 2000 operating system family supports a feature
called Accessibility Options. Accessibility Options are a series of
assistive technologies within Windows that help users with disabilities
access the functions of the operating system. They can be enabled or
disabled using shortcuts built into the operating system or through the
Accessibility Utility Manager. The Accessibility Utility Manager allows
users to start, stop, or monitor accessibility programs such as
Microsoft Magnifier, Narrator, On-Screen Keyboard, etc... The Utility
Manager can be invoked by pressing <Windows key>+U or, if the user is an
Administrator, by executing "utilman.exe /start" from the command line.
The Utility Manager runs as a Windows service enabled by default. When
executed it runs within the interactive desktop with Local System
privileges.

Utility Manager supports context sensitive help which was accessed by
clicking the "?" on the title bar of the Utility Manager window and then
clicking an object or by pressing F1 key after selecting an object. To
display the context sensitive help, Utility Manager loaded
winhlp32.exe. However it did not drop System privileges when doing so
meaning that winhlp32.exe was executed under the Local System account.
Microsoft fixed this vulnerability with patch MS04-011. The patch failed
to fix the problem because it only removed the context sensitive help
from the Utility Manager GUI preventing help from being invoked from the
main screen. However, the patch did not remove/disable the functionality
used by the application to launch the context sensitive help (see ¹ for
more details). Utility Manager continues to load winhlp32.exe without
dropping privileges meaning that winhlp32.exe is still run under Local
System account. A user need only to send several Windows messages and
winhlp32.exe will be launched. From there, the user can open any file
as a Local System account.

To exploit the vulnerability, an attacker would need only to run the
following code:

//get window handle
lHandle=FindWindow(NULL, "Utility Manager");
//send right click on the app button in the taskbar or Alt+Space Bar
PostMessage(lHandle,0x313,NULL,NULL);
Sleep(100);
//send WM_COMMANDHELP 0x0365 lParam must be<>NULL
SendMessage(lHandle,0x365,NULL,0x1);

After this code has been executed, winhlp32.exe will ask the attacker to
locate the umandlg.hlp help file. The attacker can then select "Yes" and
an Open dialog will be shown. The attacker can then search and select
cmd.exe. The attacker will then have a shell running under Local System
privileges.

Note:
It seems that Visual C++ MFC (Microsoft Foundation Class) (see ²) will
automatically include help functionality in an application regardless of
whether or not this functionality will be utilized. Therefore, when
coding desktop applications that will run with elevated privileges,
remove all help functionality or drop account privileges before loading
the help.

Links:
(Previous vulnerability)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
http://www.appsecinc.com/resources/alerts/general/04-0001.html

(Current vulnerability)
1.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcmfc98/html/_mfcnotes_tn028.asp
2.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore98/HTML/_core_help.3a_.f1_and_shift.2b.f1_help.asp
3. http://www.microsoft.com/technet/security/bulletin/ms04-019.mspx

Workaround:
Disable Utility Manager Service.

Fix:
http://www.microsoft.com/technet/security/bulletin/ms04-019.mspx

Acknowledgement:
Thanks to Brett Moore and Esteban Martinez Fayo.

--
_____________________________________________
AppSecInc Team SHATTER
Tel: 1-866-927-7732
E-mail: shatter@appsecinc.com
Web: www.appsecinc.com

Application Security, Inc.
"Securing Business by Securing Enterprise Applications"
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    11 Files
  • 8
    Dec 8th
    45 Files
  • 9
    Dec 9th
    9 Files
  • 10
    Dec 10th
    6 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close