Microsoft Window Utility Manager Local Elevation of Privileges July 13, 2004 Credit: This vulnerability was researched and discovered by Cesar Cerrudo. Risk Level: High Summary: A local elevation of privileges exists in the Windows Utility Manager which allows any user to take complete control over the operating system. This vulnerability affects the Windows 2000 operating system family. Details: The Microsoft Windows 2000 operating system family supports a feature called Accessibility Options. Accessibility Options are a series of assistive technologies within Windows that help users with disabilities access the functions of the operating system. They can be enabled or disabled using shortcuts built into the operating system or through the Accessibility Utility Manager. The Accessibility Utility Manager allows users to start, stop, or monitor accessibility programs such as Microsoft Magnifier, Narrator, On-Screen Keyboard, etc... The Utility Manager can be invoked by pressing +U or, if the user is an Administrator, by executing "utilman.exe /start" from the command line. The Utility Manager runs as a Windows service enabled by default. When executed it runs within the interactive desktop with Local System privileges. Utility Manager supports context sensitive help which was accessed by clicking the "?" on the title bar of the Utility Manager window and then clicking an object or by pressing F1 key after selecting an object. To display the context sensitive help, Utility Manager loaded winhlp32.exe. However it did not drop System privileges when doing so meaning that winhlp32.exe was executed under the Local System account. Microsoft fixed this vulnerability with patch MS04-011. The patch failed to fix the problem because it only removed the context sensitive help from the Utility Manager GUI preventing help from being invoked from the main screen. However, the patch did not remove/disable the functionality used by the application to launch the context sensitive help (see ¹ for more details). Utility Manager continues to load winhlp32.exe without dropping privileges meaning that winhlp32.exe is still run under Local System account. A user need only to send several Windows messages and winhlp32.exe will be launched. From there, the user can open any file as a Local System account. To exploit the vulnerability, an attacker would need only to run the following code: //get window handle lHandle=FindWindow(NULL, "Utility Manager"); //send right click on the app button in the taskbar or Alt+Space Bar PostMessage(lHandle,0x313,NULL,NULL); Sleep(100); //send WM_COMMANDHELP 0x0365 lParam must be<>NULL SendMessage(lHandle,0x365,NULL,0x1); After this code has been executed, winhlp32.exe will ask the attacker to locate the umandlg.hlp help file. The attacker can then select "Yes" and an Open dialog will be shown. The attacker can then search and select cmd.exe. The attacker will then have a shell running under Local System privileges. Note: It seems that Visual C++ MFC (Microsoft Foundation Class) (see ²) will automatically include help functionality in an application regardless of whether or not this functionality will be utilized. Therefore, when coding desktop applications that will run with elevated privileges, remove all help functionality or drop account privileges before loading the help. Links: (Previous vulnerability) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908 http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en http://www.appsecinc.com/resources/alerts/general/04-0001.html (Current vulnerability) 1. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcmfc98/html/_mfcnotes_tn028.asp 2. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore98/HTML/_core_help.3a_.f1_and_shift.2b.f1_help.asp 3. http://www.microsoft.com/technet/security/bulletin/ms04-019.mspx Workaround: Disable Utility Manager Service. Fix: http://www.microsoft.com/technet/security/bulletin/ms04-019.mspx Acknowledgement: Thanks to Brett Moore and Esteban Martinez Fayo. -- _____________________________________________ AppSecInc Team SHATTER Tel: 1-866-927-7732 E-mail: shatter@appsecinc.com Web: www.appsecinc.com Application Security, Inc. "Securing Business by Securing Enterprise Applications"