Misuse of ShellAbout() API could allow elevation of privilege

Affected systems: Korean version of Windows XP, 2003 and Office 2003

1. Abstract

With the ShellAbout() API vulnerability, you can get 'LocalSystem' privilege just by mouse clicking. No shellcode or exploit code is needed.

The ShellAbout() API displays the 'shell about dialog box' shown in (picture 2) below. If you click the 'End-User License Agreement' link in the about box, the program will execute notepad.exe to display the 'EULA'. If the program which displays the about box is running as the LocalSystem account, it will execute notepad.exe as the LocalSystem account too. As a result, an attacker can gain LocalSystem authority by taking advantage of the notepad.exe process.

To test this vulnerability, I used the shell about dialog box of the Korean IME language bar attached to the winlogon.exe process. Because the winlogon.exe process was running as the LocalSystem account, I could control the notepad.exe process, which has LocalSystem authority.

2. Test environment

Korean Windows Server 2003, Enterprise Edition, Service Pack 1
Korean Windows XP Professional, Service Pack 2

3. Reconstruction steps - Korean Windows Server 2003

As mentioned above, I used the winlogon.exe process to test the vulnerability. The winlogon.exe process handles many things about the user session; its main job is handling the logon process with user name and password. In the Korean edition of Windows, the Korean IME is attached to the user name edit control. If you right-click on the Korean IME language bar and select the about box item in the context menu as in (picture 1), the 'shell about dialog box' will be displayed as shown in (picture 2). And if you click the 'End-User License Agreement' link, a notepad.exe process will be created as LocalSystem.
If you are connected to a local session, the winlogon.exe process displays notepad.exe on the 'Service-0x0-3e7$\Default' desktop, which is for Windows services; if you are connected to a remote session, it displays notepad.exe on the 'WinSta0\Default' desktop, which is for the current user. Of course there are some cases where the notepad.exe process is displayed on the 'WinSta0\Default' desktop even in a local session, but we will only consider the remote session case as a matter of convenience. So if you use Windows XP you may activate 'Remote Desktop', and if you use Windows Server 2003 you may install 'Terminal Services'. Now log on to the server with the remote desktop client program as follows. I will describe the reconstruction steps using 'Korean Windows Server 2003, Enterprise Edition'.

1) Select the 'about Korean IME' context menu item

After connecting to the terminal service, right-click on the Korean IME language bar, which is attached to the user name edit control in the 'Windows Logon' dialog box, and select the 'about Korean IME' context menu item, which displays the 'shell about dialog box'. (picture 1)

2) Click the 'End-User License Agreement' link

If you click the 'End-User License Agreement' link, notepad.exe will be executed. (picture 2) As shown in (picture 3), the winlogon.exe process creates notepad.exe as the 'LocalSystem' account. But notepad.exe isn't displayed, because the current desktop is 'WinSta0\Winlogon' and notepad's desktop is 'WinSta0\Default'. (picture 3)

3) Log on as the non-privileged user 'test'

If you log on as the common user 'test', who has no administrative authority, you can see the notepad.exe process on the 'WinSta0\Default' desktop. (picture 4) This notepad.exe process was created by the winlogon.exe process as the 'LocalSystem' account, and user 'test' can do everything with 'LocalSystem' authority. For example, user 'test' can overwrite system files with his or her own content using the 'Save As' common dialog, as shown in (picture 4).

4) Advanced topic: Hack without logon id or password
So far we have seen how the non-privileged user 'test' can gain 'LocalSystem' privilege. Is there any way to gain 'LocalSystem' privilege without a logon id or password? After step 2), click the 'Cancel' button on the logon screen; you don't have to enter a logon id or password. Just before the disconnection, 'notepad.exe' is displayed to the user for a split second. At this point, if you can click on notepad, you can gain 'LocalSystem' privilege on any Korean edition Windows 2003 server with port 3389 open, just by mouse clicking. Think about the details.

Copyright (c) 2006 VMCraft, Inc.
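A detection-side check for the condition reached in steps 1) to 3), added here as an example and not part of the advisory or of VMCraft's work: over a constructed process snapshot it flags any process that runs as LocalSystem on the interactive 'WinSta0\Default' desktop and whose parent is winlogon.exe. The record fields, the account name string and the pid values are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # executable name
    user: str     # account of the process token
    desktop: str  # window station\desktop the process was started on


SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
USER_DESKTOP = "WinSta0\\Default"   # the interactive user's desktop (step 3)


def suspicious_system_children(procs: List[Proc]) -> List[Proc]:
    """Flag processes that run as LocalSystem on the interactive user desktop
    and were created by winlogon.exe: the shape of the notepad.exe case above.
    winlogon.exe itself lives on WinSta0\\Winlogon, so it is never flagged."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.user != SYSTEM_ACCOUNT or p.desktop != USER_DESKTOP:
            continue
        parent = by_pid.get(p.ppid)  # None if the parent has already exited
        if parent is not None and parent.image.lower() == "winlogon.exe":
            hits.append(p)
    return hits


# Constructed sample snapshot; pids, ppids and account names are made up.
SAMPLE = [
    Proc(500, 4, "winlogon.exe", SYSTEM_ACCOUNT, "WinSta0\\Winlogon"),
    Proc(1208, 500, "userinit.exe", "SERVER\\test", USER_DESKTOP),
    Proc(1320, 1208, "explorer.exe", "SERVER\\test", USER_DESKTOP),
    Proc(1404, 1320, "notepad.exe", "SERVER\\test", USER_DESKTOP),  # user's own notepad
    Proc(1640, 500, "notepad.exe", SYSTEM_ACCOUNT, USER_DESKTOP),   # EULA notepad from step 2)
    Proc(1712, 500, "notepad.exe", SYSTEM_ACCOUNT, "Service-0x0-3e7$\\Default"),  # local-session case: service desktop
]

if __name__ == "__main__":
    for p in suspicious_system_children(SAMPLE):
        print(f"ALERT pid={p.pid} {p.image} as {p.user} on {p.desktop}, parent winlogon.exe")
```

The local-session variant lands on the service desktop and is deliberately left out of the alert, since that desktop is not reachable from a user session; widen the desktop filter if that case matters in your environment.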