Message Pump Security Flaw
-
http://www.theregister.co.uk/content/4/26561.html Make of this what you will. I'm sure loads of people here are familiar with posting messages to other apps' windows - e.g. to make them minimise or something, e.g. http://www.thewonderfulicon.com/ Okay - a bit of bad handling on the Timer event, and having an NT service running in the system account, putting a window on a user's desktop is a plain bad implementation. There are ways described all over the place for controlling NT services through the registry, and monitoring values being changed, or go the whole hog and write an MMC snap-in. Hmm. As far as I can tell though just about every other GUI system implements the message pump principle with a switch statement. Apple bought it off Xerox. Digital Research stole it from Apple, as did Microsoft, but they managed not to have to pay out when they got sued - unlike DR. So are they not all possibly open to an attack along similar lines? Just think about all the 'macro recording tools' out there (not VB macros), the old fashioned peeking at another window's message pump. Hmm.
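The combination the post calls out (a service running in the system account that is allowed to put a window on the interactive desktop) is something an administrator can audit directly. The following PowerShell is an added, defender-side example, not code from this thread or from the Register article; it assumes a Windows host where Win32_Service can be queried and the services registry hive is readable, and the account spellings it treats as "system account" are an assumption listed in the parameter.

```powershell
# Added example (not from the thread): list services that run as LocalSystem
# and have "Allow service to interact with desktop" set.
# That flag is SERVICE_INTERACTIVE_PROCESS, bit 0x100 of the Type value under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>; WMI exposes it as DesktopInteract.

function Get-InteractiveSystemService {
    [CmdletBinding()]
    param(
        # Assumption: these spellings cover how the system account usually appears in StartName.
        [string[]] $SystemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM', '.\LocalSystem')
    )

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.DesktopInteract -and ($SystemAccounts -contains $_.StartName)
        } |
        ForEach-Object {
            # Cross-check the registry Type bit so the finding does not rest on WMI alone.
            $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
            $type = (Get-ItemProperty -Path $regPath -Name Type -ErrorAction SilentlyContinue).Type
            $interactiveBit = $null
            if ($null -ne $type) { $interactiveBit = (($type -band 0x100) -ne 0) }

            [pscustomobject]@{
                Name           = $_.Name
                DisplayName    = $_.DisplayName
                StartName      = $_.StartName
                State          = $_.State
                PathName       = $_.PathName
                InteractiveBit = $interactiveBit
            }
        }
}

# Usage: an empty result is what a hardened host should return.
Get-InteractiveSystemService | Format-Table -AutoSize
```

Anything this lists is a service whose windows share a desktop with ordinary user processes while its code runs as SYSTEM; the remediation is to run the service under a less privileged account or to move its UI into a separate user-session process. On Windows Vista and later, session 0 isolation already keeps service windows off the user's desktop, so the check matters most on NT 4, 2000 and XP era hosts like the ones the article discusses.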
-
Hehehe, 2nd repost in a day. :)
---
Tim Smith
"Programmers are always surrounded by complexity; we can not avoid it... If our basic tool, the language in which we design and code our programs, is also complicated, the language itself becomes part of the problem rather than part of the solution." Hoare - 1980 ACM Turing Award Lecture
-
This guy has never implemented a PE loader! Your app may (but most often won't) be remapped to any address, and how in the world do I get the address of my code in a restricted process? You would have to write a custom PE loader and use MapViewOfFileEx with lpBaseAddress = null to allocate the code at (hopefully) a random position. Or maybe using LoadLibraryEx twice with different flags (does this work?). But you could still kill the app of course... Hehe, hijacking an X server would surely kill you at coding time :D, too complex for average Windows coders.
-
I forgot: Iieks! This guy claims to code on 14 platforms???? Sheesh, when you take C you can code on almost every platform available ;P. I can code on 98% of all existing systems :D!
-
Colin Leitner wrote: Your app may (but most often won't) be remapped to any address
Well, that's the idea I guess; if it works *most* of the time, it'll still cause a lot of mayhem. If people didn't see their software crashing all the time for no apparent reason, this sort of thing might ruin a "stealth" attack, but given the reality of computer software we'll just shrug and curse MS.
---
Shog9 If I could sleep forever, I could forget about everything...
-
Colin Leitner wrote: I forgot: Iieks! This guy claims to code on 14 platforms???? Sheesh when you take C then you can code on almost every platform available. I can code on 98% of all existing systems :D!
Yep, 14. I would take that as a bit of self-advertising. Thinking about it, I could say: Commodore Pet, Vic 20, 64, Atari ST & variants (could get about 4 out there that I have touched, e.g. STFM, STE, Falcon, TT), DOS - PC, DR, MS, Windows 3.11 to present, Unix - Solaris, HP-UX, Irix. And at work I have to use a mainframe, though I know not what I do. :-D Never really used a Mac though for more than 10 minutes. Something I regret, as they look sooooo good. I think I beat him. Though on the majority of those I am schite. I wonder if he is any good. :)