Shatter attack
From Wikipedia, the free encyclopedia
In computing, a shatter attack is a programming technique employed by attackers on Microsoft Windows operating systems to bypass security restrictions between processes in a session. A shatter attack takes advantage of a design flaw in Windows' message-passing system whereby arbitrary code could be injected into any other running application or service in the same session that makes use of a message loop. Because the targeted application executes the injected code with its own rights, the result is typically a privilege escalation exploit.
Overview
Shatter attacks became a topic of intense conversation in the security community in August 2002 after the publication of Chris Paget's paper titled "Exploiting design flaws in the Win32 API for privilege escalation". The paper, which coined the term "shatter attack", explained the process by which an application could execute arbitrary code in another application. This could occur because Windows allows unprivileged applications to send messages to the message loops of higher-privileged applications on the same desktop, and a window message carries no information about who sent it, so the receiving window procedure cannot tell a forged message from a legitimate one. Some messages also take the address of a callback function in the receiving application's address space as a parameter. If an attacker manages to place their own bytes in the memory of the higher-privileged application at a known location (for example by pasting shellcode into an edit control with a WM_SETTEXT message), they can then send a WM_TIMER message whose callback parameter (lParam) points at those bytes; when the privileged application's message loop dispatches the message, it calls the supposed callback and runs the shellcode with its own privileges.
A few weeks after the publication of this paper, Microsoft responded, noting that: "The paper is correct that this situation exists, and it does correctly describe its effect. ... Where the paper errs is in claiming that this is a flaw in Windows. In reality, the flaw lies in the specific, highly privileged service. By design, all services within the interactive desktop are peers, and can levy requests upon each other. As a result, all services in the interactive desktop effectively have privileges commensurate with the most highly privileged service there."
Solutions
In December 2002, Microsoft issued a patch (MS02-071) for Windows NT 4.0, Windows 2000, and Windows XP that closed off some avenues of exploitation. This was only a partial solution, however, as the fix addressed WM_TIMER handling and the services included with Windows that could be exploited using this technique; the underlying design flaw, that a privileged window receives and acts on messages from any process on the same desktop, still existed and could still be used to target other applications or third-party services. With Windows Vista, Microsoft aimed to solve the problem in two ways. First, local users no longer log in to Session 0, thus separating the message loop of a logged-in user's session from high-privilege system services, which are only ever loaded into Session 0; this protects a service only as long as it does not itself put a window on the user's interactive desktop. Second, a new feature called User Interface Privilege Isolation (UIPI) was introduced, whereby processes can be further protected against shatter attacks by assigning an integrity level to each process (part of Mandatory Integrity Control). Attempts to send messages to (or interact with in any way via the Windows API) a window belonging to a process with a higher integrity level will fail, even if both processes are owned by the same user; only a small set of harmless messages is let through by default, and a higher-integrity process must explicitly opt in to receive others with ChangeWindowMessageFilter (or, from Windows 7, the per-window ChangeWindowMessageFilterEx). UIPI does not separate processes running at the same integrity level, and signed accessibility applications that request uiAccess in their manifest are exempt from it, so it narrows the attack surface rather than removing it. Internet Explorer 7, for example, utilizes this feature: in Protected Mode its rendering process runs at low integrity, which prevents it from interacting with the rest of the system.
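The following C program is an added illustration and is not code from this article, from Paget's paper or from Windows itself. It models, in portable C, the message loop described in the Overview (a callback address arriving in lParam is trusted and called in the receiver's context) and the two kinds of mitigation described above: an integrity check on the sender in the style of UIPI, and validation of WM_TIMER callbacks against the timers the window registered itself. The message numbers are the real Win32 values; the Window and Message structures, the integrity levels, the validation rule, and the "shellcode" (a function that only records that it ran) are assumptions made for the model.

```c
#include <stdio.h>

typedef void (*TimerProc)(unsigned int timer_id);

/* Message numbers are the real Win32 values; everything else is a model. */
enum { WM_NULL = 0x00, WM_SETTEXT = 0x0C, WM_TIMER = 0x113 };
enum { INTEGRITY_MEDIUM = 2, INTEGRITY_HIGH = 3 };  /* modelled UIPI levels */

typedef struct {
    unsigned int msg;
    unsigned int wparam;                                /* WM_TIMER: timer id */
    union { const char *text; TimerProc proc; } lparam; /* text or callback  */
} Message;

#define MAX_TIMERS 4
typedef struct {
    int integrity;                      /* integrity level of the owner     */
    char edit_buffer[64];               /* "edit control" a sender can fill */
    unsigned int timer_ids[MAX_TIMERS]; /* timers this window set itself    */
    TimerProc timer_procs[MAX_TIMERS];
    int ntimers;
    TimerProc last_callback;            /* which callback actually executed */
} Window;

static int attacker_runs;               /* how often the payload executed */
static void legit_timer_proc(unsigned int id) { (void)id; }
/* Stand-in for pasted shellcode: it only records that it ran (in the real
 * attack, that means in the privileged service's security context). */
static void attacker_payload(unsigned int id) { (void)id; attacker_runs++; }

/* Model of SetTimer(): the window registers the callback it trusts. */
static void set_timer(Window *w, unsigned int id, TimerProc proc) {
    if (w->ntimers < MAX_TIMERS) {
        w->timer_ids[w->ntimers] = id;
        w->timer_procs[w->ntimers++] = proc;
    }
}
/* Pre-patch dispatch: the callback address in lParam is trusted and called in
 * the receiver's context, whoever sent the message. This is the design flaw. */
static void dispatch_vulnerable(Window *w, const Message *m) {
    if (m->msg == WM_SETTEXT) {
        snprintf(w->edit_buffer, sizeof w->edit_buffer, "%s", m->lparam.text);
    } else if (m->msg == WM_TIMER && m->lparam.proc) {
        w->last_callback = m->lparam.proc;
        m->lparam.proc(m->wparam);
    }
}
/* Hardened dispatch: WM_TIMER runs a callback only for a timer id this window
 * registered, and then the registered function, never the sender's lParam
 * (one way to close the hole; not the exact change shipped in MS02-071). */
static void dispatch_hardened(Window *w, const Message *m) {
    int i;
    if (m->msg != WM_TIMER) { dispatch_vulnerable(w, m); return; }
    for (i = 0; i < w->ntimers; i++)
        if (w->timer_ids[i] == m->wparam) {
            w->last_callback = w->timer_procs[i];
            w->timer_procs[i](m->wparam);
            return;
        }
    /* unknown timer id: the message is dropped */
}
/* UIPI model: a lower-integrity sender cannot deliver to a higher-integrity
 * window (only WM_NULL is assumed allowed). Returns 1 if delivered, else 0. */
static int send_message(int sender_level, Window *w, const Message *m,
                        void (*dispatch)(Window *, const Message *)) {
    if (sender_level < w->integrity && m->msg != WM_NULL) return 0;
    dispatch(w, m);
    return 1;
}
/* Builds the service window (one legitimate timer) and runs the two-step
 * attack: fill the edit control, then send a WM_TIMER "pointing at" it. */
static Window run_attack(int svc_level, int sender_level,
                         void (*dispatch)(Window *, const Message *)) {
    Window w = { .integrity = svc_level };
    Message settext = { .msg = WM_SETTEXT };
    Message timer = { .msg = WM_TIMER, .wparam = 0x1337 };
    set_timer(&w, 1, legit_timer_proc);
    attacker_runs = 0;
    settext.lparam.text = "<constructed stand-in for shellcode>";
    timer.lparam.proc = attacker_payload;
    send_message(sender_level, &w, &settext, dispatch);
    send_message(sender_level, &w, &timer, dispatch);
    return w;
}
/* Pre-Vista: peers on one desktop, no validation: the payload runs. */
int shatter_succeeds_without_mitigations(void) {
    Window svc = run_attack(INTEGRITY_MEDIUM, INTEGRITY_MEDIUM, dispatch_vulnerable);
    return attacker_runs == 1 && svc.last_callback == attacker_payload;
}
/* UIPI: the service window sits above the sender; both messages are blocked. */
int uipi_blocks_lower_integrity_sender(void) {
    Window svc = run_attack(INTEGRITY_HIGH, INTEGRITY_MEDIUM, dispatch_vulnerable);
    return attacker_runs == 0 && svc.edit_buffer[0] == '\0';
}
/* Same level (UIPI cannot help) but hardened dispatch: the forged WM_TIMER is
 * dropped, and one carrying the legitimate id runs the registered callback. */
int callback_validation_blocks_forged_timer(void) {
    Window svc = run_attack(INTEGRITY_MEDIUM, INTEGRITY_MEDIUM, dispatch_hardened);
    Message forged = { .msg = WM_TIMER, .wparam = 1 };
    forged.lparam.proc = attacker_payload;
    send_message(INTEGRITY_MEDIUM, &svc, &forged, dispatch_hardened);
    return attacker_runs == 0 && svc.last_callback == legit_timer_proc;
}
```

The three scenario functions each return 1 when the model behaves as the text describes: without mitigations the sender's pointer is executed by the privileged window; with a UIPI-style integrity gap neither the WM_SETTEXT nor the WM_TIMER is delivered; and with callback validation a same-integrity sender can no longer steer execution, while the window's own timer still fires. The point the model makes is the one from Microsoft's response quoted above: a window that acts on pointers from its message queue trusts every peer on the desktop, so either the peers must be separated (Session 0 isolation, UIPI) or the window must stop trusting the message.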
References
- Paget, Chris (August 2002). "Exploiting design flaws in the Win32 API for privilege escalation". Archived at web.archive.org.
- "Information About Reported Architectural Flaw in Windows". TechNet. Microsoft (September 2002). Archived at web.archive.org.
- "Microsoft Security Bulletin MS02-071 – Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)". Microsoft (December 11, 2002). Retrieved 2006-07-18.