So, second attempt: ... In some versions of Windows 2000/XP it appears to be readily possible to log into a computer as a user with restricted rights or as Guest, then grant one's own account administrator rights, and so render the whole security system useless. The tool [...] offers a very good way to test whether this is possible with your own Windows version.

1.) Start Tasks and Token.
2.) Click on Processes, Threads and DLLs.
3.) Click on the Tasks and Token process.
4.) Double-click on the Tasks and Token process.
5.) Click on the first thread of Tasks and Token.
6.) Double-click on the first thread of Tasks and Token.
7.) Select any window under this thread.
8.) Right-click in the tree view and select Message Send.
9.) In the window that then appears, click the Message Send button.

Is a message box visible then? Those who do not see a message box, please post your service pack and Windows version!
No message box, currently running XP Pro SP2...
SP 2 is safe (for the moment, at least). Many thanks.
My tests so far: XP Pro without SP => not safe. XP Pro with SP 1 => not safe. XP Home without SP => not safe. Windows 2000 SP 2 => not safe.
I am particularly interested in Windows 2000 at the moment.
Windows 2000 SP 4 => no message box.
I will need this again, so I am writing it down here:

[quote:bdd8486fa2]
Shatter-proofing Windows

Tyler Close, Alan H. Karp, Marc Stiegler
Mobile and Media Systems Laboratory, HP Laboratories Palo Alto
HPL-2005-87, May 9, 2005*

Keywords: Microsoft Windows security, Shatter attack

Abstract

The Shatter attack uses the Windows API to subvert processes running with greater privilege than the attack code. The author of the Shatter code has made strong claims about the difficulty of fixing the underlying problem, while Microsoft has, with one exception, claimed that the attack isn't a problem at all. Whether or not Shatter is indeed an exploit worth worrying about, it uses a feature of Windows that has other malicious uses, such as keystroke logging. This paper presents a means of defeating this entire family of attacks with minimal breaking of applications and effect on the look and feel of the user interface.

* Internal Accession Date Only. Approved for External Publication. © Copyright 2005 Hewlett-Packard Development Company, L.P.

1. Introduction

Shatter [1], so called because it "breaks" windows, uses the Windows API to send messages to windows associated with processes that have greater authority than the process running the attacker's code. In the example exploits, the target is a system service that has a window on the interactive desktop. The attack uses Windows messages to remove the length restrictions on an input field in the target window and insert code into the service's address space. The final step sends a WM_TIMER message that induces the service to branch to the exploit.

Microsoft initially denied that the attack exploits an architectural flaw in Windows [2], citing three points:
• Privileged services should not have windows on the interactive desktop.
• Shatter requires that the attacker be able to log onto the system.
• No privileges are gained on the domain.

That note also states that "all services within the interactive desktop are peers", which implies that processes with different privilege levels should not be placed on the same desktop. Microsoft also notes that it has long recommended that processes with system privileges not have windows on the visible desktop. A response [4] points out that several services, some supplied by Microsoft, violate this rule.

Microsoft's second and third points appear disingenuous. Logging onto the system is not the most common way for attackers to run code. Viruses, worms, and ActiveX controls on web pages are far easier methods than finding passwords. Also, not exposing the domain to attack will be small comfort to users who have had all their local files corrupted.

Microsoft later released a security bulletin [3] that fixed the WM_TIMER flaw. This message informs the application that a kernel timer event has occurred and tells the application what address to jump to. The flaw was that the application did not check this address. Hence, once the exploit code was installed in the target application's address space, a WM_TIMER message would cause that code to be executed. The fix added a check to see if the address specified in the WM_TIMER message was registered as a callback before taking the branch. The author of Shatter agreed that this fix largely blocked the attack [4], but claimed that this patch didn't totally solve the problem. A later paper [5] demonstrated that other Windows messages, such as EM_SETWORDBREAKPROC, can also be used in Shatter-like attacks.

The paper reporting Shatter makes several strong claims about the difficulty of making changes to prevent the attack from succeeding. The suggested solutions all break applications or change the behavior of the system. "Basically, there is no simple solution." summarizes the author's opinion. We have found a feature in the Windows API that defeats Shatter while having minimal impact on application behavior or the user's interaction with the system.

First, this paper describes how Windows is structured in Section 2. Next, Section 3 describes several rejected approaches to defeating Shatter. Our proposed solution and the tests showing that it works are presented in Section 4.

2. Windows Structure

Most people are aware that every window appears on a desktop. Fewer people know that there may be multiple desktops. For example, the login window appears on a dedicated desktop. Even fewer know that every desktop is assigned to a window station [8]. Understanding Microsoft's response to Shatter [8] and our approach to defeating it requires knowledge of the interaction among these structures.

The user interface component of Windows consists of a number of parts. One is the window station [7], which is a securable object containing a clipboard, one or more desktop objects, and some other state accessible to objects in the window station. Each logon session is associated with a window station. A desktop is a securable object attached to a window station that holds UI objects, such as windows, menus, and hooks. Note that windows are not securable objects in the Windows API. Only one window station, called Winsta0, can interact with the user display, keyboard, and mouse, except on the Terminal Services version of the operating system where each session has such a window station. Only one desktop at a time can interact with the user, and that desktop must necessarily be associated with Winsta0. Every process is associated with a window station, and every thread is associated with a desktop. Threads can move between desktops, and processes can move between window stations, but windows are tied to the window station where they started.

3. Rejected Options

We considered a number of approaches to defeat Shatter. In addition to merely blocking Shatter, we felt that we also had to maintain the system's usability. After all, we'd get no security if nobody used our software. All the options described in this section failed that test.

1. Desktops

Microsoft states that "all services in the interactive desktop effectively have privileges commensurate with the most highly privileged service there" [2]. The implication is that processes with different privilege levels should run on different desktops. Hence, our first idea was to follow Microsoft's proposal and run applications with different privileges on different desktops within Winsta0. However, the window station contains the name space of desktops. Although a thread can only enumerate windows on its desktop, it can switch itself to another desktop in its window station if it has a handle to one. It's even possible to guess a desktop name. For example, most systems have a desktop named DEFAULT. Once a thread has a handle to a desktop, it can assign itself to it, circumventing any security benefits.

We tested this attack by creating an alternate desktop, imaginatively named "alternate", and opening three windows on it. We then wrote attack code that did an OpenDesktop, specifying "alternate" for the desktop name and getting back a handle to the desktop. The code then did a SetThreadDesktop, enumerated the windows on that desktop, and sent them SW_MINIMIZE messages. None of the operations used require any privileges. While this attack did no harm and involved no escalation of privilege, it shows that Microsoft's instructions about not putting privileged applications on the "interactive desktop" are incomplete at best.

2. Window Stations

If desktops aren't the answer, perhaps Microsoft was really referring to window stations, not desktops. Unfortunately, using window stations as the unit of protection instead of the desktop doesn't work for interactive applications running at different privilege levels, as done by Polaris [13]. Since only Winsta0 has access to the display, and windows can't move between window stations, there is no way to interact with such applications running on other window stations.

3. Terminal Server

A given login session has only one window station with access to user interactions, and the standard versions of Windows have only one interactive window station. The Server versions don't have this restriction, though. Hence, we can run each application in its own login session with its own displayable window station. There are two problems with this approach. The first is cost. A single license for Windows XP Professional sells for $300 on the Microsoft web site. One for Server 2003 carries a $1,000 price tag, with an additional charge for Client Access Licenses (CALs) beyond the first five. It's not clear from the Microsoft description of the CAL whether one is needed for each login session. The second problem arises primarily in corporate environments. A company's IT staff may spend many hours validating their software environment for desktop machines. Today, that effort is spent on the desktop version of the operating system. Many applications have not been tested on the Server version.

4. Virtual Machines

Virtual machines, such as VMWare [8], provide all the isolation needed to block Shatter. All that's needed is to run every application in a self-contained virtual machine. Unfortunately, virtual machines are expensive, almost $200 for a copy of VMWare. They also take considerable resources; VMWare specifies a minimum of 128 MB RAM for each running instance. It's clear that a machine with a standard configuration won't be able to run very many instances.

5. Virtual OSes

Defeating Shatter doesn't require the full emulation of the hardware done by virtual machines. Virtualizing the operating system, as done by Xen [10] and Virtuozzo [11], should suffice. A virtual OS is light-weight, allowing a machine to run a large number of instances. Unfortunately, OSes in widespread distribution, such as Linux and Microsoft Windows XP, need to be modified in order to run under Xen or Virtuozzo. There is no Windows version of Xen, and Virtuozzo only supports the Terminal Server 2003 version of Windows.

6. Common Problem

The rejected solutions just described all share a common characteristic; they put windows into self-contained environments. That means that producing the look and feel of using Windows would be hard. The problem is manageable for applications that run in full screen mode. In those cases, we only need to provide something that looks like the user's task bar to allow switching between environments. However, many people prefer to have overlapping windows, but windows that can overlap necessarily can be used to mount Shatter attacks against each other. An alternative to overlapping the actual windows is to use screen scraping and keyboard stuffing. Say that File Explorer is running on the default desktop and a system service is running on another. An interactive window opened by the service won't be visible to the user as long as the default desktop is active. However, we can write code that captures the bitmap of the service's interactive window and displays those bits on the default desktop. Note that we have to monitor the window for changes in case it contains something like a progress bar. Windows messages sent to the window containing the bitmap won't reach the service. Keystrokes and mouse events that appear in it can be forwarded to a daemon running on the alternate desktop for forwarding to the actual interactive window. Implementing this scheme is a major effort with significant performance and usability risks.

4. Defeating Shatter

The process-handling part of the Windows API contains a feature that can be used to block Shatter. A Job object [12] is designed to allow control of a group of processes. Once a process has been assigned to a job object, the association cannot be removed, nor can it be changed. Child processes are part of the same job unless a breakaway privilege is granted explicitly. Various restrictions can be placed on processes running within a job. In particular, we can set the JOB_OBJECT_UILIMIT_HANDLES restriction (UILIMIT for short), which prevents a process in the job from using handles to windows associated with processes outside the job.

Figure 1 shows Shatter running without the UILIMIT restriction successfully changing the length field in a dialog box to 4. What you don't get from this figure is the beep heard when trying to type a fifth character, which demonstrates the success of a key step in the attack.

Figure 1. Shatter changed length field with no UI limit.

Figure 2 shows Shatter running in a job with the UI limit. First, you'll see that the attack succeeds in getting the window handle, which is the same as the one shown in Figure 1. However, this time the window message that changes the length of the input field to 4 fails, as shown by the error message and the typed text.

Figure 2. Shatter unable to change length field with UI limit.

We also tried passing a window handle into a job. A process in a job with UILIMIT was unable to use the handle. We even tried sending Windows messages using PostThreadMessage() instead of PostMessage(). These messages were silently dropped by the receiving thread as expected, based on the API and default implementation of the message queue.

We conclude that UILIMIT on job objects defeats all Shatter-like attacks. That doesn't mean that there aren't flaws in Windows that can be exploited using other messaging methods. However, using this restriction prevents the use of Window messaging, the defining characteristic of Shatter.

We have built a version of Polaris [13], a package that configures applications to run in restricted user accounts, to run processes in jobs with the UILIMIT. For the most part, there are no problems. We did find one problem. Although we haven't applied the available clipboard restrictions, processes running with UILIMIT are unable to read text from the clipboard. Since they can read bitmaps, we believe this problem is caused by a bug in the Windows implementation, and we are developing a work-around.

Unfortunately, there is a more serious bug in the Windows XP implementation. If you do a PostMessage() from within a job, specifying HWND_BROADCAST as the target window handle, the Windows message is delivered to all top level windows, both inside the job and outside the job. A test program assigned to a job with UILIMIT that sends WM_CLOSE to HWND_BROADCAST results in all open windows closing. While this denial of service attack is just an annoyance, it means that Windows messages are escaping the confines of the job and could be used in Shatter attacks. This behavior is in direct contradiction to that specified for UILIMIT [9]. The Remarks section for this restriction says:

If you specify the JOB_OBJECT_UILIMIT_HANDLES flag, when a process associated with the job broadcasts messages, they are only sent to top-level windows owned by processes associated with the same job.

We reported this behavior to Microsoft. Their response states "I have forwarded this information to the product group for further research as a bug. It appears after researching this, that this is not a security vulnerability. If this is not the case and I have overlooked the security implications, please send me details on how an attacker might be able to exploit this vulnerability and what the results of an (sic) successful exploit might be." It seems surprising that circumventing a restriction isn't considered a security vulnerability, but this position is consistent with Microsoft's original response to Shatter [2].

5. Conclusions

The Shatter attack is based on the ability of a process to send a Windows message to windows associated with processes running at a higher privilege level. While the WM_TIMER flaw exploited by the original attack has been closed, users are at risk that other such flaws might be discovered. Microsoft's response that the desktop is the unit of protection is at best incomplete. There appear to be ways to break that model.

We have shown that it is possible to defeat Shatter by assigning processes to jobs with UILIMIT that correspond to their privilege levels. Since UILIMIT restricts the use of window handles by those in the job, attacks like Shatter are blocked. Any attack based on the use of Windows messages would be evidence of a bug in the implementation that Microsoft would be compelled to fix.

Programs running in jobs with UILIMIT appear to behave normally, with two exceptions. Drag/drop only works between windows in the same job with UILIMIT. However, processes running with different privileges will most likely run in different logon sessions, and drag/drop doesn't work across sessions. The second difference is clearly due to a bug in the behavior of the clipboard. These jobs can not paste text, although there is no problem pasting bitmaps. We believe Microsoft will eventually fix this bug. In any case, applications appear to run normally under UILIMIT, contrary to the opinion of the author of Shatter.

References

1. Foon, "Exploiting design flaws in the Win32 API for privilege escalation", [...]
2. Microsoft, "Information About Reported Architectural Flaw in Windows", [...] September 2002
3. Microsoft, "Microsoft Security Bulletin MS02-071: Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)", [...] December 2002, updated April 2003
4. Foon, "Shatter attacks – more techniques, more detail, more juicy goodness", [...]
5. Lavery, Oliver, "Win32 Message Vulnerabilities Redux: Shatter Attacks Remain a Threat", iDefense Inc., Reston, VA, [...] July 2003
6. Brown, Keith, Programming Windows Security, Addison-Wesley, Boston, 2000
7. Microsoft, MSDN Library, [...] us/dllproc/base/window_stations_and_desktops.asp
8. VMWare, [...]
9. Microsoft, MSDN Library, [...] us/dllproc/base/jobobject_basic_ui_restrictions_str.asp
10. Xen, [...]
11. SWSoft, Virtuozzo, [...]
12. Microsoft, [...]
13. Stiegler, M., Karp, A. H., Yee, K.-P., Close, T., and Miller, M., "Polaris: Toward Virus Safe Computing for Windows XP", HP Labs Tech Report HPL-2004-221, [...] 2004
[/quote:bdd8486fa2]
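The defence the paper arrives at in Section 4, a process confined to a job object carrying JOB_OBJECT_UILIMIT_HANDLES, written out as an added example; this is not code from the paper, from Polaris, or from this thread. It is a PowerShell script with a small C# P/Invoke wrapper, assumes a Windows host, and uses notepad.exe as an arbitrary stand-in for the application to be restricted; the helper names (UiLimitJob, Launch, JobHandle) are this example's own. The target is created suspended so that it is already inside the job before it executes its first instruction, and the script then reads the restriction back from the job instead of trusting that the call succeeded.

```powershell
# Added example (not from the HP Labs paper, Polaris, or this thread): start a
# process inside a job object with JOB_OBJECT_UILIMIT_HANDLES and verify the limit.
# Assumes Windows; notepad.exe is an arbitrary stand-in for the restricted app.
$src = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class UiLimitJob   // helper name chosen for this example
{
    [StructLayout(LayoutKind.Sequential)]
    public struct JOBOBJECT_BASIC_UI_RESTRICTIONS { public uint UIRestrictionsClass; }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public ushort wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }

    const int  JobObjectBasicUIRestrictions = 4;    // JOBOBJECTINFOCLASS value
    const uint JOB_OBJECT_UILIMIT_HANDLES   = 0x1;  // the UILIMIT the paper relies on
    const uint CREATE_SUSPENDED             = 0x4;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateJobObject(IntPtr lpJobAttributes, string lpName);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetInformationJobObject(IntPtr hJob, int infoClass, ref JOBOBJECT_BASIC_UI_RESTRICTIONS info, int cb);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool QueryInformationJobObject(IntPtr hJob, int infoClass, out JOBOBJECT_BASIC_UI_RESTRICTIONS info, int cb, IntPtr returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool AssignProcessToJobObject(IntPtr hJob, IntPtr hProcess);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool IsProcessInJob(IntPtr hProcess, IntPtr hJob, out bool result);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CreateProcess(string app, StringBuilder cmd, IntPtr pa, IntPtr ta, bool inherit,
                                     uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint ResumeThread(IntPtr hThread);

    // Kept open on purpose: the job lives on while a handle or a member process exists.
    public static IntPtr JobHandle = IntPtr.Zero;

    // Create job -> apply UILIMIT_HANDLES -> start target suspended -> assign -> resume -> verify.
    // Starting suspended means the process never runs an instruction outside the job.
    public static uint Launch(string commandLine)
    {
        JobHandle = CreateJobObject(IntPtr.Zero, null);
        if (JobHandle == IntPtr.Zero) throw new System.ComponentModel.Win32Exception();

        var limits = new JOBOBJECT_BASIC_UI_RESTRICTIONS();
        limits.UIRestrictionsClass = JOB_OBJECT_UILIMIT_HANDLES;
        int cb = Marshal.SizeOf(typeof(JOBOBJECT_BASIC_UI_RESTRICTIONS));
        if (!SetInformationJobObject(JobHandle, JobObjectBasicUIRestrictions, ref limits, cb))
            throw new System.ComponentModel.Win32Exception();

        var si = new STARTUPINFO();
        si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
        PROCESS_INFORMATION pi;
        if (!CreateProcess(null, new StringBuilder(commandLine), IntPtr.Zero, IntPtr.Zero, false,
                           CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi))
            throw new System.ComponentModel.Win32Exception();

        if (!AssignProcessToJobObject(JobHandle, pi.hProcess))
            throw new System.ComponentModel.Win32Exception();
        ResumeThread(pi.hThread);

        // Verify rather than trust: membership and the restriction must both read back.
        bool inJob;
        IsProcessInJob(pi.hProcess, JobHandle, out inJob);
        JOBOBJECT_BASIC_UI_RESTRICTIONS applied;
        QueryInformationJobObject(JobHandle, JobObjectBasicUIRestrictions, out applied, cb, IntPtr.Zero);
        if (!inJob || (applied.UIRestrictionsClass & JOB_OBJECT_UILIMIT_HANDLES) == 0)
            throw new InvalidOperationException("UILIMIT_HANDLES did not take effect");
        return pi.dwProcessId;
    }
}
'@
Add-Type -TypeDefinition $src
$childPid = [UiLimitJob]::Launch('notepad.exe')
"PID $childPid is running inside a job with JOB_OBJECT_UILIMIT_HANDLES"
```

Two caveats the paper itself records apply to anything launched this way: on the Windows XP build the authors tested, a PostMessage() to HWND_BROADCAST still left the job, so the job is not a complete message boundary on its own, and a process under UILIMIT could read bitmaps but not text from the clipboard. Assigning the process before it runs matters because the association, once made, cannot be removed, and child processes stay in the job unless a breakaway privilege is granted explicitly.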
Michael Wodrich

[quote:96e3dd9e4d]
German translation of the same paper, "Shatter-proofing Windows" (Tyler Close, Alan H. Karp, Marc Stiegler, HP Laboratories Palo Alto, HPL-2005-87, May 9, 2005), from the title page through Section 4, ending at "We reported this behavior to Microsoft."; a duplicate of the quote above.
[/quote:96e3dd9e4d]
your Ansprechzustände I have these information to Produktgruppe for further research as a nachgeschickt Bug. it appear to the research of it, that not a Sicherheitsverwundbarkeit is. If this is not the case, what about me have The Sicherheitsimplikationen survey, Send tappt im dunkeln Please I report hereon in detail, like a aggressors capable could, these Verwundbarkeit and what auszunutzen Results of/ one (sic) erfolgreichen Feat could his. it shining überraschend, that the Überlisten of/ one constraint as a safety not viewing becomes Verwundbarkeit, but these position is the ursprünglichen Reply Microsofts übereinstimmend, circa In items To break [2]. 5. Beschlüsse The Zerschmettern forward line beruht on the skill one Prozesses, a windows-Message on it To Send Window wrong with Prozessen, The in a higher Preference-level walk. During by the ursprünglichen forward line ausgenutzter WM_TIMER-Error is closed been, user are gefährdet the others such Error could discover go. The Reply Microsofts, its the Desktop The unity is protection is on best unvollständig. it shining, allocate give, this association To break. we've viewed, that it possible is To vereiteln, break In items, processes Jobs so zuteilend UILIMIT, The ihren Preference-Niveaus correspond to. there UILIMIT whom use which einschränkt Fenstergriffe through diejenigen the Job, attacks like break In items go blockiert. eachone based forward line on the use Windows Messages would Beweise one Programmfehlers in the Durchführung the his Microsoft would moreover forced To fasten. programs, The in Jobs with UILIMIT walk, shine, itself usually with two Ausnahmen To manners. creep tappt im dunkeln only works between Windows in the same job with UILIMIT/entrapments tappt im dunkeln. however, processes, The with different Vorzügen walk, go on the wahrscheinlichsten in the different Login walk sessions, and slog/drop works over sessions not. 
The second Difference is clear because of one Programmfehlers in the behaviour the Clipboard. These Jobs cannot Text, though affix there's no trouble, the Bitmaps aufklebt. we believe, that Microsoft finally this Bug fasten becomes. anyway shine Applications, usually under UILIMIT against The opinion To walk the Autors which break In items. Verweisungen 1. Foon, solid Ausnutzend, power in the Win32 API for Preference-Eskalation, rissig [...] Page 9 8 2. Microsoft, information About reported Architecural Flaw in windows, [...] september 2002 3. Microsoft, safety of Microsoft Bulleting MS02-071: Error in windows WM_TIMER-Nachrichtenbehandlung could Preference-rise (328310) make possible, [...] december 2002, aktualisierter april 2003 4. Foon, Zerschmettern attacks - More Techniken, More detail, saftigere Goodness, [...] 5. Lavery, Oliver, Win32 Nachrichtenverwundbarkeit Redux: break tappt im dunkeln In items attacks stay a menace, iDefense Inc., Reston, VA, [...] july 2003 6. brown, Keith, windows-safety Programming, Addison-Wesley, Boston, 2000 7. Microsoft, MSDN Library, [...] us/dllproc/base/window_stations_and_desktops.asp 8. VMWare, [...] 9. Microsoft, MSDN Library, [...] us/dllproc/base/jobobject_basic_ui_restrictions_str.asp 10. Xen, [...] 11. SWSoft, Virtuozzo, [...] 12. Microsoft, [...] 13. Stiegler, M., Karp, A. H., Yee, k.-P. Close, T., and Müller, M, north star: moreover virus-Safe, the for Windows XP, HP-laboratory-Technologie-report HPL-2004-221 Rechnet, [...] 2004[/quote:96e3dd9e4d] Best wishes Michael Wodrich |
Programming, the most exciting detective game in the world. | 08/27/06
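The paper quoted above defeats Shatter by running a process inside a job object that carries JOB_OBJECT_UILIMIT_HANDLES, so the process cannot use window handles that belong to processes outside the job. The PowerShell script below is an added example, not code from the paper, from Polaris or from this thread: it creates such a job through P/Invoke, attaches a child process and reads the restriction mask back to confirm it is in force. The child program (notepad.exe) and the class and function names (JobUiLimit, CreateRestrictedJob, Assign, QueryMask, InJob) are my own choices; the constants, the JOBOBJECTINFOCLASS value and the API calls are the documented Win32 ones.

```powershell
# Added example (not from the paper, Polaris or this thread): launch a process inside a
# job object carrying JOB_OBJECT_UILIMIT_HANDLES and verify the restriction is in force.
# Assumptions: Windows with PowerShell 3 or later; notepad.exe as the child process.

Add-Type -TypeDefinition @"
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class JobUiLimit
{
    // UIRestrictionsClass bits from winnt.h
    public const uint JOB_OBJECT_UILIMIT_HANDLES        = 0x00000001;
    public const uint JOB_OBJECT_UILIMIT_READCLIPBOARD  = 0x00000002;
    public const uint JOB_OBJECT_UILIMIT_WRITECLIPBOARD = 0x00000004;

    // JOBOBJECTINFOCLASS value that selects JOBOBJECT_BASIC_UI_RESTRICTIONS
    private const int JobObjectBasicUIRestrictions = 4;

    [StructLayout(LayoutKind.Sequential)]
    private struct JOBOBJECT_BASIC_UI_RESTRICTIONS { public uint UIRestrictionsClass; }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern IntPtr CreateJobObject(IntPtr lpJobAttributes, string lpName);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool SetInformationJobObject(IntPtr hJob, int infoClass,
        ref JOBOBJECT_BASIC_UI_RESTRICTIONS info, int cbInfo);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool QueryInformationJobObject(IntPtr hJob, int infoClass,
        out JOBOBJECT_BASIC_UI_RESTRICTIONS info, int cbInfo, IntPtr lpReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool AssignProcessToJobObject(IntPtr hJob, IntPtr hProcess);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool IsProcessInJob(IntPtr hProcess, IntPtr hJob, out bool result);

    private static int Size { get { return Marshal.SizeOf(typeof(JOBOBJECT_BASIC_UI_RESTRICTIONS)); } }

    // Create an anonymous job and apply the given UI restriction mask to it.
    public static IntPtr CreateRestrictedJob(uint mask)
    {
        IntPtr job = CreateJobObject(IntPtr.Zero, null);
        if (job == IntPtr.Zero) throw new Win32Exception();
        var uir = new JOBOBJECT_BASIC_UI_RESTRICTIONS { UIRestrictionsClass = mask };
        if (!SetInformationJobObject(job, JobObjectBasicUIRestrictions, ref uir, Size))
            throw new Win32Exception();
        return job;
    }

    // Attach a process to the job; as the paper notes, the association cannot be undone.
    public static void Assign(IntPtr job, IntPtr hProcess)
    {
        if (!AssignProcessToJobObject(job, hProcess)) throw new Win32Exception();
    }

    // Read back the mask the kernel actually holds for the job.
    public static uint QueryMask(IntPtr job)
    {
        JOBOBJECT_BASIC_UI_RESTRICTIONS uir;
        if (!QueryInformationJobObject(job, JobObjectBasicUIRestrictions, out uir, Size, IntPtr.Zero))
            throw new Win32Exception();
        return uir.UIRestrictionsClass;
    }

    public static bool InJob(IntPtr hProcess, IntPtr job)
    {
        bool inJob;
        if (!IsProcessInJob(hProcess, job, out inJob)) throw new Win32Exception();
        return inJob;
    }
}
"@

# HANDLES blocks use of window handles owned by processes outside the job (the paper's UILIMIT);
# the two clipboard bits are added so the clipboard behaviour the paper reports can be observed.
$mask = [JobUiLimit]::JOB_OBJECT_UILIMIT_HANDLES -bor
        [JobUiLimit]::JOB_OBJECT_UILIMIT_READCLIPBOARD -bor
        [JobUiLimit]::JOB_OBJECT_UILIMIT_WRITECLIPBOARD
$job = [JobUiLimit]::CreateRestrictedJob($mask)

# Start the child and attach it right away. Start-Process cannot create it suspended,
# so a native launcher using CREATE_SUSPENDED would close this small gap.
$proc = Start-Process -FilePath 'notepad.exe' -PassThru
[JobUiLimit]::Assign($job, $proc.Handle)

$inJob  = [JobUiLimit]::InJob($proc.Handle, $job)
$actual = [JobUiLimit]::QueryMask($job)
'PID {0}: in job = {1}, UI restriction mask = 0x{2:X}' -f $proc.Id, $inJob, $actual
```

Two caveats when running it. Before Windows 8 a process that already sits in a job without breakaway rights cannot be placed into a second job, so AssignProcessToJobObject fails with access denied if the PowerShell host itself runs under a job. And the check that matters is behavioural: with the mask in force, a message the child sends to a window of a process outside the job must fail, which is exactly the comparison the paper draws between its Figure 1 and Figure 2.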
Micha, I like it ... ...
If you translate it yourself, it definitely makes more sense.
Since I have to add my two cents everywhere anyway, I will not leave this (English) text entirely without comment either. Among other things, it talks about the EM_SETWORDBREAKPROC message. Since EM_SETWORDBREAKPROC, unlike WM_TIMER, reacts quite aggressively with access violations, the threat posed by EM_SETWORDBREAKPROC is probably extremely small. In my opinion, the blame for Microsoft recognizing the WM_TIMER problem only quite late lies with the author of the Shatter attack himself. The approach of injecting code via an Edit control is hardly practicable in practice, but the API still offers plenty of better and more dangerous opportunities to attack a computer, and MS finally seems to have recognized that too.
On the bug fix itself: Microsoft became very cautious with XP Service Pack 2 and fixed some things very well that had previously bothered me enormously. Sending the WM_TIMER message to foreign windows is now prevented in several places. I am currently still in the process of testing whether these fixes can somehow be bypassed (some things that Microsoft claims are gone apparently still work, e.g. loading older operating system DLLs into the process and addressing the export functions located in those DLLs). Both MS and the manufacturers of security software apparently make a point of not creating attackable windows in their services; with other software vendors (graphics drivers, e.g.) it unfortunately looks quite different!
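The post above makes the point that services should not create attackable windows on the interactive desktop. As an added example, not from the thread or its author, the PowerShell script below audits that on a running machine: it enumerates every top-level window on the caller's desktop, hidden ones included, groups them by owning process and reports the account each process runs as, so windows that belong to a different (typically more privileged) account stand out. The class and function names (TopLevelWindows, CountByProcess, Get-WindowOwnerReport) are my own; EnumWindows, GetWindowThreadProcessId, IsWindowVisible and the Win32_Process GetOwner method are the documented Windows interfaces.

```powershell
# Added example (not from the thread or its author): list the processes that own
# top-level windows on this desktop together with the account each one runs as.
# Assumption: run as the interactive user on Windows with PowerShell 3 or later.

Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class TopLevelWindows
{
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    private static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll")]
    private static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
    [DllImport("user32.dll")]
    private static extern bool IsWindowVisible(IntPtr hWnd);

    // Process id -> [visible count, hidden count] of top-level windows on the caller's desktop.
    public static Dictionary<uint, int[]> CountByProcess()
    {
        var counts = new Dictionary<uint, int[]>();
        EnumWindows(delegate(IntPtr hWnd, IntPtr lParam)
        {
            uint pid;
            GetWindowThreadProcessId(hWnd, out pid);
            int[] c;
            if (!counts.TryGetValue(pid, out c)) { c = new int[2]; counts[pid] = c; }
            c[IsWindowVisible(hWnd) ? 0 : 1]++;
            return true;   // keep enumerating
        }, IntPtr.Zero);
        return counts;
    }
}
"@

function Get-WindowOwnerReport {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $counts = [TopLevelWindows]::CountByProcess()
    foreach ($id in $counts.Keys) {
        $p = Get-Process -Id $id -ErrorAction SilentlyContinue
        $name    = if ($p) { $p.ProcessName } else { '?' }
        $session = if ($p) { $p.SessionId } else { $null }
        $owner   = '<unknown>'
        try {
            # WMI reports the owning account even for processes we cannot open ourselves.
            $ci = Get-CimInstance Win32_Process -Filter "ProcessId = $id"
            if ($ci) {
                $o = Invoke-CimMethod -InputObject $ci -MethodName GetOwner
                if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
            }
        } catch { }
        [pscustomobject]@{
            Pid        = $id
            Name       = $name
            Session    = $session
            Owner      = $owner
            Visible    = $counts[$id][0]
            Hidden     = $counts[$id][1]
            OtherOwner = ($owner -ne $me)   # reachable from this desktop, but not our account
        }
    }
}

# Rows with OtherOwner = True are the ones worth a second look.
Get-WindowOwnerReport | Sort-Object OtherOwner, Hidden -Descending | Format-Table -AutoSize
```

EnumWindows only sees the desktop of the calling thread, which is exactly the set of windows that window messages sent from this desktop can reach; a hidden window counts just as much as a visible one. On XP, where services share the interactive user's desktop, a row owned by NT AUTHORITY\SYSTEM is the configuration the post warns about and is worth reporting to the vendor; on Vista and later, session 0 isolation keeps service windows off the user's desktop, so such rows should be rare and each deserves an explanation.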