A New Avenue of Attack: Event-driven system vulnerabilities


Author:
Symeon (simos) Xenitellis
Homepage

Affiliation:
Information Security Group,
Royal Holloway,
University of London,
TW20 0EX


News

08/May/2002: Presentation of paper titled Security Vulnerabilities in Event-Driven Systems at the IFIP/SEC2002 conference in Egypt.
07/Jul/2002: Announcement of this page at the vuln-dev mailling at SecurityFocus.
08/Jul/2002: Presentation of paper titled A New Avenue of Attack: vent-Driven System Vulnerabilities at the ECIW conference in London..
06/Aug/2002: An e-mail sent to Bugtraq by Chris Paget about his tutorial on event-driven system vulnerabilities titled White paper: Exploiting the Win32 API.. From this posting it was sent to SlashDot, TheRegister, KuroShin and so on.
08/Aug/2002: An e-mail to the NT-Bugtraq mailling list by Andrey Kolishak mentioning the WM_TIMER issue. It mentions a reference to an MSJ article that I did not know about.
10/Aug/2002: The PDF versions of the papers have been updated. The changes were mostly cosmetic (now hyperref is used). They are available at the same locations below.
11/Aug/2002: From a bugtraq posting, there has been an advisory from @stake (DilDog) in Sep2000 of a vulnerability that leads to privilege elevetion through event exploitation.
16/Dec/2002: A CVE candidate of a bug involving event manipulation in Windows has been opened as CAN-2002-1230. It was filed on the 21Oct2002 to cover the exploit application GetAd.c.
16/Dec/2002: Microsoft released a patch to address the vulnerability of the WM_TIMER message that accepts a callback function address as part of the payload. The bug is filed as MS02-071. This patch does not appear to address the root of the problem, it only relieves some symptoms. Sadly, no references have been made in the advisory about prior work on this type of vulnerability.

Abstract

This page describes security vulnerabilities in event-driven systems. Common event-driven systems are the Microsoft Windows* operating systems and graphical environments, the X Window System and the Java Virtual Machine. Among those, Microsoft Windows is analysed here. For an academic analysis, read the first paragraph of the Introduction below which has links to two papers. For a less academic overview, continue reading this page.

Introduction

With reference to the papers entitled " Security Vulnerabilities in Event-Driven Systems" and "A New Avenue of Attack: vent-Driven System Vulnerabilities", we provide demonstrations to the practical examples described in the papers.

The demonstrations were carried out on Windows XP Professional and Windows 2000. The screenshots are from Windows XP. Some of the screenshots were taken with the "traditional" Windows XP theme, thus it looks like Windows 2000.

Firstly, in an event-driven system, an application receives events from input devices (such as mouse and keyboard) as well as from other applications.

For example, the events that Notepad receives when someone types something it it are shown here:

Capturing events from Notepad.exe

You can see the "c" letter being pressed.

Denial of service

For this example to work, one would normally need a mouse with three buttons. The Microsoft IntelliMouse with a wheel is also sufficient as it works like a third button as well. Additionaly, one should install the Logitech MouseWare mouse utilities (installed by default in many mouse/laptop configurations). These utilities are available for free from the Logitech WWW site.

After installation, one needs to enable the middle button to act as a "Double click" button. That is, when one clicks the middle button, a double click event is sent to the application. If someone has a two mouse button, s/he can temporarily set the double-click functionality to the right button (if s/he is a right-handed PC user).

The dialog that sets the middle button to act as double click looks like this.

MouseWare utility dialog box


Subsequently, the user should run Notepad.exe and type dummy text so that both the verical and horizontal scrollbars are enabled.

Notepad is ok now

We focus on the horizontal scrollbar. The user should click on the left arrow button of the scrollbar and hold the mouse button. At the same time, the mouse pointer moves on the middle of the horizontal scrollbar, while the mouse button is still pressed. Finally, the middle button (associated with double-click) is pressed.

The scrollbar gets confused and looks like the following.

Notepad dizzy


And the following. (release mouse buttons and try to move the scrollbar as normally)

Notepad dizzi alternative

The author discovered the above feature in 1993 while he was an owner of a Logitech mouse, running Windows 3.1 and an old version of the MouseWare utilities. Subsequently, he found the same behaviour on Windows 95, Windows 98, Windows 2000 and Windows XP.

Modification of running application

When a user installs an application, s/he has to accept a use license of the software. This is typically called the End-User License Agreement (EULA). If the user chooses not to accept the license, the application does not install. We show how to change the visual content of the license.

Such a EULA window looks like this

EULA window

Using a special application that can send custom events to specific windows, we send the appropriate event to convert the text box of the license to a editable text box. The result looks like this.

EULA melted

The white colors signifies that changes can take place. One can change to the following.

EULA changed

Finally, the text box is changed again to read-only in order to look more similar with the original.

New EULA

Note: This does not seem to invalidate the license of the application. What we showed here is the same thing as unwrapping the box of shrink-wrapped software in a dark room and carefully disposing the license material. Thus, you will probably not bypass the license with the above procedure, at least in most Western countries. Let's add that the changes take place in the running application only. Running the application again will obviously show the initial dialog.

Unauthorised access to objects

If you want to capture the password from an application like the following

Password dialog box

or the following

Run as

and the only method is by sending events, then events can help you. Let me say here that it is easier to capture the events sent to the events sent to an application by using keyboard hooks. However, if the attacker is running under a different user than the victim, you cannot place a hook (Windows 2000 and Windows XP).

One could send the appropriate events to copy the password field to the clipboard and paste it to the attacker application. Clipboards are shared. However, this cannot be done because the textbox of the password is marked as one for passwords. The copy attempt does not work.

But not all is lost. One can send the appropriate event to convert the password textbox to a textbox that has the password character set to ''. This makes the textbox behave as a normal textbox. Then, the copy procedure can take place.

Programmatically, one can unset the password character, copy and paste the password and set it back again without the end-user realising.

To automate this, we wrote a client application. The result for both applications shown above looks like

Password stealing 1

and

password stealing 2


The source code is available here while you can also download at your own risk statically linked with regards to the MFC libraries or dynamically linked with regards to the MFC libraries archives.

The way this program works is a bit peculiar. It has to be the active application while you move the mouse pointer over other Windows. This way it will be able to extract information about other windows in the least intrusive way. Once the exact victim has been selected, use the keyboard shortcuts in order to choose the action, like "Melt", "Freeze" and so on. MySpy knows who is the victim and the action you want to carry out.

Using functionality from Windows 2000 or Windows XP, you can run MySpy as a normal user (using the RunAs functionality) and attack applications that belong to an administrative account.

Execution of custom/malicious code

Specific event types carry payload such as addresses to procedures to be executed. Thus, an attacker only needs to know a specific address in the address space of the victim application in order to exploit. To make matters worse, if the attacker can put custom code in the address space of the victim, s/he can execute it.

One way this can be done is with the WM_TIMER event. This events accepts as an optional argument the address to code to be executed.

Sending the WM_TIMER event with a random address produced in our case the following

explorer crashed with wm_timer

and by delving into more details

more  



Author: Symeon (simos) Xenitellis, available at: simos74 at gmx dot net
Affiliation: Information Security Group, Royal Holloway, University of London, TW20 0EX

Last modified: Thu Aug 8 21:38:42 BST 2002