[40178] in bugtraq
Re: [Full-disclosure] Microsoft Windows keybd_event validation vulnerability
daemon@ATHENA.MIT.EDU (Jerome Athias)
Tue Sep 6 18:40:21 2005
Message-ID: <431D7B85.40301@free.fr>
Date: Tue, 06 Sep 2005 13:20:37 +0200
From: Jerome Athias <jerome.athias@free.fr>
MIME-Version: 1.0
To: Frederic Charpentier <fcharpen@xmcopartners.com>
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
In-Reply-To: <431D7582.2070207@xmcopartners.com>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms000602050201010008060701"
This is a cryptographically signed message in MIME format.
--------------ms000602050201010008060701
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
It was posted by Andres Tarasco to full-disclosure allready
Additionaly:
1) french version of the advisory:
http://www.athias.fr/alertes-bulletins-securite/20050905_Microsoft.Windows_Validation.keybd_event.html
2) I use to use this trick to obtain SYSTEM privileges with just ADMIN
privileges:
AT 20:00 /INTERACTIVE cmd.exe
Cheers,
/JA
--------------ms000602050201010008060701
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIPxDCC
BMgwggQxoAMCAQICBAIAApswDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxGDAWBgNV
BAoTD0dURSBDb3Jwb3JhdGlvbjEcMBoGA1UEAxMTR1RFIEN5YmVyVHJ1c3QgUm9vdDAeFw0w
MjA4MjcxOTA3MDBaFw0wNjAyMjMyMzU5MDBaMIHcMQswCQYDVQQGEwJHQjEXMBUGA1UEChMO
Q29tb2RvIExpbWl0ZWQxHTAbBgNVBAsTFENvbW9kbyBUcnVzdCBOZXR3b3JrMUYwRAYDVQQL
Ez1UZXJtcyBhbmQgQ29uZGl0aW9ucyBvZiB1c2U6IGh0dHA6Ly93d3cuY29tb2RvLm5ldC9y
ZXBvc2l0b3J5MR8wHQYDVQQLExYoYykyMDAyIENvbW9kbyBMaW1pdGVkMSwwKgYDVQQDEyND
b21vZG8gQ2xhc3MgMyBTZWN1cml0eSBTZXJ2aWNlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALEeYGbgQwaeJ2gvApnHiN+F69tl7NRJZ3ouH83cFSzWHqzynUY6XQPA
PQUsWhgNWSVCo3LArSjSrTwx4ksH+16Y66gz1mmyWp7qLEmmJi5M8MyrQNKq3ixOgbW6e7hc
0Hu9R/XABtLA5NdH22JAr6EcUQMY27jQu5THPHnqJWSuJhnhPGZHZ5Kde1WrNMJ1btknjp2M
8B3aa5yGBKKQteqdjM/7OUOo8BgtnvcZECycL+HQsf/XWcTNQDL514HbURzyQVKBQbGDuMgJ
/pkiR4BPnMuu4CjVHKxwR7Alq6E4Qhdr+mpujV95+PYpAzCkbkbUhV2qQJk4dtseAX3lDKUC
AwEAAaOCAacwggGjMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93d3cucHVibGljLXRydXN0
LmNvbS9jZ2ktYmluL0NSTC8yMDA2L2NkcC5jcmwwHQYDVR0OBBYEFPZSIhcVEwgDWb8YlZ9I
tLnp/vhmMIGSBgNVHSAEgYowgYcwSQYKKoZIhvhjAQIBBTA7MDkGCCsGAQUFBwIBFi1odHRw
Oi8vd3d3LnB1YmxpYy10cnVzdC5jb20vQ1BTL09tbmlSb290Lmh0bWwwOgYMKwYBBAGyMQEC
AQMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1AwWAYDVR0j
BFEwT6FJpEcwRTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEcMBoG
A1UEAxMTR1RFIEN5YmVyVHJ1c3QgUm9vdIICAaMwKwYDVR0QBCQwIoAPMjAwMjA4MjcxOTA3
MzFagQ8yMDA1MDIyMzIzNTkwMFowDgYDVR0PAQH/BAQDAgHmMA8GA1UdEwQIMAYBAf8CAQAw
DQYJKoZIhvcNAQEFBQADgYEAtqewenGL4LqzgR42MnqGGNbxq005CHEGWmegSwHlMEBtibWe
Faqxx/QKxlwO6TfeqJfH3M7Ncft0AgfcXxUnCFMHdtS5BunCd1AeysmwwkaBgACtRKpc1iDZ
VTK+Vpbx6r2g47wNgDrqzPuaV+14pTY9VurR53TKNMPPsVHp4AwwggV4MIIEYKADAgECAhBY
CXfhRHXSR7F9sCWYMtgnMA0GCSqGSIb3DQEBBQUAMIHcMQswCQYDVQQGEwJHQjEXMBUGA1UE
ChMOQ29tb2RvIExpbWl0ZWQxHTAbBgNVBAsTFENvbW9kbyBUcnVzdCBOZXR3b3JrMUYwRAYD
VQQLEz1UZXJtcyBhbmQgQ29uZGl0aW9ucyBvZiB1c2U6IGh0dHA6Ly93d3cuY29tb2RvLm5l
dC9yZXBvc2l0b3J5MR8wHQYDVQQLExYoYykyMDAyIENvbW9kbyBMaW1pdGVkMSwwKgYDVQQD
EyNDb21vZG8gQ2xhc3MgMyBTZWN1cml0eSBTZXJ2aWNlcyBDQTAeFw0wNDExMjMwMDAwMDBa
Fw0wNTExMjMyMzU5NTlaMIHeMTUwMwYDVQQLEyxDb21vZG8gVHJ1c3QgTmV0d29yayAtIFBF
UlNPTkEgTk9UIFZBTElEQVRFRDFGMEQGA1UECxM9VGVybXMgYW5kIENvbmRpdGlvbnMgb2Yg
dXNlOiBodHRwOi8vd3d3LmNvbW9kby5uZXQvcmVwb3NpdG9yeTEfMB0GA1UECxMWKGMpMjAw
MyBDb21vZG8gTGltaXRlZDEWMBQGA1UEAxMNSmVyb21lIEFUSElBUzEkMCIGCSqGSIb3DQEJ
ARYVamVyb21lLmF0aGlhc0BmcmVlLmZyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDe
FVK5Ypmig424i0AwOHJUnSyJA52O+tSBoX0eNdQGxRxz/uA7wbzoEwWbUiiWVvQW2mrPcGEC
lgf+2zzD+CR0maX2QqIQvbuQxITOFdw8H6fKFq1axb8SZw7SOsXz2kyd2yp9SDXq6VlpQalg
lfwUG2xj8lDtAorSATFBXeF21QIDAQABo4IBtDCCAbAwHwYDVR0jBBgwFoAU9lIiFxUTCANZ
vxiVn0i0uen++GYwHQYDVR0OBBYEFOKQ5NfIrYBdMgWLKQXwMkJc/WLHMA4GA1UdDwEB/wQE
AwIFoDAMBgNVHRMBAf8EAjAAMCAGA1UdJQQZMBcGCCsGAQUFBwMEBgsrBgEEAbIxAQMFAjBG
BgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEBATArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3Vy
ZS5jb21vZG8ubmV0L0NQUzCBsAYDVR0fBIGoMIGlMDigNqA0hjJodHRwOi8vY3JsLmNvbW9k
by5uZXQvQ2xhc3MzU2VjdXJpdHlTZXJ2aWNlc18yLmNybDA6oDigNoY0aHR0cDovL2NybC5j
b21vZG9jYS5jb20vQ2xhc3MzU2VjdXJpdHlTZXJ2aWNlc18yLmNybDAtoCugKYEnQ2xhc3Mz
U2VjdXJpdHlTZXJ2aWNlc18yQGNybC5jb21vZG8ubmV0MBEGCWCGSAGG+EIBAQQEAwIFIDAg
BgNVHREEGTAXgRVqZXJvbWUuYXRoaWFzQGZyZWUuZnIwDQYJKoZIhvcNAQEFBQADggEBAH+w
UOqihz0rhfJQoMag9qrpaMyZ/iW+vuOUafk+9AfmVnAIPPFaftQhcppuQMvDdCZwf7+X9J4P
W3KLjGq05ZfJubwSX2u44h706HMEl8g5GXVF0ZcTiH+MczW/btfFHuLNwSJPs+cij21ljmOX
AL/a4v4dSEW5yKxRsQ8yOP6X4/+73LXhKUWVDN7/uuSyIXTYHZwb/Uy3Re7w7UlSc9kb2QPU
eEPDmXH6dO75ekBkjdrIz0pAaO54hTGQTSbVKaUuvQIPb3c4UqnPMbhcchMLbeo7S1OjDwPF
pxPpNvLSyidMdwW6nthV3QY72EpKcrszEIaiUP9kJynKGZkU/TQwggV4MIIEYKADAgECAhBY
CXfhRHXSR7F9sCWYMtgnMA0GCSqGSIb3DQEBBQUAMIHcMQswCQYDVQQGEwJHQjEXMBUGA1UE
ChMOQ29tb2RvIExpbWl0ZWQxHTAbBgNVBAsTFENvbW9kbyBUcnVzdCBOZXR3b3JrMUYwRAYD
VQQLEz1UZXJtcyBhbmQgQ29uZGl0aW9ucyBvZiB1c2U6IGh0dHA6Ly93d3cuY29tb2RvLm5l
dC9yZXBvc2l0b3J5MR8wHQYDVQQLExYoYykyMDAyIENvbW9kbyBMaW1pdGVkMSwwKgYDVQQD
EyNDb21vZG8gQ2xhc3MgMyBTZWN1cml0eSBTZXJ2aWNlcyBDQTAeFw0wNDExMjMwMDAwMDBa
Fw0wNTExMjMyMzU5NTlaMIHeMTUwMwYDVQQLEyxDb21vZG8gVHJ1c3QgTmV0d29yayAtIFBF
UlNPTkEgTk9UIFZBTElEQVRFRDFGMEQGA1UECxM9VGVybXMgYW5kIENvbmRpdGlvbnMgb2Yg
dXNlOiBodHRwOi8vd3d3LmNvbW9kby5uZXQvcmVwb3NpdG9yeTEfMB0GA1UECxMWKGMpMjAw
MyBDb21vZG8gTGltaXRlZDEWMBQGA1UEAxMNSmVyb21lIEFUSElBUzEkMCIGCSqGSIb3DQEJ
ARYVamVyb21lLmF0aGlhc0BmcmVlLmZyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDe
FVK5Ypmig424i0AwOHJUnSyJA52O+tSBoX0eNdQGxRxz/uA7wbzoEwWbUiiWVvQW2mrPcGEC
lgf+2zzD+CR0maX2QqIQvbuQxITOFdw8H6fKFq1axb8SZw7SOsXz2kyd2yp9SDXq6VlpQalg
lfwUG2xj8lDtAorSATFBXeF21QIDAQABo4IBtDCCAbAwHwYDVR0jBBgwFoAU9lIiFxUTCANZ
vxiVn0i0uen++GYwHQYDVR0OBBYEFOKQ5NfIrYBdMgWLKQXwMkJc/WLHMA4GA1UdDwEB/wQE
AwIFoDAMBgNVHRMBAf8EAjAAMCAGA1UdJQQZMBcGCCsGAQUFBwMEBgsrBgEEAbIxAQMFAjBG
BgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEBATArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3Vy
ZS5jb21vZG8ubmV0L0NQUzCBsAYDVR0fBIGoMIGlMDigNqA0hjJodHRwOi8vY3JsLmNvbW9k
by5uZXQvQ2xhc3MzU2VjdXJpdHlTZXJ2aWNlc18yLmNybDA6oDigNoY0aHR0cDovL2NybC5j
b21vZG9jYS5jb20vQ2xhc3MzU2VjdXJpdHlTZXJ2aWNlc18yLmNybDAtoCugKYEnQ2xhc3Mz
U2VjdXJpdHlTZXJ2aWNlc18yQGNybC5jb21vZG8ubmV0MBEGCWCGSAGG+EIBAQQEAwIFIDAg
BgNVHREEGTAXgRVqZXJvbWUuYXRoaWFzQGZyZWUuZnIwDQYJKoZIhvcNAQEFBQADggEBAH+w
UOqihz0rhfJQoMag9qrpaMyZ/iW+vuOUafk+9AfmVnAIPPFaftQhcppuQMvDdCZwf7+X9J4P
W3KLjGq05ZfJubwSX2u44h706HMEl8g5GXVF0ZcTiH+MczW/btfFHuLNwSJPs+cij21ljmOX
AL/a4v4dSEW5yKxRsQ8yOP6X4/+73LXhKUWVDN7/uuSyIXTYHZwb/Uy3Re7w7UlSc9kb2QPU
eEPDmXH6dO75ekBkjdrIz0pAaO54hTGQTSbVKaUuvQIPb3c4UqnPMbhcchMLbeo7S1OjDwPF
pxPpNvLSyidMdwW6nthV3QY72EpKcrszEIaiUP9kJynKGZkU/TQxggRbMIIEVwIBATCB8TCB
3DELMAkGA1UEBhMCR0IxFzAVBgNVBAoTDkNvbW9kbyBMaW1pdGVkMR0wGwYDVQQLExRDb21v
ZG8gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9VGVybXMgYW5kIENvbmRpdGlvbnMgb2YgdXNl
OiBodHRwOi8vd3d3LmNvbW9kby5uZXQvcmVwb3NpdG9yeTEfMB0GA1UECxMWKGMpMjAwMiBD
b21vZG8gTGltaXRlZDEsMCoGA1UEAxMjQ29tb2RvIENsYXNzIDMgU2VjdXJpdHkgU2Vydmlj
ZXMgQ0ECEFgJd+FEddJHsX2wJZgy2CcwCQYFKw4DAhoFAKCCAr8wGAYJKoZIhvcNAQkDMQsG
CSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUwOTA2MTEyMDM3WjAjBgkqhkiG9w0BCQQx
FgQUhrip6Eyf2lVW3S63kErPGroUH5UwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAO
BggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgw
ggECBgkrBgEEAYI3EAQxgfQwgfEwgdwxCzAJBgNVBAYTAkdCMRcwFQYDVQQKEw5Db21vZG8g
TGltaXRlZDEdMBsGA1UECxMUQ29tb2RvIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPVRlcm1z
IGFuZCBDb25kaXRpb25zIG9mIHVzZTogaHR0cDovL3d3dy5jb21vZG8ubmV0L3JlcG9zaXRv
cnkxHzAdBgNVBAsTFihjKTIwMDIgQ29tb2RvIExpbWl0ZWQxLDAqBgNVBAMTI0NvbW9kbyBD
bGFzcyAzIFNlY3VyaXR5IFNlcnZpY2VzIENBAhBYCXfhRHXSR7F9sCWYMtgnMIIBBAYLKoZI
hvcNAQkQAgsxgfSggfEwgdwxCzAJBgNVBAYTAkdCMRcwFQYDVQQKEw5Db21vZG8gTGltaXRl
ZDEdMBsGA1UECxMUQ29tb2RvIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPVRlcm1zIGFuZCBD
b25kaXRpb25zIG9mIHVzZTogaHR0cDovL3d3dy5jb21vZG8ubmV0L3JlcG9zaXRvcnkxHzAd
BgNVBAsTFihjKTIwMDIgQ29tb2RvIExpbWl0ZWQxLDAqBgNVBAMTI0NvbW9kbyBDbGFzcyAz
IFNlY3VyaXR5IFNlcnZpY2VzIENBAhBYCXfhRHXSR7F9sCWYMtgnMA0GCSqGSIb3DQEBAQUA
BIGAsF3+0K5MNJdB58OhSOP06Nu+LYvAGwWwehpzdbNcw3KLMW74ygsWneSJCmQQdcO6cc7D
wF7ac7xK8BAQwftDe4Dn+NlpzIIx8vrsB4dNb+q1ouQrKAoArKpBoTSrL/Ttvo3R6tGCU8Kk
SqXDMqtDM8oi2W9O1IaoacMOvvZDO7EAAAAAAAA=
--------------ms000602050201010008060701--
