[41469] in bugtraq
RE: Microsoft Windows CreateRemoteThread Exploit
daemon@ATHENA.MIT.EDU (Michael Wojcik)
Fri Dec 2 17:49:47 2005
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Date: Fri, 2 Dec 2005 06:41:18 -0800
Message-ID: <11352F9641010A418AD5057945A3A6591F1251@MTV-EXCHANGE.microfocus.com>
From: "Michael Wojcik" <Michael.Wojcik@microfocus.com>
To: <bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit
> From: q7x@ashiyane.com [mailto:q7x@ashiyane.com]
> Sent: Thursday, 01 December, 2005 05:02
>
> Description:
> when the one process open with OpenProcess function and
> use CreateRemoteThread(Process,0,0,x,0,0,0) then the process crash.
> an example hackers can use this method for kill firewalls
> and antiviruses
If an attacker can successfully call OpenProcess() on a process with
arbitrary access, then they can just request PROCESS_TERMINATE access
and terminate the process with TerminateProcsss(). Other attacks are
obviously possible with other forms of access.
I don't see how this particular feature is a vulnerability unless an
attacker can somehow perform a successful OpenProcess() but only with
PROCESS_CREATE_THREAD access. And even then, why couldn't the attacker
just do:
CreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)_exit,
NULL, 0, NULL);
or indeed create a remote thread with any other useful function the
process has mapped?
This "exploit" boils down to "if I can make a process call address 0, I
can cause an exception in it". Well, sure. If you can make a process
execute arbitrary code, you can do all sorts of things.
An attacker who can successfully open a security-critical process has
already won.
--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
