[26574] in bugtraq
Re: White paper: Exploiting the Win32 API.
daemon@ATHENA.MIT.EDU (Roland Kaufmann)
Wed Aug 7 12:04:39 2002
Date: 7 Aug 2002 13:49:23 -0000
Message-ID: <20020807134923.15487.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Roland Kaufmann <roland@ii.uib.no>
To: bugtraq@securityfocus.com
In-Reply-To: <katvkuk81lk8srfaf2knq46of6k6jses1k@4ax.com>
> 3) Microsoft cannot fix these vulnerabilities. These are inherent
> flaws in the design and operation of the Win32 API. This is not a
> bug that can be fixed with a patch.
I would like to rebut this statement. The vulternability seems to
depend on the usage of the WM_TIMER message to execute arbitrary
data that has been put in the target process' address space.
The following four patches would seem to remove this capability:
(a) The memory page where the edit box store the message should not
be marked as executable but only as read/write. Even if the application
copies this memory, it should still be to a page marked as not
executable.
(b) WM_TIMER messages are posted to the message queue and can be
filtered by the application, as stated in the documentation for
this message. The application can have a list over timers and check
this for validity. (Moral of the story: Don't trust window message
parameters any more than user input).
(c) lParam may only be a value that has previously been registered
by SetTimer. GetMessage/PeekMessage or SendMessage/PostMessage can
be modified to verify this. (There has to be a list of timers for
the application somewhere)
(d) SendMessage/PostMessage could be modified to not dispatch or
GetMessage/PeekMessage could be modified to drop WM_TIMER messages
(or any messages that takes addresses, like EM_GETLINE) to windows
belonging to processes other than itself.
