HWND_BROADCAST

A few years ago while working on Windows sandboxing, I noticed a few relatively minor problems with Job Objects, Desktops and related facilities. I reported them to Microsoft, who said they don’t consider these supported security boundaries and declined to fix them, but this was no big deal and I dropped the issue. The chrome security guys developed techniques to workaround some of these bugs in Chrome instead.

One of the problems I described was how broadcast messages were exempt from UIPI, and gave an example of how a LI process can broadcast WM_CHAR messages which would be interpreted as input to any open MI/HI command prompts.

The attack was not devastating, because an attacker would have to wait for a user to open a command prompt as MI or HI and then take over, which is a pretty weak attack. However, a few weeks ago I noticed a Microsoft blogger claiming that this exact scenario was impossible.

Unable to resist correcting him, I posted a comment on his blog and tweeted about it.

A few weeks later, Microsoft fixed it in MS13-005. This surprised me, because I didn’t know a really good attack to abuse it, and Microsoft previously told me they were not interested. I figured Microsoft must have discussed it internally, and had realised a better way to exploit it.

A few days later I realised what the attack was.

LI processes can still trigger Global Hotkeys with keybd_event, so if I enumerate all the hotkeys registered in a default installation, maybe one of these will offer the solution. I put a kd breakpoint on NtUserRegisterHotkey and enumerated them all.

I think I figured it out, here is the attack I think Microsoft realised before I did:

• From a Low Integrity process, spawn a cmd.exe and wait for explorer to add it to the task list.
• Use keybd_event to send Win+Shift+[1 … 9]
• Explorer will spawn a new cmd.exe, which will inherit Medium Integrity from explorer.
• Use SendMessage with HWND_BROADCAST to send WM_CHAR messages.
• Drive the command prompt to send any new command you want, along with some ASCII art skulls to make it look like a scene from a Hollywood movie.

Print Share Comment Cite Upload Translate

APA

() » HWND_BROADCAST. Retrieved from https://www.truth.cx/2013/02/04/hwnd_broadcast/.

MLA

" » HWND_BROADCAST." - , https://www.truth.cx/2013/02/04/hwnd_broadcast/

HARVARD

» HWND_BROADCAST., viewed ,

VANCOUVER

- » HWND_BROADCAST. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2013/02/04/hwnd_broadcast/

CHICAGO

" » HWND_BROADCAST." - Accessed . https://www.truth.cx/2013/02/04/hwnd_broadcast/

IEEE

" » HWND_BROADCAST." [Online]. Available: https://www.truth.cx/2013/02/04/hwnd_broadcast/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa A few years ago while working on Windows sandboxing, I noticed a few relatively minor problems with <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684161(v=vs.85).aspx">Job Objects</a>, <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682573(v=vs.85).aspx">Desktops</a> and related facilities. I reported them to Microsoft, who said they don't consider these supported security boundaries and declined to fix them, but this was no big deal and I dropped the issue. The chrome security guys developed techniques to workaround some of these bugs in Chrome instead.<br /><br />One of the problems I described was how broadcast messages were exempt from <a href="https://en.wikipedia.org/wiki/User_Interface_Privilege_Isolation">UIPI</a>, and gave an example of how a LI process can broadcast <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms646276(v=vs.85).aspx">WM_CHAR</a> messages which would be interpreted as input to any open MI/HI command prompts.<br /><br />The attack was not devastating, because an attacker would have to wait for a user to open a command prompt as MI or HI and then take over, which is a pretty weak attack. However, a few weeks ago I noticed a Microsoft blogger <a href="http://blogs.msdn.com/b/oldnewthing/archive/2012/12/13/10377004.aspx">claiming that this exact scenario was impossible</a>.<br /><br />Unable to resist correcting him, I posted a comment on his blog and <a href="https://twitter.com/taviso/status/279304662753103872">tweeted about</a> it.<br /><br />A few weeks later, Microsoft fixed it in <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-005">MS13-005</a>. This surprised me, because I didn't know a really good attack to abuse it, and Microsoft previously told me they were not interested. I figured Microsoft must have discussed it internally, and had realised a better way to exploit it.<br /><br />A few days later I realised what the attack was.<br /><br />LI processes can still trigger <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms646309(v=vs.85).aspx">Global Hotkeys</a> with <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms646304(v=vs.85).aspx">keybd_event</a>, so if I enumerate all the hotkeys registered in a default installation, maybe one of these will offer the solution. I put a kd breakpoint on NtUserRegisterHotkey and enumerated them all.<br /><br />I think I figured it out, here is the attack I think Microsoft realised before I did:<br /><br /><ul><li>From a Low Integrity process, spawn a cmd.exe and wait for explorer to add it to the task list.</li><li>Use keybd_event to send Win+Shift+[1 ... 9]</li><li>Explorer will spawn a new cmd.exe, which will inherit Medium Integrity from explorer.</li><li>Use SendMessage with HWND_BROADCAST to send WM_CHAR messages.</li><li>Drive the command prompt to send any new command you want, along with some ASCII art skulls to make it look like a scene from a Hollywood movie.</li></ul><div>Apparently Packetstorm are <a href="http://packetstormsecurity.com/bugbounty/">offering a reward</a> for a working implementation of this, so be my guest if you want to practice your Win32 scripting skills.</div><div><br /><b>Update</b>: <a href="https://twitter.com/0vercl0k">0vercl0k </a>has produced a neat demo. <a href="https://twitter.com/0vercl0k/status/298921576437518337">https://twitter.com/0vercl0k/status/298921576437518337</a></div> First name:

Last name: