Presentation of paper titled
Security Vulnerabilities in Event-Driven Systems
at the IFIP/SEC2002 conference in Egypt.
Announcement of this page
at the vuln-dev mailling at SecurityFocus.
Presentation of paper titled A New Avenue of Attack: vent-Driven System Vulnerabilities
at the ECIW conference in London.
An e-mail sent to Bugtraq by Chris Paget about his tutorial on event-driven system vulnerabilities titled White paper: Exploiting the Win32 API.
. From this posting it was sent to SlashDot, TheRegister, KuroShin and so on.
to the NT-Bugtraq mailling list by Andrey Kolishak mentioning the WM_TIMER issue. It mentions a reference to an MSJ article that I did not know about.
The PDF versions of the papers have been updated. The changes were mostly cosmetic (now hyperref is used). They are available at the same locations below.
From a bugtraq posting
, there has been an advisory from @stake (DilDog)
in Sep2000 of a vulnerability that leads to privilege elevetion through event exploitation.
candidate of a bug involving event manipulation in Windows has been opened as CAN-2002-1230
. It was filed on the 21Oct2002 to cover the exploit application GetAd.c
Microsoft released a patch to address the vulnerability of the WM_TIMER message that accepts a callback function address as part of the payload. The bug is filed as MS02-071
. This patch does not appear to address the root of the problem, it only relieves some symptoms. Sadly, no references have been made in the advisory about prior work on this type of vulnerability.
This page describes security vulnerabilities in event-driven systems. Common event-driven systems are the Microsoft Windows* operating systems and graphical environments, the X Window System and the Java Virtual Machine. Among those, Microsoft Windows is analysed here. For an academic analysis, read the first paragraph of the Introduction below which has links to two papers. For a less academic overview, continue reading this page.
With reference to the papers entitled "
Security Vulnerabilities in Event-Driven Systems
" and "A New Avenue of Attack: vent-Driven System Vulnerabilities
", we provide demonstrations
to the practical examples described in the papers.
The demonstrations were carried out on Windows XP Professional and Windows
2000. The screenshots are from Windows XP. Some of the screenshots were
taken with the "traditional" Windows XP theme, thus it looks like Windows
Firstly, in an event-driven system, an application receives events from
input devices (such as mouse and keyboard) as well as from other applications.
For example, the events that Notepad receives when someone types something
it it are shown here:
You can see the "c" letter being pressed.
Denial of service
For this example to work, one would normally need a mouse with three buttons.
The Microsoft IntelliMouse with a wheel is also sufficient as it works like
a third button as well. Additionaly, one should install the Logitech MouseWare
mouse utilities (installed by default in many mouse/laptop configurations).
These utilities are available for free from the
Logitech WWW site
After installation, one needs to enable the middle button to act as a "Double
click" button. That is, when one clicks the middle button, a double click
event is sent to the application. If someone has a two mouse button, s/he
can temporarily set the double-click functionality to the right button (if
s/he is a right-handed PC user).
The dialog that sets the middle button to act as double click looks like
Subsequently, the user should run Notepad.exe and type dummy text so that
both the verical and horizontal scrollbars are enabled.
We focus on the horizontal scrollbar. The user should click on the left
arrow button of the scrollbar and hold the mouse button. At the same time,
the mouse pointer moves on the middle of the horizontal scrollbar, while the
mouse button is still pressed. Finally, the middle button (associated with
double-click) is pressed.
The scrollbar gets confused and looks like the following.
And the following. (release mouse buttons and try to move
the scrollbar as normally)
The author discovered the above feature in 1993 while he was an owner of
a Logitech mouse, running Windows 3.1 and an old version of the MouseWare
utilities. Subsequently, he found the same behaviour on Windows 95, Windows
98, Windows 2000 and Windows XP.
Modification of running application
When a user installs an application, s/he has to accept a use license of
the software. This is typically called the End-User License Agreement (EULA).
If the user chooses not to accept the license, the application does not
install. We show how to change the visual content of the license.
Such a EULA window looks like this
Using a special application that can send custom events to specific windows,
we send the appropriate event to convert the text box of the license to
a editable text box. The result looks like this.
The white colors signifies that changes can take place. One can change
to the following.
Finally, the text box is changed again to read-only in order to look more
similar with the original.
Note: This does not seem to invalidate the license of the application.
What we showed here is the same thing as unwrapping the box of shrink-wrapped
software in a dark room and carefully disposing the license material. Thus,
you will probably not bypass the license with the above procedure, at least
in most Western countries. Let's add that the changes take place in the running
application only. Running the application again will obviously show the initial
Unauthorised access to objects
If you want to capture the password from an application like the following
or the following
and the only method is by sending events, then events can help you. Let
me say here that it is easier to capture the events sent to the events sent
to an application by using keyboard hooks. However, if the attacker is running
under a different user than the victim, you cannot place a hook (Windows
2000 and Windows XP).
One could send the appropriate events to copy the password field to the
clipboard and paste it to the attacker application. Clipboards are shared.
However, this cannot be done because the textbox of the password is marked
as one for passwords. The copy attempt does not work.
But not all is lost. One can send the appropriate event to convert the
password textbox to a textbox that has the password character set to ''.
This makes the textbox behave as a normal textbox. Then, the copy procedure
can take place.
Programmatically, one can unset the password character, copy and paste
the password and set it back again without the end-user realising.
To automate this, we wrote a client application. The result for both applications
shown above looks like
The source code is available here
while you can also download at
your own risk statically linked with regards to the MFC libraries
dynamically linked with regards to the MFC libraries
The way this program works is a bit peculiar. It has to be the active application while you move the mouse pointer over other Windows. This way it will be able to extract information about other windows in the least intrusive way. Once the exact victim has been selected, use the keyboard shortcuts in order to choose the action, like "Melt", "Freeze" and so on. MySpy knows who is the victim and the action you want to carry out.
Using functionality from Windows 2000 or Windows XP, you can run MySpy as a normal user (using the RunAs functionality) and attack applications that belong to an administrative account.
Execution of custom/malicious code
Specific event types carry payload such as addresses to procedures to be
executed. Thus, an attacker only needs to know a specific address in the
address space of the victim application in order to exploit. To make matters
worse, if the attacker can put custom code in the address space of the victim,
s/he can execute it.
One way this can be done is with the WM_TIMER event. This events accepts
as an optional argument the address to code to be executed.
Sending the WM_TIMER event with a random address produced in our case the
and by delving into more details
Author: Symeon (simos) Xenitellis, available at: simos74 at gmx dot net
Affiliation: Information Security Group, Royal Holloway, University
of London, TW20 0EX