{"id":102842,"date":"2019-09-06T07:00:00","date_gmt":"2019-09-06T14:00:00","guid":{"rendered":"http:\/\/devblogs.microsoft.com\/oldnewthing\/?p=102842"},"modified":"2019-09-05T17:42:36","modified_gmt":"2019-09-06T00:42:36","slug":"20190906-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20190906-00\/?p=102842","title":{"rendered":"It rather involved being on the other side of this airtight hatchway: Guessing window procedure magic cookies"},"content":{"rendered":"<p>A security vulnerability report arrived that said that if you passed a carefully-malformed value to the <code>Call\u00adWindow\u00adProc<\/code> function, then it would call an unexpected function.<\/p>\n<p>Recall that when you call <code>Get\u00adWindow\u00adLong\u00adPtr(GWLP_<\/code><code>WNDPROC)<\/code> and the window procedure&#8217;s character set is different from the character set of the <code>Get\u00adWindow\u00adLong\u00adPtr<\/code>, then <a href=\"https:\/\/devblogs.microsoft.com\/oldnewthing\/20031201-00\/?p=41673\"> the window manager returns a magic cookie<\/a> as the pretend window procedure. This magic cookie is meaningful only to the <code>Call\u00adWindow\u00adProc<\/code> function, and it indicates that the message parameters need to be changed from one character set to another before calling the <i>real<\/i> window procedure.<\/p>\n<p>The finder wrote, &#8220;I haven&#8217;t looked into it further to see any other possible security implications.&#8221;<\/p>\n<p>What are the security implications of letting people guess the magic cookies?<\/p>\n<p>Nothing, really. 
Because you&#8217;re already on the other side of the airtight hatchway.<\/p>\n<p>Which made me kind of confused by that statement about &#8220;other possible security implications,&#8221; since I couldn&#8217;t even see the first one.<\/p>\n<p>Remember, when looking at a potential security issue, you have to identify who the attacker is, who the victim is, and what the attacker has gained.<\/p>\n<p>One possible attacker is &#8220;the process that passed an artificial magic cookie to the <code>Call\u00adWindow\u00adProc<\/code> function.&#8221; But all you&#8217;re doing is attacking yourself. Even if the parameter happens to match an actual magic cookie, all you did was call a function in your own process. The <code>WPARAM<\/code> and <code>LPARAM<\/code> parameters might be transformed as part of the character set conversion, but really, what you found was a way to call a function in your own process in an extremely convoluted way.<\/p>\n<p>Another attacker might be &#8220;an external entity which tricked a process into passing a crafted magic cookie to the <code>Call\u00adWindow\u00adProc<\/code> function.&#8221; But that means that the attacker found a way to trick a process into passing <i>a value of its choosing<\/i> to the <code>Call\u00adWindow\u00adProc<\/code> function. If an attacker has that much power over the process, then what&#8217;s it doing wasting its time with magic cookies? It can just trick the app into passing arbitrary function pointers to the <code>Call\u00adWindow\u00adProc<\/code> function! No need to limit yourself to functions that are callable via magic cookies; you can just call any function you like. 
In other words, the attacker gained nothing they didn&#8217;t already have.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You created a very funny-looking function pointer.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-102842","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>You created a very funny-looking function pointer.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/102842","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=102842"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/102842\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=102842"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=102842"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=102842"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}