{"id":108307,"date":"2023-06-07T07:00:00","date_gmt":"2023-06-07T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=108307"},"modified":"2023-06-07T06:56:42","modified_gmt":"2023-06-07T13:56:42","slug":"20230607-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20230607-00\/?p=108307","title":{"rendered":"Pulling sleight of hand tricks in a security vulnerability report, episode 2"},"content":{"rendered":"

A security vulnerability report came in that claimed to have “found a way for privileged accounts to force the system to crash, and for non-privileged accounts to force the termination of any process.” They claim that they were exploiting a vulnerability in Message\u00adBox<\/code>.<\/p>\n

They included a proof of concept, which went something like this.<\/p>\n

using System;\r\nusing System.Diagnostics;\r\nusing System.Runtime.InteropServices;\r\n\r\npublic class Program\r\n{\r\n  [DllImport(\"kernel32.dll\")]\r\n  static extern IntPtr OpenProcess(int access, bool inherit, int id);\r\n\r\n  [DllImport(\"kernel32.dll\")]\r\n  static extern IntPtr VirtualAllocEx(IntPtr process, IntPtr address,\r\n   int size, uint type, uint protection);\r\n\r\n  [DllImport(\"kernel32.dll\")]\r\n  static extern bool WriteProcessMemory(IntPtr process, IntPtr address,\r\n    IntPtr source, int size, out uint written);\r\n\r\n  [DllImport(\"kernel32.dll\")]\r\n  static extern IntPtr CreateRemoteThread(IntPtr process,\r\n   IntPtr attributes, uint stackSize, IntPtr address,\r\n   IntPtr parameter, uint flags, out uint threadId);\r\n\r\n  [DllImport(\"user32.dll\")]\r\n  static extern int MessageBox(IntPtr window, string text, string caption, uint type);\r\n\r\n  [DllImport(\"user32.dll\")]\r\n  public static extern int EnableMenuItem(IntPtr menu, uint id, uint enable);\r\n\r\n  public static void Main(string[] args)\r\n  {\r\n    Func<IntPtr, uint, uint, int> MessageBox = EnableMenuItem;\r\n    GCHandle gcHandle = GCHandle.Alloc(MessageBox);\r\n    IntPtr inject = GCHandle.ToIntPtr(gcHandle);\r\n    int size = MessageBox.ToString().Length;\r\n\r\n    int id = Process.GetProcessesByName(args[0])[0].Id;\r\n\r\n    IntPtr process = OpenProcess(0x1F0FFF, false, id);\r\n\r\n    IntPtr memory = VirtualAllocEx(process, IntPtr.Zero, size, 0x00001000, 0x40);\r\n    uint written;\r\n    WriteProcessMemory(process, memory, inject, size, out written);\r\n\r\n    uint threadId;\r\n    CreateRemoteThread(process, IntPtr.Zero, 0, memory, IntPtr.Zero, 0, out threadId);\r\n\r\n  }\r\n}\r\n<\/pre>\n
The instructions for running the proof of concept were very simple:<\/p>\n
\n
As administrator:
\nattack.exe svchost<\/p>\n
As normal user:
\nattack.exe notepad (or any other process name)<\/p>\n<\/blockquote>\n
As is customary of low-quality reports, the finder provides no explanation of what they’re attacking or how the attack works. They just attach a program and say “Good luck figuring out what I did!”\u00b9<\/p>\n
I mean, I like puzzles. But this is not the place for puzzles.<\/p>\n
Here’s what’s going on.<\/p>\n
First, the code gets the native address and size of the Message\u00adBox<\/code> function.<\/p>\n
Next, they take the program name from the command line and find the process with that ID. (If there’s more than one, then they take the first one.)<\/p>\n
Once they have the process ID, they use Open\u00adProcess<\/code> to get a handle.<\/p>\n
With the process handle, they use Virtual\u00adAlloc\u00adEx<\/code> to allocate (MEM_COMMIT<\/code> = 0x00001000<\/code>) read-write-execute data (PAGE_EXECUTE_READ\u00adWRITE<\/code> = 0x40<\/code>) in the victim process, and then copy the Message\u00adBox<\/code> function into the process.<\/p>\n
Finally, they inject a thread to execute the injected code.<\/p>\n
Is this a security vulnerability?<\/p>\n
Notice the first parameter to Open\u00adProcess<\/code>: It is 0x1F0FFF<\/code> = PROCESS_ALL_ACCESS<\/code>.\u00b2 If you can get “all access” rights to a process, then you pwn the process, and it’s therefore not suprising that you can inject code into it to make it crash.<\/p>\n
In fact, if your goal is to crash the process, you don’t need to do all this nonsense. PROCESS_ALL_ACCESS<\/code> includes PROCESS_TERMINATE<\/code>, so this entire program could be simplified to<\/p>\n
public class Program\r\n{\r\n  public static void Main(string[] args)\r\n  {\r\n    System.Diagnostics.Process.\r\n        GetProcessesByName(args[0])[0].Kill();\r\n  }\r\n}\r\n<\/pre>\n
or a C# 9 one-liner,<\/p>\n
System.Diagnostics.Process.GetProcessesByName(args[0])[0].Kill();\r\n<\/pre>\n
or avoid having to write any code at all: Run Task Manager, find the svchost.exe<\/code> or notepad.exe<\/code> you want to terminate, and click “End Task”.<\/p>\n
Oh, and did you see the sleight of hand?<\/p>\n
The report first says that an administrator can terminate any process, and they picked svchost<\/code>. But then when they said that a non-administrator can also terminate any process, and somehow they switch from svchost<\/code> to a lowly notepad<\/code>.<\/p>\n
That’s because when they tried having a non-administrator attack svchost<\/code>, it didn’t work.<\/p>\n
Somehow conveniently forgot to mention that.<\/p>\n
Remember, you’re a researcher, not a student turning in a homework assignment. If you find evidence that runs counter to your hypothesis, you need to take it into consideration, not hide it and hope that nobody notices.<\/p>\n
Bonus chatter<\/b>: There are plenty of other wrong things about this vulnerability report. I’ll leave them as Easter Eggs for you to discover.<\/p>\n
\u00b9 I suspect that one of the reasons they don’t explain what their code does, or how the code accomplishes what it claims to do, is that they don’t know themselves<\/i>. They just wrote some code, gosh it acts funny, must be a security vulnerability, send it to Microsoft!<\/p>\n
\u00b2 Specifically, it is the value of PROCESS_ALL_ACCESS<\/code> from Windows XP. The value was upgraded in Windows Vista to 0x001FFFFF<\/code> to include the “limited information” access bits, but this finder is apparently working from a very old worksheet.<\/p>\n","protected":false},"excerpt":{"rendered":"
I see what you did there.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-108307","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"
I see what you did there.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/108307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=108307"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/108307\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=108307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=108307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=108307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}