It rather involved being on the other side of this airtight hatchway: Spoofing another program

The Old New Thing, published 2023-12-20. https://devblogs.microsoft.com/oldnewthing/20231220-44/?p=109172

Summary: You already had the power to do it yourself.

A security vulnerability report arrived that went roughly like this:

> When a desktop application registers to produce toast notifications (https://learn.microsoft.com/windows/apps/design/shell/tiles-and-notifications/send-local-toast-desktop-cpp-wrl), it provides its Application User Model ID (AUMID). An attacker can spoof any app by substituting the victim app's AUMID when registering. If the victim generates a toast notification, the desktop application will steal the click and can perform whatever action it desires. In this proof of concept, we launch Notepad.

That sounds bad when you put it that way: One app can steal clicks intended for another app.

But wait, the attacker is a desktop application that is already running code. If you can run code, then don't be surprised that you can run code: The attacker doesn't have to wait for the victim to generate a toast notification. Whatever evil things they want to do, they can just do them right away! No need to wait.

If your concern is that they can prevent the victim program from receiving clicks, well, desktop applications can already do that. Install a low-level mouse hook, and whenever you see a mouse click, see if it's on a toast from your victim program. If so, then prevent the click from being processed, and do your own evil thing instead.

Even without the benefit of low-level mouse hooks, desktop applications run at medium integrity,¹ so they have the ability to attack any of the user's programs that are running at low integrity (such as those running in the restricted UWP environment), as well as any of the user's programs that are running at medium integrity (traditional Win32 programs running non-elevated). The attacker can inject code into the victim process and patch the click handler so it does something evil instead of whatever the program intended.

Heck, they could inject code into Explorer and just patch the entire toast notification infrastructure! Generate fake notifications, suppress valid ones, alter the text in the notifications, go nuts.

Squatting on another program's AUMID when registering for toast notifications doesn't give desktop applications any powers beyond what they already had. Desktop applications run at medium integrity, which already gives them a great deal of power. By running a desktop app, you are trusting that they don't abuse that power.

¹ And you can even choose to run them at high integrity if you run them elevated.