Unprotected Windows Messaging Channel ('Shatter')

Status: Draft
Abstraction: Variant
Structure: Simple
Description

The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.

Common Consequences
Scope: Access Control

Impact: Gain Privileges or Assume Identity; Bypass Protection Mechanism

Potential Mitigations
Phase: Architecture and Design
Always verify and authenticate the source of the message.
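As an added illustration (not part of the CWE entry and not code from any product referenced here), the following C program models a message-loop filter for a process that runs with elevated privileges. It does not use the real Win32 API, so that it builds anywhere: the message ids carry the Windows SDK's numeric values, a plain struct stands in for MSG, and the `on_shared_desktop` flag is an assumption standing in for whatever check the program uses to learn whether lower-privileged processes can post to its windows. What it shows is the design the mitigation implies: window messages carry no sender identity, so a privileged window must not be reachable from a shared desktop, only allowlisted messages are acted on, and no code pointer is ever taken from a message parameter (the WM_TIMER case, where the real DispatchMessage would otherwise call the address in lParam, is the callback-pointer pattern seen in CVE-2003-0350).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Message ids: numeric values match the Windows SDK, but no Windows header
 * is used so this file builds and runs on any platform (constructed model). */
#define WM_SETTEXT 0x000C
#define WM_CLOSE   0x0010
#define WM_COMMAND 0x0111
#define WM_TIMER   0x0113

/* Stand-in for the MSG structure. */
typedef struct {
    unsigned  message;
    uintptr_t wparam;
    intptr_t  lparam;
} WinMsg;

typedef enum {
    MSG_HANDLED,
    MSG_DROPPED_SHARED_DESKTOP, /* privileged window reachable by other processes */
    MSG_DROPPED_CALLBACK,       /* message tried to supply a code pointer */
    MSG_DROPPED_UNKNOWN         /* not on the allowlist for an elevated window */
} MsgVerdict;

/* Work is selected from fixed tables by small integer ids. The address to
 * call is never read from the message, so whoever can post to the window
 * can only choose among these pre-registered actions. */
static int refresh_calls, flush_calls;
static void do_refresh(void) { refresh_calls++; }
static void do_flush(void)   { flush_calls++; }
typedef void (*Action)(void);
static const Action timer_actions[] = { NULL, do_refresh, do_flush };
#define TIMER_ACTION_COUNT (sizeof timer_actions / sizeof timer_actions[0])
enum { CMD_REFRESH = 1, CMD_FLUSH = 2 };

/* Run on each message before it would reach DispatchMessage. Messages carry
 * no sender identity, so "verifying the source" has to be structural: the
 * caller reports (assumption: via its own desktop check) whether lower-
 * privileged processes can reach this window at all. */
MsgVerdict filter_message(const WinMsg *m, bool on_shared_desktop)
{
    if (on_shared_desktop)
        return MSG_DROPPED_SHARED_DESKTOP;

    switch (m->message) {
    case WM_TIMER:
        /* The real DispatchMessage calls lParam as a TIMERPROC when it is
         * non-zero. Timers this program registers never carry a procedure
         * pointer, so any WM_TIMER that does is refused. */
        if (m->lparam != 0)
            return MSG_DROPPED_CALLBACK;
        if (m->wparam == 0 || m->wparam >= TIMER_ACTION_COUNT)
            return MSG_DROPPED_UNKNOWN;
        timer_actions[m->wparam]();
        return MSG_HANDLED;

    case WM_COMMAND:
        /* Low word of wParam is the command id; it is looked up, never
         * dereferenced. */
        switch (m->wparam & 0xFFFFu) {
        case CMD_REFRESH: do_refresh(); return MSG_HANDLED;
        case CMD_FLUSH:   do_flush();   return MSG_HANDLED;
        default:          return MSG_DROPPED_UNKNOWN;
        }

    case WM_CLOSE:
        return MSG_HANDLED;

    default:
        /* Everything else, including WM_SETTEXT (which writes sender-chosen
         * bytes into this process), is refused rather than passed on. */
        return MSG_DROPPED_UNKNOWN;
    }
}

int main(void)
{
    /* Constructed message queue: two legitimate messages followed by the
     * callback-pointer and text-injection shapes the weakness describes. */
    const WinMsg queue[] = {
        { WM_TIMER,   1, 0 },
        { WM_COMMAND, CMD_FLUSH, 0 },
        { WM_TIMER,   1, (intptr_t)0x41414141 },
        { WM_SETTEXT, 0, (intptr_t)0x7ffd1000 },
    };
    static const char *names[] = { "handled", "dropped: shared desktop",
                                   "dropped: callback pointer", "dropped: unknown" };
    for (size_t i = 0; i < sizeof queue / sizeof queue[0]; i++)
        printf("msg 0x%04x -> %s\n", queue[i].message,
               names[filter_message(&queue[i], false)]);
    return 0;
}
```

The filter sits in the message loop rather than in the window procedure because, for WM_TIMER, the dangerous call happens inside DispatchMessage before any window procedure sees the message; a check placed only in the window procedure would come too late.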
Observed Examples
CVE-2002-0971: Bypass GUI and access restricted dialog box.
CVE-2002-1230: Gain privileges via Windows message.
CVE-2003-0350: A control allows a change to a pointer for a callback function using Windows message.
CVE-2003-0908: Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access "open file" dialog.
CVE-2004-0213: Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.
CVE-2004-0207: User can call certain API functions to modify certain properties of privileged programs.
References
[REF-402] Paget. "Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks - How to break Windows". August 2002.
[REF-62] Mark Dowd, John McDonald, and Justin Schuh. "The Art of Software Security Assessment". Addison Wesley. 2006.
Applicable Platforms
Languages: Not Language-Specific (Undetermined Prevalence)
Modes of Introduction
Architecture and Design
Affected Resources
  1. System Process
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
Relationship: Overlaps privilege errors and UI errors.
Research Gap: Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.