A Shatter Attack: How it works

By Matthew Broersma

A security expert has sparked fresh controversy regarding the security of Microsoft's Windows operating system. Chris Paget, a freelance security researcher, has published a whitepaper demonstrating what he calls a 'Shatter Attack', which allows a user to elevate his or her privileges and gain control of a system. Paget's 'Shatter Attack' relies on a mechanism called messaging which Windows uses for controlling applications, such as registering when a key has been pressed, for example. Windows' messaging, Paget argues, is flawed because an application can use messages to control any window on the same desktop, and these actions are not authenticated. Messaging-based security risks have been discussed for some time, but Paget believes this is the first time such an attack has been demonstrated. In Paget's demonstration, the attacker uses Network Associates VirusScan v4.5.1 running on Windows 2000 Professional. Since the application needs high access privileges, it runs at a security setting called LocalSystem. The attacker, logged in as guest, is able to fool the application into running a small piece of code with the higher LocalSystem privileges, and this code in turn elevates the user's privileges. Escalating user privileges requires the presence of an application that itself uses high privileges, such as a virus scanner or personal firewall. The application must include a window that both uses those high privileges and interacts directly with the user, called running as an "interactive service", Paget noted. It is impossible to estimate how common such applications are without investigating them individually, but "potentially any program that does something that requires high privileges on a system could be running as an interactive service", he said. However, messaging-based attacks may not be limited to applications running as interactive services. For example, if a personal firewall allowed only Internet Explorer access to a company's network, the attacker could circumvent the firewall using IE in a way that would give him or her command line access to the network, Paget said. "To be honest, every application that runs on Windows is likely to be vulnerable in some way or another," he said. "It's not just privilege-escalation attacks you can do through this." In a statement issued to ZDNet UK in response to the whitepaper, Microsoft argued that these messaging exploits do not "meet Microsoft's definition of a security vulnerability". "The proposed attack scenario assumes that the attacker has already been allowed to cross a security boundary or has access to a program using interactive services to LocalSystem," the statement said. Microsoft argued that the situation does not count as a threat because the attacker required "unrestricted physical access to your computer" to carry out the exploit. Paget warned that it is unwise to downplay the significance of such exploits. He noted that the scenario only requires system access that is typical on corporate networks. The attack can also be carried out remotely from a client with access to Terminal Services, a way of providing a number of users such as telecommuters or call-centre workers access to certain functions on a centralised system. "You could take over the entire terminal server," he said. Paget's whitepaper also touched off a debate on the Bugtraq mailing list for security professionals, with some arguing that the responsibility for such flaws lies with developers, and others agreeing with Paget that Microsoft has created an API that makes it easy to create vulnerable software. One researcher said that regardless of who is to blame, exploits involving Windows messages could turn out to be a real problem. "Though there may be a way to prevent these vulnerabilities, the same could be said for, say, a buffer overflow, and yet they're found all over the place," he wrote. Matthew Broersma writes for ZDNet UK