Shatter attack

In computing, a shatter attack is a programming technique employed by hackers on Microsoft Windows operating systems to bypass security restrictions between processes in a session. A shatter attack takes advantage of a design flaw in Windows's message-passing system whereby arbitrary code could be injected into any other running application or service in the same session that makes use of a message loop. This could result in a privilege escalation exploit.

Overview

Shatter attacks became a topic of intense conversation in the security community in August 2002 after the publication of Chris Paget's paper "Exploiting design flaws in the Win32 API for privilege escalation". The paper, which coined the term "shatter attack", explained the process by which an application could execute arbitrary code in another application. This could occur because Windows allows unprivileged applications to send messages to the message loops of higher-privileged applications, and some messages can carry the address of a callback function in the receiving application's address space as a parameter. If an attacker manages to put their own string into the memory of the higher-privileged application (say, by pasting shellcode into an edit box) at a known location, they can then send WM_TIMER messages whose callback-function parameter points to that string, and the privileged process calls it.

A few weeks after the publication of this paper, Microsoft responded, noting that: "The paper is correct that this situation exists, and it does correctly describe its effect. ... Where the paper errs is in claiming that this is a flaw in Windows. In reality, the flaw lies in the specific, highly privileged service. By design, all services within the interactive desktop are peers, and can levy requests upon each other. As a result, all services in the interactive desktop effectively have privileges commensurate with the most highly privileged service there."

Solutions

In December 2002, Microsoft issued a patch for Windows NT 4.0, Windows 2000, and Windows XP (security bulletin MS02-071, covering WM_TIMER handling) that closed off some avenues of exploitation. This was only a partial solution, however, as the fix was limited to services included with Windows that could be exploited using this technique; the underlying design flaw still existed and could still be used to target other applications or third-party services. With Windows Vista, Microsoft aimed to solve the problem in two ways. First, local users no longer log into Session 0, thus separating the message loop of a logged-in user's session from the high-privilege system services, which are loaded into Session 0. Second, a new feature called User Interface Privilege Isolation (UIPI) was introduced, whereby processes can be further protected against shatter attacks by assigning an Integrity Level to each process. Attempts to send messages to a process with a higher Integrity Level fail, even if both processes are owned by the same user. However, not all interactions between processes at different Integrity Levels are prevented by UIPI: a small set of messages is always allowed through, and a higher-integrity process can explicitly permit further messages from lower-integrity senders with ChangeWindowMessageFilterEx. Internet Explorer 7, for example, uses the UIPI feature to limit the extent to which its rendering components interact with the rest of the system.

The way sessions are instantiated was redesigned in Windows Vista and Windows Server 2008 to provide additional protection against shatter attacks. Local user logins were moved from Session 0 to Session 1, thus separating the user's processes from system services that could be vulnerable.

[Figure: The Interactive Services Detection service in Windows Server 2008.]

This creates backward compatibility issues, however, as some software was designed with the assumption that the service is running in the same session as the logged-in user. To support this view, Windows Vista and Windows Server 2008 introduced a Windows service called "Interactive Services Detection" that enables access to dialogs created by interactive services when they appear. The interactive user is shown a dialog box and is offered the ability to switch to Session 0 to access the dialog box. This capability was removed in the Windows 10 Creators Update.

See also

User Interface Privilege Isolation
Mandatory Integrity Control
Principle of least privilege
Capability-based security

References

1. Chris Paget (August 2002). "Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks - How to break Windows". Archived from the original on 2006-09-04. Retrieved 2011-12-29.
2. "Information About Reported Architectural Flaw in Windows". TechNet. Microsoft. September 2002. Retrieved 2006-07-18.
3. "Microsoft Security Bulletin MS02-071 – Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)". Microsoft. December 11, 2002. Retrieved 2011-12-29.
4. "Shatter-proofing Windows" (PDF). Retrieved 2011-12-29.
5. "PsExec, User Account Control and Security Boundaries". Archived from the original on 2010-04-15. Retrieved 2007-10-08.
6. "Larry Osterman's WebLog – Interacting with Services". Larry Osterman. September 14, 2005. Retrieved 2007-04-03.
7. Ken Schaefer (August 5, 2006). "Why Vista? Changes to services part 2 (Security, Stability, System Integrity)".
8. Cyril Voisin (February 23, 2007). "Services isolation in Session 0 of Windows Vista and Longhorn Server". Cyril Voisin (aka Voy) on security. MSDN Blogs. Retrieved 2008-04-23.
9. "Features that are removed or deprecated in Windows 10 Creators Update". Microsoft. 11 March 2024.
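The following PowerShell script is an added example, not code from the article, from Chris Paget's paper, or from Microsoft. It checks a host against the two mitigations discussed under Solutions: it lists services that still request desktop interaction together with the session their process runs in (Session 0 isolation), and it sends a WM_SETTEXT message, the same primitive a shatter attack uses to place attacker-chosen bytes in a target, to a window of a higher-integrity process to confirm that UIPI drops it with ERROR_ACCESS_DENIED. Assumptions: it is run from a normal, non-elevated (medium integrity) prompt; a Notepad window exists, started with "Run as administrator" if you want to see the block; the helper type name Shatter.Native is arbitrary; and UI0Detect is the service name of Interactive Services Detection.

```powershell
# Added example (not from the article): verify the two shatter-attack
# mitigations on a modern Windows host. Run from a non-elevated prompt.
# Assumptions: type name Shatter.Native is arbitrary; a Notepad window
# (ideally elevated via "Run as administrator") is open; the Interactive
# Services Detection service is named UI0Detect.

Add-Type -Namespace Shatter -Name Native -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr SendMessageW(IntPtr hWnd, uint msg, IntPtr wParam, string lParam);
[DllImport("kernel32.dll")]
public static extern void SetLastError(uint dwErrCode);
'@

$WM_SETTEXT          = 0x000C   # primitive a shatter attack uses to place bytes in the target
$ERROR_ACCESS_DENIED = 5        # value UIPI leaves in GetLastError when it drops a message

function Get-InteractiveServiceExposure {
    # Services that still request desktop interaction (the legacy setup that
    # Interactive Services Detection existed to support), with the session
    # their process actually runs in. On Vista and later every service should
    # report Session 0 while the logged-in user sits in Session 1 or higher.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract -and $_.ProcessId -ne 0 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $_.Name
                Account   = $_.StartName
                ProcessId = $_.ProcessId
                SessionId = if ($proc) { $proc.SessionId } else { $null }
            }
        }
}

function Test-UipiBlocksMessage {
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [string]$Text = 'uipi-probe'
    )
    # Send WM_SETTEXT to the target's top-level window. A window procedure
    # returns TRUE (1) when it accepts the text. When UIPI drops the message
    # because the target has a higher integrity level than the caller,
    # SendMessage returns 0 and GetLastError reports ERROR_ACCESS_DENIED,
    # even though both processes belong to the same user account.
    $target = Get-Process -Name $ProcessName -ErrorAction Stop |
        Where-Object { $_.MainWindowHandle.ToInt64() -ne 0 } |
        Select-Object -First 1
    if (-not $target) { throw "no top-level window found for process '$ProcessName'" }

    [Shatter.Native]::SetLastError(0)   # clear stale error state before the probe
    $result = [Shatter.Native]::SendMessageW($target.MainWindowHandle, $WM_SETTEXT, [IntPtr]::Zero, $Text)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    [pscustomobject]@{
        Process   = $target.ProcessName
        ProcessId = $target.Id
        SessionId = $target.SessionId
        Delivered = ($result.ToInt64() -ne 0)
        Blocked   = ($result.ToInt64() -eq 0 -and $err -eq $ERROR_ACCESS_DENIED)
        LastError = $err
    }
}

# Usage: session layout first, then the UIPI probe against Notepad.
"This shell runs in session $((Get-Process -Id $PID).SessionId)"
Get-InteractiveServiceExposure | Format-Table -AutoSize
Test-UipiBlocksMessage -ProcessName notepad | Format-List

# Interactive Services Detection (UI0Detect) was removed in the Windows 10
# Creators Update, so on later builds this prints nothing.
Get-Service -Name UI0Detect -ErrorAction SilentlyContinue
```

Start one Notepad normally and one with `Start-Process notepad -Verb RunAs` to compare: the probe against the non-elevated window reports Delivered (its title changes to the probe text), while the elevated one reports Blocked with LastError 5. Any service listed by Get-InteractiveServiceExposure in a session other than 0, or any host where the probe is delivered to a higher-integrity window, is worth investigating, since it means the message-loop boundary the Vista changes introduced is not in effect there.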


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.
