Shatter after ImpersonateLoggedOnUser()?: RE: "shatter"
Fred.Reimer "at" Eclipsys.com
Wed Aug 21 17:05:05 2002
I think everyone is missing the point. It doesn't matter if VNC is the
application that one uses the shatter attack on or not. The point is that
VNC, or any remote access program as pointed out, effectively gives the same
ability of being physically present at the server. You can cut-and-paste
exploit code over the VNC session and use the shatter attack on ANOTHER
program, such as a virus detection program as documented in the shatter
Yes, it is important to fix any possibility of using the shatter attack on
VNC itself, but the real danger is using VNC as a method to use the shatter
attack on another program.
I'd suggest that another effort be started to provide strong authentication
for VNC. We have RSA Security ACE/Servers and I'm hoping to one day use the
included API to write SecurID authentication into VNC. It would certainly
give it a benefit over other access methods...
From: W. Brian Blevins [mailto:brian.blevins "at" tridia.com]
Sent: Wednesday, August 21, 2002 9:13 AM
To: vnc-list "at" realvnc.com; Tridia Developer List
Subject: Shatter after ImpersonateLoggedOnUser()?: RE: "shatter"
When properly configured, the WinVNC.exe process is notified via
MENU_SERVICEHELPER_MSG that a new user has logged in. This causes the
thread processing the windows messages for the trayicon and hidden
window to call vncService:ProcessUserHelperMessage(). Eventually,
this window message processing thread impersonates the user via
What I do not understand is how the same thread that is calling
ImpersonateLoggedOnUser() can be attacked through the shatter methods
to obtain LocalSystem access. If this is what is really happening,
then there would appear to be other problems in the Win32 security API
as well. Does anyone know how or why that thread would still be
vulnerable to a shatter attack after calling ImpersonateLoggedOnUser()?
> Message: 12
> From: "EXT-Bellers, Chris" <chris.bellers "at" boeing.com>
> To: "Scott C. Best" <sbest "at" best.com>, vnc-list "at" realvnc.com
> Cc: "EXT-Bellers, Chris" <chris.bellers "at" boeing.com>
> Subject: RE: "shatter" vulnerability
> Date: Thu, 15 Aug 2002 18:29:27 -0500
> Reply-To: vnc-list "at" realvnc.com
> Scott et al:
> Well, the problem with the shatter attack is that any interactive service
> running as LocalSystem that has user-interactive windows is problematic.
> MS's official policy on the issue is "don't make any interactive
> or make them interact with the user within a different security context,
> like the window you get when you hit Ctl-Alt-Delete on NT/2K/XP
> The scenario that I foresee is this:
> 1 Computer has VNC installed.
> 2 User has guest-level or otherwise restricted access to machine.
> 3 User logs in, and uses the attack to gain LocalSystem access via the problem
> with VNC.
> I consider this a VNC problem because the machine isn't vulnerable in this
> case without VNC installed.
> The vulnerability in the article is much like sprintf() is for UNIX and C.
> It's something that developers will need to be aware of, and they'll have to
> write around it, and not write programs that utilize privileged services
> that directly interact with the desktop.
> How that will ultimately affect the development of VNC or its derivatives, I
> do not know; IANAP, merely an IT grunt trying to keep my boxen as secure as
> I suspect that there will have to be a privilege separation effort to
> eliminate this problem, much as Symantec will have to separate how Norton
> functions at the service level. I don't know enough about win32 to offer
> speculation about how that will occur, though.
> Hope this helps clarify
> Chris Bellers 314.233.7181
> OSA System Administrator
> Phantom Works, Boeing
> PS FYI, I still plan on posting to Bugtraq and some of the other lists by
> 17:00 CDT 21 August 2002.
> -----Original Message-----
> From: Scott C. Best [mailto:sbest "at" best.com]
> Sent: Thursday, August 15, 2002 6:04 PM
> To: vnc-list "at" realvnc.com
> Cc: chris.bellers "at" boeing.com
> Subject: Re: "shatter" vulnerability
> Heya. While I agree that the 'shatter' attack is something
> every user should bring to Microsoft's attention (which I can see
> in your email headers that you did), at the same time I don't
> consider it a VNC problem. <duck>
> Shatter, as I understand it, goes after the Win32 API
> itself which just about *every* application piece of software on
> Windows uses. The example you point to in the tombom reference
> uses McAfee VirusScan if I recall. Anything that uses a WinAPI
> popup can be exploited to run arbitrary code at the privilege
> of that popup. Also, you need to have access to the machine. So
> a user *could* VNC into your machine running as guest and use this
> exploit to become administrator. But in my mind, VNC security
> "stops" at controlling who can become guest.
> Or perhaps I'm misunderstanding you: are you suggesting
> that there are Windows and message boxes that WinVNC uses that
> could be recoded to use custom popups, rather than WinAPI windows
> which can be attacked with malicious messaging? wxWindows perhaps?
> > I recently tested the current vnc release (v3.3.3 R9) against the win32
> > 'shatter' attacks recently referenced on many security mailing lists, and
> > found that I can indeed obtain LocalSystem privileges using the same
> > methods.
> > I'm sure that most of the readers of most security lists and the vnc
> > hold no illusions about the security provided by vnc, but this is
> > regrettably something that falls outside the bounds of the typical
> > cipher-strength and challenge problems.
> > I'll post to the usual security forums in a week unless otherwise
> > References:
> > http://security.tombom.co.uk/shatter.html
> > Thanks in advance
> > Sincerely,
> > Chris Bellers
> > OSA System Administrator
> > Phantom Works, Boeing
TridiaVNC Pro: finally, affordable remote control!
Tridia's Mission: To always exceed our customers' expectations by
the absolute best software products backed by outstanding technical
and customer service. Please let us know how we are doing:
brian . blevins @ tridia.com or ceo-hotline @ tridia.com.
TridiaVNC - http://www.tridiavnc.com/
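The class of software this thread keeps returning to is a service that runs as LocalSystem and puts windows on the interactive desktop. The following PowerShell check is an added example, not code from the thread, WinVNC or Tridia; it reads each service's Type value (where SERVICE_INTERACTIVE_PROCESS is the 0x100 bit) and ObjectName from the registry and lists the services configured exactly that way, so an administrator can see which ones on a box are exposed in the manner Chris Bellers describes.

```powershell
# Added example (not from the thread or any VNC project): enumerate services
# that are both Win32 services flagged "interact with desktop" and run as
# LocalSystem, i.e. the configuration the thread identifies as exposed to
# window-message ("shatter") attacks.
$InteractiveFlag = 0x100   # SERVICE_INTERACTIVE_PROCESS
$Win32Mask       = 0x30    # SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $root | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Skip drivers and keys without a Type value; only Win32 services have windows.
    if ($null -eq $props.Type -or (($props.Type -band $Win32Mask) -eq 0)) { return }

    $interactive = ($props.Type -band $InteractiveFlag) -ne 0
    # A Win32 service with no ObjectName runs as LocalSystem by default.
    $account  = if ($props.ObjectName) { $props.ObjectName } else { 'LocalSystem' }
    $isSystem = ($account -eq 'LocalSystem') -or ($account -eq 'NT AUTHORITY\SYSTEM')

    if ($interactive -and $isSystem) {
        [PSCustomObject]@{
            Service   = $_.PSChildName
            Account   = $account
            Type      = ('0x{0:X}' -f $props.Type)
            ImagePath = $props.ImagePath
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt so every service key is readable. On Windows Vista and later, session 0 isolation keeps interactive services off the user's desktop, so the flag mostly matters on the NT/2000/XP systems discussed here.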