Shatter attack

Shatter attack

In computing, a shatter attack is a programming technique employed by hackers on Microsoft Windows operating systems that can be used to bypass security restrictions between processes in a session. A shatter attack takes advantage of a design flaw in Windows's message-passing system whereby arbitrary code could be injected into any other running application or service in the same session, that makes use of a message loop. This could result in a privilege escalation exploit.


Shatter attacks became a topic of intense conversation in the security community in August 2002 after the publication of Chris Paget's paper titled, "Exploiting design flaws in the Win32 API for privilege escalation". The paper, which coined the term "shatter attack", explained the process by which an application could execute arbitrary code in another application. This could occur because Windows allows unprivileged applications to send messages to message loops of higher-privileged application - and some messages can have the address of a callback function in the application's address space as its parameter. If an attacker manages to put his own string into the memory of the higher-privileged application (say by pasting shellcode to an edit box or using VirtualAllocEx and WriteProcessMemory) at a known location, they could then send WM_TIMER messages with callback function parameters set to point to the attacker's string.

A few weeks after the publication of this paper, Microsoft responded, noting that: "The paper is correct that this situation exists, and it does correctly describe its effect. ... Where the paper errs is in claiming that this is a flaw in Windows. In reality, the flaw lies in the specific, highly privileged service. By design, all services within the interactive desktop are peers, and can levy requests upon each other. As a result, all services in the interactive desktop effectively have privileges commensurate with the most highly privileged service there."


In December 2002, Microsoft issued a patch for Windows NT 4.0, Windows 2000, and Windows XP that closed off some avenues of exploitation. This was only a partial solution, however, as the fix was limited to services included with Windows that could be exploited using this technique; the underlying design flaw still existed and could still be used to target other applications or third-party services. With Windows Vista, Microsoft aimed to solve the problem in two ways: First, local users no longer log in to Session 0, thus separating the message loop of a logged-in user's session from high-privilege system services, which are loaded into Session 0. Second, a new feature called "User Interface Privilege Isolation" (UIPI) was introduced, whereby processes can be further protected against shatter attacks by assigning an Integrity Level to each process.cite web | url = | title = PsExec, User Account Control and Security Boundaries | accessdate = 2007-10-08] Attempts to send messages to a process with a higher Integrity Level will fail, even if both processes are owned by the same user. However, not all interactions between processes at different Integrity Levels are prevented by UIPI. Internet Explorer 7, for example, uses the UIPI feature to limit the extent to which its rendering components interact with the rest of the system.

The way sessions are instantiated was redesigned in Windows Vista and Windows Server 2008 to additional protections against shatter attacks. Local user logins were moved from Session 0 to Session 1, thus separating the user's processes from system services that could be vulnerable.

This creates backward compatibility issues, however, as some software was designed with the assumption that the service is running in the same session as the logged-in user. To support this view, Windows Vista and Windows Server 2008 include a Windows service called "Interactive Services Detection" that enables access to dialogs created by interactive services when they appear. The interactive user is shown a dialog box and is offered the ability to switch to Session 0 to access the dialog box. [cite web
title=Services isolation in Session 0 of Windows Vista and Longhorn Server
date=February 23 2007
author=Cyril Voisin
work=Cyril Voisin (aka Voy) on security
publisher=MSDN Blogs

Also, services configured with the "interact with the desktop" privilege can still create popup dialogues, system notification icons, or other user interface elements for the interactive user. This circumvents the protections afforded by having the interactive user logged in to a separate session, so this practice is discouraged. Instead, a two-process design is recommended where a process is loaded into the user's session that interacts with the service process through inter-process communication. Additionally, when a privileged operation is required to be undertaken, an authenticated call is made that loads additional service code. Once that privileged code is finished doing what needs to be done, it is unloaded from memory so that it does not remain to be a possible target for later exploitation.


* cite web
title=Exploiting design flaws in the Win32 API for privilege escalation.
month=August | year=2002
* cite web
title=Information About Reported Architectural Flaw in Windows
month=September | year=2002
* cite web
title=Microsoft Security Bulletin MS02-071 – Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)
date=December 11 2002

* cite web
title=Larry Osterman's WebLog – Interacting with Services
date=September 14 2005
publisher=Larry Osterman

* cite web
title=Why Vista? Changes to services part 2 (Security, Stability, System Integrity)
date=August 05 2006
publisher=Ken Schaefer

Wikimedia Foundation. 2010.

Игры ⚽ Нужна курсовая?

Look at other dictionaries:

  • Shatter attack — «Подрывная атака» (англ. shatter attack)  программная технология, которая используется хакерами для обхода ограничений безопасности между процессами одного сеанса в операционной системе Microsoft Windows. Она опирается на недостаток… …   Википедия

  • Shatter (jeu vidéo) — Pour les articles homonymes, voir Shatter. Shatter Éditeur Sidhe …   Wikipédia en Français

  • User Interface Privilege Isolation — (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat code injection exploits. By leveraging Mandatory Integrity Control, it prevents processes with a lower integrity level (IL) from sending messages to higher IL… …   Wikipedia

  • Security and safety features new to Windows Vista — There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.Beginning in early 2002 with Microsoft s announcement of their Trustworthy Computing… …   Wikipedia

  • UIPI — User Interface Privilege Isolation User Interface Privilege Isolation (UIPI Isolation des privilèges de l IHM) est une technique de sécurité utilisée par Windows Vista et Windows Server 2008 pour se protéger contre les exploits d injection de… …   Wikipédia en Français

  • User Interface Privilege Isolation — (UIPI Isolation des privilèges de l IHM) est une technique de sécurité utilisée par Windows Vista et Windows Server 2008 pour se protéger contre les exploits d injection de code. UIPI évite qu un processus ayant un bas niveau de sécurité… …   Wikipédia en Français

  • Timeline of computer security hacker history — This is a timeline of computer security hacker history. Hacking and system cracking appeared with the first electronic computers. Below are some important events in the history of hacking and cracking.1970s1971* John T. Draper (later nicknamed… …   Wikipedia

  • Criticism of Microsoft Windows — Contents 1 Criticisms that apply to several or all versions of Windows 1.1 Clock management 1.2 Hiding of filen …   Wikipedia

  • HP Polaris (computer security) — Polaris is a Microsoft Windows system for running application software with limited authority.Configuring an application to run under Polaris is known as polarizing it. This creates a pet , an instance of the application which is isolated from… …   Wikipedia

  • Уязвимость (компьютерная безопасность) — У этого термина существуют и другие значения, см. уязвимость. В компьютерной безопасности, термин уязвимость (англ. vulnerability) используется для обозначения недостатка в системе, используя который, можно нарушить её целостность и вызвать… …   Википедия

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”