Shatter demonstration

Windows is an event-driven system, and the events are delivered as window messages. When a key is pressed, a message is sent to the current window stating that a key has been pressed. Any event (including timers) sends messages to applications to update them. This is not a problem on its own.

The problem is that under Windows, these messages are unauthenticated. Any application may send a message to any window (on the same desktop). This becomes a bigger security problem when one considers that applications with different privileges may be running on the same desktop.

Shatter attacks exploit this by sending messages to higher-privileged windows to do an attacker's bidding.
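To check whether a desktop has the mix of privileges described above, the following added example (not part of the original post or its linked code) lists processes that own a main window reachable from the current desktop but run under a different account than the logged-on user. It only sees visible main windows, and the variable names and output columns are choices made for this example.

```powershell
# Added example: audit the current desktop for windows owned by another account.
# Process.MainWindowHandle is non-zero only when .NET can find a visible
# top-level window for that process from the calling desktop.

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$findings = foreach ($proc in Get-Process) {
    if ($proc.MainWindowHandle -eq [IntPtr]::Zero) { continue }

    # Win32_Process.GetOwner works without elevation for our own processes
    # and fails for processes we are not allowed to open.
    $cim = Get-CimInstance -ClassName Win32_Process `
               -Filter "ProcessId = $($proc.Id)" -ErrorAction SilentlyContinue
    if (-not $cim) { continue }   # process exited between the two calls

    $o = Invoke-CimMethod -InputObject $cim -MethodName GetOwner `
             -ErrorAction SilentlyContinue

    # An unreadable owner is itself a signal: the window belongs to a
    # process that the current user is not permitted to query.
    $owner = if ($o -and $o.ReturnValue -eq 0) {
        '{0}\{1}' -f $o.Domain, $o.User
    } else {
        '<owner not readable>'
    }

    if ($owner -ne $me) {
        [pscustomobject]@{
            ProcessId   = $proc.Id
            Name        = $proc.ProcessName
            Owner       = $owner
            WindowTitle = $proc.MainWindowTitle
        }
    }
}

$findings | Sort-Object Owner, Name | Format-Table -AutoSize
```

Every row is a window that accepts messages from the logged-on user's applications while running as someone else, so each one is a candidate for moving off the interactive desktop or dropping its window entirely.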

By visiting:

http://www.sensepost.com/videostatic/shatter/messages

we see (using Microsoft's Spy++) the messages being sent to CALC while we push a few buttons.

We can demo this by simply fiddling with a regular GUI edit box. We write a simple application that sends a message to the PuTTY configuration window to edit the properties of the textbox. The program simply asks a user for input and adjusts PuTTY's textbox accordingly:

http://www.sensepost.com/videostatic/shatter/putty/

If you like, the code can be seen here:

http://www.sensepost.com/videostatic/shatter/code/

Now, if we can send controls to edit boxes, how about sending a more interesting control? EM_SETWORDBREAKPROC allows you to set a function that will be called when a textbox is double-clicked (to handle wrapping). This means that if we send that message, we have the ability to say: if someone clicks this edit box, run the function at that address.

Since we control the contents of the edit box (and its size), we can put code in there. So in total, we can put code somewhere, and then we can jump to that code. This is explained in the ugly slide here:

http://www.sensepost.com/videostatic/shatter/explain/

Of course, this all wraps together in the final bottom line: we see normal user deels elevate privs to SYSTEM using VNC.

http://www.sensepost.com/videostatic/shatter/vnc/
