Unprotected Windows Messaging Channel ('Shatter')

Draft Variant
Structure: Simple
Description

This vulnerability, often called a 'Shatter' attack, occurs when a Windows application running with high privileges accepts messages from the Windows messaging system without verifying their source. This allows a less-privileged or malicious application to send commands directly to the privileged application, potentially hijacking its functionality.

Extended Description

At its core, this flaw exploits the trust that elevated Windows applications place in the standard messaging system (SendMessage, PostMessage and related calls). Because these messages are not authenticated, any program, including one run by a standard user, can craft and send them. If the privileged application does not check which process sent a message, it executes the requested operation with its own elevated permissions, letting a low-privilege attacker perform actions that would otherwise be denied. To prevent this, developers must treat incoming Windows messages from untrusted sources with the same suspicion as network data: validate every message, for example by checking the sender's process ID, and move sensitive operations onto secure communication channels. Relying solely on User Interface Privilege Isolation (UIPI) on modern systems is not enough; the application's own message-handling routines must actively reject unauthorized cross-process requests.

Common Consequences
Scope: Access Control

Impact: Gain Privileges or Assume Identity; Bypass Protection Mechanism

Potential Mitigations
Phase: Architecture and Design
Always verify and authenticate the source of the message.
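The Extended Description and the mitigation above both come down to what the privileged window procedure does when a message arrives. The following portable C model is an added example, not code from this entry or from any of the products in the Observed Examples; it shows the handler-side checks a defender would put in place: dispatch only allowlisted message ids, never treat a message parameter as a code address, select callbacks by index into the window's own table, and accept a timer tick only when it echoes the token the window itself armed. The struct, message numbers, token scheme and action table are constructed for the example; they imitate the shape of Win32 MSG / uMsg / WM_TIMER for recognisability but call no Win32 API, so the file builds on any C compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Portable model of a privileged window's message handling. Nothing here
 * calls the Win32 API; names and numbers are constructed for the example. */
typedef struct {
    uint32_t  id;      /* which message (models uMsg)  */
    uintptr_t wparam;  /* models WPARAM                */
    uintptr_t lparam;  /* models LPARAM                */
} msg_t;

enum {
    MSG_TIMER        = 0x0113, /* numerically WM_TIMER: wParam = timer id, lParam = callback address */
    MSG_RUN_ACTION   = 0x0400, /* app-defined (WM_USER range): run action number wParam       */
    MSG_SET_CALLBACK = 0x0401  /* app-defined: "call this address later"; never accepted      */
};

typedef int (*action_fn)(void);

static int action_refresh(void) { return 1; }
static int action_save(void)    { return 2; }

/* The only code a message can cause this window to run. Senders pick an
 * entry by index; they never supply an address. */
static action_fn const g_actions[] = { action_refresh, action_save };
#define N_ACTIONS (sizeof g_actions / sizeof g_actions[0])

typedef enum {
    R_DROPPED_UNKNOWN,     /* message id is not one we handle          */
    R_DROPPED_POINTER,     /* message tried to hand us a code address  */
    R_DROPPED_UNSOLICITED, /* timer tick we never armed                */
    R_DROPPED_RANGE,       /* action index outside our table           */
    R_HANDLED
} result_t;

typedef struct {
    uintptr_t pending_timer;      /* token of the one timer we armed, 0 if none */
    int       last_action_result;
} window_t;

/* Privileged code arms a timer and remembers an unpredictable token that the
 * legitimate tick must echo back. A real program would draw the token from a
 * CSPRNG; the caller passes it in here so the example stays deterministic. */
void arm_timer(window_t *w, uintptr_t token) {
    w->pending_timer = token;
}

result_t handle_message(window_t *w, const msg_t *m) {
    switch (m->id) {
    case MSG_TIMER:
        /* Any process can post a timer tick and place an address in lparam.
         * Accept only the tick we asked for, consume the token so it cannot
         * be replayed, and never treat lparam as something to call. */
        if (w->pending_timer == 0 || m->wparam != w->pending_timer)
            return R_DROPPED_UNSOLICITED;
        w->pending_timer = 0;
        return R_HANDLED;  /* periodic work would go here; lparam is ignored */

    case MSG_SET_CALLBACK:
        /* A message whose purpose is to let the sender choose what gets
         * called later is refused unconditionally. */
        return R_DROPPED_POINTER;

    case MSG_RUN_ACTION:
        /* Bounds-check the index before touching the table. */
        if (m->wparam >= N_ACTIONS)
            return R_DROPPED_RANGE;
        w->last_action_result = g_actions[m->wparam]();
        return R_HANDLED;

    default:
        /* Allowlist: privileged work happens only in the cases above. A real
         * window procedure would hand everything else to default processing. */
        return R_DROPPED_UNKNOWN;
    }
}

int main(void) {
    window_t w = { 0, 0 };
    /* constructed inputs: an unsolicited tick carrying an address, a
     * "set callback" request, and a legitimate indexed action */
    msg_t forged = { MSG_TIMER, 0x1234, 0xdeadbeefu };
    msg_t setcb  = { MSG_SET_CALLBACK, 0, 0xdeadbeefu };
    msg_t run    = { MSG_RUN_ACTION, 1, 0 };
    printf("forged timer  -> %d\n", handle_message(&w, &forged));
    printf("set callback  -> %d\n", handle_message(&w, &setcb));
    result_t r = handle_message(&w, &run);
    printf("run action[1] -> %d (result %d)\n", r, w.last_action_result);
    return 0;
}
```

The token check is what turns an unsolicited tick into a dropped message: the window only ever acts on a timer it armed, and a second copy of the same tick is rejected because the token was consumed. Keeping callbacks behind an index rather than accepting a pointer removes the class of bug in CVE-2003-0350, where a message could overwrite a callback pointer.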
Observed Examples
CVE-2002-0971: Bypass GUI and access restricted dialog box.
CVE-2002-1230: Gain privileges via Windows message.
CVE-2003-0350: A control allows a change to a pointer for a callback function using Windows message.
CVE-2003-0908: Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access "open file" dialog.
CVE-2004-0213: Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.
CVE-2004-0207: User can call certain API functions to modify certain properties of privileged programs.
References
REF-402: Paget. "Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks - How to break Windows". August 2002.
REF-62: Mark Dowd, John McDonald, and Justin Schuh. "The Art of Software Security Assessment". Addison Wesley, 2006.
Applicable Platforms
Languages:
Not Language-Specific: Undetermined
Modes of Introduction
Architecture and Design
Affected Resources
  1. System Process
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
Relationship: Overlaps privilege errors and UI errors.
Research Gap: Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.