Due to a problem with isolating window broadcast messages in the Windows kernel,
an attacker can broadcast commands from a lower Integrity Level process to a
higher Integrity Level process, thereby effecting a privilege escalation. This
issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and
RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+#
does not work in Vista, so the attacker will have to check if the user is already
running a command prompt and set SPAWN_PROMPT false.
Three exploit techniques are available with this module. The WEB technique will
execute a powershell encoded payload from a Web location. The FILE technique
will drop an executable to the file system, set it to medium integrity and execute
it. The TYPE technique will attempt to execute a powershell encoded payload directly
from the command line, but may take some time to complete.
- Tavis Ormandy
- Axel Souchet
- Ben Campbell <email@example.com>