CWE-422: Unprotected Windows Messaging Channel ('Shatter')

Learn about CWE-422 (Unprotected Windows Messaging Channel ('Shatter')), its security impact, exploitation methods, and prevention guidelines.

What is Unprotected Windows Messaging Channel ('Shatter')?

• Overview: An Unprotected Windows Messaging Channel ('Shatter') vulnerability occurs when an application running with elevated privileges does not verify the source of the window messages it receives through the Windows messaging system. A lower-privileged process can then send messages that the application acts on with its higher privileges.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by sending crafted messages to the application from a lower-privileged process.
  • Common attack patterns include using the SendMessage or PostMessage functions to inject malicious input into the application's message queue.

• Security Impact:

  • Direct consequences include unauthorized execution of commands with elevated privileges.
  • Potential cascading effects include privilege escalation, loss of system integrity, and unauthorized access to sensitive data.
  • Business impact can be severe, potentially leading to data breaches, system downtime, and loss of customer trust.

• Prevention Guidelines:

  • Specific code-level fixes include verifying the sender of each message before acting on it and, where possible, replacing window messages with a communication mechanism that authenticates the peer.
  • Security best practices involve running the application with the least privileges necessary and isolating privileged operations from the user-interface process that receives messages.
  • Recommended mechanisms include User Interface Privilege Isolation (UIPI), which blocks most window messages sent from lower-integrity processes to higher-integrity windows, and Access Control Lists (ACLs) to restrict which processes can reach the message handler.

Corgea can automatically detect and fix Unprotected Windows Messaging Channel ('Shatter') in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

Python Example

import ctypes
import win32con

class COPYDATASTRUCT(ctypes.Structure):
    # Layout of the structure that lparam points to for WM_COPYDATA
    _fields_ = [("dwData", ctypes.c_size_t),   # ULONG_PTR
                ("cbData", ctypes.c_uint32),   # DWORD
                ("lpData", ctypes.c_void_p)]   # PVOID

def handle_message(hwnd, msg, wparam, lparam):
    if msg == win32con.WM_COPYDATA:
        # Directly processing messages without validation:
        # wparam (the sending window's handle) is never examined
        cds = COPYDATASTRUCT.from_address(lparam)
        # Process the data without verifying the sender
        data = ctypes.string_at(cds.lpData, cds.cbData)
        print("Data received: ", data)

  • Issue: The handle_message function acts on WM_COPYDATA messages without checking which window or process sent them. Any process able to post a message to the window can therefore feed data to the application, which processes it with its own, possibly elevated, privileges, potentially leading to unauthorized actions or data leaks.

How to fix Unprotected Windows Messaging Channel ('Shatter')?

Fixed Code Example

Python Example

import ctypes
import win32con

class COPYDATASTRUCT(ctypes.Structure):
    # Layout of the structure that lparam points to for WM_COPYDATA
    _fields_ = [("dwData", ctypes.c_size_t),   # ULONG_PTR
                ("cbData", ctypes.c_uint32),   # DWORD
                ("lpData", ctypes.c_void_p)]   # PVOID

def is_trusted_sender(sender_hwnd):
    # For WM_COPYDATA, wparam carries the handle of the sending window.
    # GetWindowThreadProcessId returns the thread ID and writes the
    # process ID through its second (output) argument.
    sender_pid = ctypes.c_ulong(0)
    ctypes.windll.user32.GetWindowThreadProcessId(sender_hwnd, ctypes.byref(sender_pid))
    # The sender chooses the HWND it places in wparam, so treat this check as
    # defense in depth alongside UIPI and least privilege, not as the only gate.
    return sender_pid.value in get_trusted_pids()

def handle_message(hwnd, msg, wparam, lparam):
    # Verify that the message comes from a trusted sender before touching the payload
    if msg == win32con.WM_COPYDATA and is_trusted_sender(wparam):
        cds = COPYDATASTRUCT.from_address(lparam)
        if cds.lpData is None:
            return
        # Safely process the verified data
        data = ctypes.string_at(cds.lpData, cds.cbData)
        print("Data received from trusted sender: ", data)

def get_trusted_pids():
    # Example function to return a list of trusted process IDs
    # In a real application, this list should be securely managed and updated
    return [1234, 5678]  # Example trusted process IDs

  • Fix Explanation: The is_trusted_sender() function is introduced to verify the sender of the message. It resolves the sending window handle carried in wparam to a process ID and accepts the message only if that process is trusted. This mitigates the risk of unauthorized message handling by ensuring only messages from trusted sources are processed.
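The complete validation path a receiver should apply to WM_COPYDATA, as an added example that is not code from the page or from Corgea: check the sender, then check the payload's tag, length and content before acting on it. The COPYDATASTRUCT layout and the WM_COPYDATA value are real; PROTOCOL_TAG, MAX_PAYLOAD, the accepted command set and the sender policy are constructed assumptions, and the trust check is passed in as a callback so the code runs outside Windows (on Windows it would resolve the sender HWND to a process and its integrity level).

```python
import ctypes

WM_COPYDATA = 0x004A        # message identifier, as defined by Windows
PROTOCOL_TAG = 0x43474541   # constructed: value a legitimate sender puts in dwData
MAX_PAYLOAD = 256           # constructed: upper bound on cbData this receiver accepts
ACCEPTED_COMMANDS = {b"STATUS", b"RELOAD"}  # constructed command vocabulary

class COPYDATASTRUCT(ctypes.Structure):
    # Layout of the structure that lparam points to for WM_COPYDATA
    _fields_ = [("dwData", ctypes.c_size_t),   # ULONG_PTR
                ("cbData", ctypes.c_uint32),   # DWORD
                ("lpData", ctypes.c_void_p)]   # PVOID

def handle_copydata(msg, wparam, lparam, sender_is_trusted):
    """Return the accepted command bytes, or None when the message is dropped.

    sender_is_trusted(hwnd) is the caller's policy for the sending window in
    wparam. The sender chooses that HWND, so the check is defense in depth;
    UIPI and least privilege remain the primary controls.
    """
    if msg != WM_COPYDATA or not sender_is_trusted(wparam):
        return None
    cds = COPYDATASTRUCT.from_address(lparam)
    # Reject payloads that do not carry our tag, point nowhere, or are oversized
    if cds.dwData != PROTOCOL_TAG or cds.lpData is None or cds.cbData > MAX_PAYLOAD:
        return None
    payload = ctypes.string_at(cds.lpData, cds.cbData)
    # Only the fixed vocabulary is acted on; everything else is dropped
    return payload if payload in ACCEPTED_COMMANDS else None

def build_copydata(payload, tag=PROTOCOL_TAG):
    """Construct a COPYDATASTRUCT in local memory to stand in for a sender.

    Returns (lparam, keepalive); keepalive must outlive the handler call so
    the buffers are not freed while lparam still points at them.
    """
    buf = ctypes.create_string_buffer(payload, len(payload))
    cds = COPYDATASTRUCT(tag, len(payload), ctypes.addressof(buf))
    return ctypes.addressof(cds), (cds, buf)

if __name__ == "__main__":
    trusted = lambda hwnd: hwnd == 0x1000   # constructed policy: one known sender window
    lp, keep = build_copydata(b"RELOAD")
    print(handle_copydata(WM_COPYDATA, 0x1000, lp, trusted))  # b'RELOAD'
    print(handle_copydata(WM_COPYDATA, 0x2000, lp, trusted))  # None: untrusted sender
```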