Unprotected Windows Messaging Channel ('Shatter')
Weakness ID: 422 (Weakness Variant)
Status: Draft
+ Description

Description Summary

The software does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Observed Examples
Reference | Description
CVE-2002-0971 | Bypass GUI and access restricted dialog box.
CVE-2002-1230 | Gain privileges via Windows message.
CVE-2003-0350 | A control allows a change to a pointer for a callback function using Windows message.
CVE-2003-0908 | Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access "open file" dialog.
CVE-2004-0213 | Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.
CVE-2004-0207 | User can call certain API functions to modify certain properties of privileged programs.
+ Potential Mitigations

Always verify and authenticate the source of the message.

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Base | 360 | Trust of System Event Data | Research Concepts 1000
ChildOf | Weakness Base | 420 | Unprotected Alternate Channel | Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary) 631
+ Relationship Notes

Overlaps privilege errors and UI errors.

+ Research Gaps

Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such.

Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.

+ Affected Resources
  • System Process
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER |  |  | Unprotected Windows Messaging Channel ('Shatter')
+ References
Paget. "Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks - How to break Windows". August, 2002. <http://web.archive.org/web/20060115174629/http://security.tombom.co.uk/shatter.html>.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
 | PLOVER |  | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
  updated Potential Mitigations, Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Relationships, Other Notes, Taxonomy Mappings
2008-10-14 | CWE Content Team | MITRE | Internal
  updated Other Notes, Relationship Notes, Research Gaps