Shatter attack
title: "Shatter attack" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["windows-administration", "computer-security-exploits"] topic_path: "technology/operating-systems" source: "https://en.wikipedia.org/wiki/Shatter_attack" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0
In computing, a shatter attack is a programming technique employed by hackers on Microsoft Windows operating systems to bypass security restrictions between processes in a session. A shatter attack takes advantage of a design flaw in Windows's message-passing system whereby arbitrary code could be injected into any other running application or service in the same session that makes use of a message loop. This could result in a privilege escalation exploit.{{cite web | url=http://www.thehackademy.net/madchat/vxdevl/papers/winsys/shatter.html | title=Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks - How to break Windows. | access-date=2011-12-29 | archive-date=2013-01-10 | archive-url=https://web.archive.org/web/20130110041803/http://www.thehackademy.net/madchat/vxdevl/papers/winsys/shatter.html | url-status=dead}}
Overview
Shatter attacks became a topic of intense conversation in the security community in August 2002 after the publication of Chris Paget's paper "Exploiting design flaws in the Win32 API for privilege escalation".{{cite web |url=http://security.tombom.co.uk/shatter.html |title=Exploiting design flaws in the Win32 API for privilege escalation. |author=Chris Paget |date=August 2002 |archive-url=https://web.archive.org/web/20060904080018/http://security.tombom.co.uk/shatter.html |archive-date=2006-09-04}} The paper, which coined the term "shatter attack", explained the process by which an application could execute arbitrary code in another application. This could occur because Windows allows unprivileged applications to send messages to the message loops of higher-privileged applications, and some messages take the address of a callback function in the receiving application's address space as a parameter. If an attacker manages to put their own string into the memory of the higher-privileged application (say, by pasting shellcode into an edit box) at a known location, they could then send WM_TIMER messages whose callback function parameter points to the attacker's string.
A few weeks after the publication of this paper, Microsoft responded, noting that: "The paper is correct that this situation exists, and it does correctly describe its effect. ... Where the paper errs is in claiming that this is a flaw in Windows. In reality, the flaw lies in the specific, highly privileged service. By design, all services within the interactive desktop are peers, and can levy requests upon each other. As a result, all services in the interactive desktop effectively have privileges commensurate with the most highly privileged service there."{{cite web |url=http://www.microsoft.com/technet/archive/security/news/htshat.mspx?mfr=true |title=Information About Reported Architectural Flaw in Windows |date=September 2002 |work=TechNet |publisher=Microsoft}}
Solutions
In December 2002, Microsoft issued a patch for Windows NT 4.0, Windows 2000, and Windows XP that closed off some avenues of exploitation.{{cite web |url=http://www.microsoft.com/technet/security/bulletin/MS02-071.mspx |title=Microsoft Security Bulletin MS02-071 – Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310) |date=December 11, 2002 |access-date=2006-07-18 |publisher=Microsoft}}{{cite web | url=http://www.hpl.hp.com/techreports/2005/HPL-2005-87.pdf | title=Shatter-proofing Windows | access-date=2011-12-29}}
The way sessions are instantiated was redesigned in Windows Vista and Windows Server 2008 to provide additional protection against shatter attacks. Local user logins were moved from Session 0 to Session 1, thus separating the user's processes from system services that could be vulnerable.{{cite web |url=http://blogs.msdn.com/larryosterman/archive/2005/09/14/466175.aspx |title=Larry Osterman's WebLog – Interacting with Services |date=September 14, 2005 |access-date=2007-04-03 |publisher=Larry Osterman}}{{cite web |url=http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/05/Why-Vista_3F00_-Changes-to-services-part-2-2800_Security_2C00-Stability_2C00_-System-Integrity_2900_.aspx |title=Why Vista? Changes to services part 2 (Security, Stability, System Integrity) |date=August 5, 2006 |publisher=Ken Schaefer |access-date=February 18, 2008 |archive-date=August 18, 2007 |archive-url=https://web.archive.org/web/20070818122917/http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/05/Why-Vista_3F00_-Changes-to-services-part-2-2800_Security_2C00-Stability_2C00_-System-Integrity_2900_.aspx |url-status=dead}}
::figure[src="https://upload.wikimedia.org/wikipedia/commons/3/3c/Windows_Server_2008_-_Interactive_services_dialog.png" caption="The Interactive Services Detection service in Windows Server 2008."] ::
This creates backward compatibility issues, however, as some software was designed with the assumption that the service is running in the same session as the logged-in user. To accommodate such software, Windows Vista and Windows Server 2008 introduced a Windows service called "Interactive Services Detection" that enables access to dialogs created by interactive services when they appear. The interactive user is shown a dialog box and is offered the ability to switch to Session 0 to access the dialog box.{{cite web | url=http://blogs.technet.com/voy/archive/2007/02/23/services-isolation-in-session-0-of-windows-vista-and-longhorn-server.aspx | title=Services isolation in Session 0 of Windows Vista and Longhorn Server | date=February 23, 2007 | access-date=2008-04-23 | author=Cyril Voisin | work=Cyril Voisin (aka Voy) on security | publisher=MSDN Blogs}}{{cite web | url=https://support.microsoft.com/en-us/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update | title=Features that are removed or deprecated in Windows 10 Creators Update | date=11 March 2024 | publisher=Microsoft}}
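As an added example (not part of the Wikipedia article), the following PowerShell audit reports the legacy configuration that shatter attacks depended on: services flagged `SERVICE_INTERACTIVE_PROCESS` (bit `0x100` in the service `Type` value), which are the ones that place windows on the interactive desktop, and whether the host still permits interactive services via the `NoInteractiveServices` registry value. The function names are this example's own; the registry paths and the flag value are standard Windows service configuration.

```powershell
# Added example: audit a Windows host for services that interact with the
# desktop and for the NoInteractiveServices setting (defender-side check).

$ServiceInteractiveFlag = 0x100   # SERVICE_INTERACTIVE_PROCESS bit in the Type DWORD

function Get-InteractiveServices {
    # Read each service's raw Type bitmask from the registry so the interactive
    # flag can be tested directly, independent of how CIM renders ServiceType.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $type  = $props.Type
            if ($null -ne $type -and (($type -band $ServiceInteractiveFlag) -ne 0)) {
                $svc = Get-Service -Name $_.PSChildName -ErrorAction SilentlyContinue
                [PSCustomObject]@{
                    Name      = $_.PSChildName
                    TypeHex   = ('0x{0:X}' -f $type)
                    Status    = $(if ($svc) { $svc.Status } else { 'Unknown' })
                    ImagePath = $props.ImagePath
                }
            }
        }
}

function Get-NoInteractiveServicesState {
    # Windows Vista and later consult this value; 1 prevents interactive services
    # from showing UI on the desktop, 0 allows the legacy behaviour (via the
    # Interactive Services Detection prompt where that service still exists).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $value = (Get-ItemProperty -Path $key -Name NoInteractiveServices -ErrorAction SilentlyContinue).NoInteractiveServices
    if ($null -eq $value) { return 'NotSet' }
    if ($value -ne 0)     { return 'Blocked' }
    return 'Allowed'
}

switch (Get-NoInteractiveServicesState) {
    'Blocked' { Write-Host 'NoInteractiveServices = 1: interactive services cannot display UI.' }
    'Allowed' { Write-Warning 'NoInteractiveServices = 0: interactive services may still reach the desktop.' }
    default   { Write-Warning 'NoInteractiveServices is not set; behaviour depends on the Windows version.' }
}

$interactive = @(Get-InteractiveServices)
if ($interactive.Count -eq 0) {
    Write-Host 'No services are flagged SERVICE_INTERACTIVE_PROCESS.'
} else {
    Write-Warning ('{0} service(s) are configured to interact with the desktop:' -f $interactive.Count)
    $interactive | Format-Table -AutoSize
}
```

Any service listed is a candidate for reconfiguration so that it no longer interacts with the desktop, or for review of the message handlers in its UI.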
References
::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::