Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-422: Unprotected Windows Messaging Channel ('Shatter')

Weakness ID: 422
Abstraction: Variant
Status: Draft
Presentation Filter:
+ Description

Description Summary

The software does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms



+ Common Consequences
Access Control

Technical Impact: Gain privileges / assume identity; Bypass protection mechanism

+ Observed Examples
Bypass GUI and access restricted dialog box.
Gain privileges via Windows message.
A control allows a change to a pointer for a callback function using Windows message.
Product launches Help functionality while running with raised privileges, allowing command execution using Windows message to access "open file" dialog.
Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.
User can call certain API functions to modify certain properties of privileged programs.
+ Potential Mitigations

Phase: Architecture and Design

Always verify and authenticate the source of the message.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base360Trust of System Event Data
Research Concepts1000
ChildOfWeakness BaseWeakness Base420Unprotected Alternate Channel
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory634Weaknesses that Affect System Processes
Resource-specific Weaknesses (primary)631
ChildOfCategoryCategory953SFP Secondary Cluster: Missing Endpoint Authentication
Software Fault Pattern (SFP) Clusters (primary)888
+ Relationship Notes

Overlaps privilege errors and UI errors.

+ Research Gaps

Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such.

Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.

+ Affected Resources
  • System Process
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERUnprotected Windows Messaging Channel ('Shatter')
Software Fault PatternsSFP30Missing endpoint authentication
+ References
Paget. "Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks - How to break Windows". August, 2002. <>.
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 2, "Design Review." Page 34.. 1st Edition. Addison Wesley. 2006.
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 12, "Shatter Attacks", Page 694.. 1st Edition. Addison Wesley. 2006.
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes, Taxonomy_Mappings
2008-10-14CWE Content TeamMITREInternal
updated Other_Notes, Relationship_Notes, Research_Gaps
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated References, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017