CVE-2002-1230

Windows 2000 - Local Privilege Escalation via WM_TIMER Message Handling

Exploitation Summary

EIP tracks 10 public exploits for CVE-2002-1230. PoCs published by Serus, anonymous, Ovidio Mallo.

AI-analyzed exploit summary

This exploit leverages the Winlogon NetDDE Agent vulnerability (CVE-2002-1230) to achieve local privilege escalation by sending a WM_COPYDATA message with shellcode and triggering execution via a WM_TIMER message. It targets Windows 2000 and XP by brute-forcing memory addresses to locate the injected shellcode.

Description

NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation."

Exploits (10)

exploitdb · WORKING POC · VERIFIED
by Serus · c · local · windows
https://www.exploit-db.com/exploits/21923

This exploit leverages the Winlogon NetDDE Agent vulnerability (CVE-2002-1230) to achieve local privilege escalation by sending a WM_COPYDATA message with shellcode and triggering execution via a WM_TIMER message. It targets Windows 2000 and XP by brute-forcing memory addresses to locate the injected shellcode.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Microsoft Windows 2000, Windows XP
No auth needed
Prerequisites: Local access to the target system · NetDDE Agent running
Analyzed by devstral-2 on Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by Serus · c · local · windows
https://www.exploit-db.com/exploits/21922

This exploit leverages the Winlogon NetDDE Agent vulnerability (CVE-2002-1230) to achieve local privilege escalation on Windows 2000 by sending a WM_COPYDATA message with shellcode and triggering execution via a WM_TIMER message.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000
No auth needed
Prerequisites: Local access to a vulnerable Windows 2000 system · NetDDE Agent running
Analyzed by devstral-2 on Feb 18, 2026
exploitdb · WRITEUP · VERIFIED
by anonymous · text · local · windows
https://www.exploit-db.com/exploits/21691

This is a technical writeup describing a design flaw in the Win32 API related to inter-window message passing, which can be exploited for local privilege escalation (LPE) by targeting windows of higher-privileged processes. It references multiple papers and proofs-of-concept, including Shatter attacks and specific Windows messages like WM_TIMER and WM_SETTEXT.

Classification: Writeup (90%)
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Win32 API (Windows-based applications)
No auth needed
Prerequisites: Local access to the target system · Presence of a higher-privileged window (e.g., antivirus software running as LocalSystem)
Analyzed by devstral-2 on Feb 18, 2026
exploitdb · WRITEUP · VERIFIED
by Ovidio Mallo · text · local · windows
https://www.exploit-db.com/exploits/21690

The document describes a Win32 API design flaw related to inter-window message passing, which can be exploited for local privilege escalation (LPE) by targeting windows of higher-privileged processes. It references multiple papers and proofs-of-concept, including Shatter attacks and specific Windows messages like WM_TIMER and WM_SETTEXT.

Classification: Writeup (90%)
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Win32-based applications (e.g., antivirus software)
No auth needed
Prerequisites: Local access to the target system · Presence of a higher-privileged window
Analyzed by devstral-2 on Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by Brett Moore · c · local · windows
https://www.exploit-db.com/exploits/21689

This exploit demonstrates a Shatter attack against Win32 applications with listview controls, leveraging inter-window message passing to inject shellcode and overwrite a critical memory address (SEH handler). It targets local privilege escalation by manipulating window messages like LVM_SETCOLUMNWIDTH and HDM_GETITEMRECT.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Win32 applications with listview controls (e.g., Explorer, IE, file open dialogs)
No auth needed
Prerequisites: Local access to the target system · Presence of a vulnerable window with higher privileges
Analyzed by devstral-2 on Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by Oliver Lavery · c · local · windows
https://www.exploit-db.com/exploits/21688

This exploit demonstrates a Shatter attack against Windows applications with tab controls, specifically targeting McAfee A/V products. It injects shellcode into a known memory location and overwrites a critical address to achieve local privilege escalation.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: McAfee A/V products (or any Win32 application with a tab control)
No auth needed
Prerequisites: Local access to the target system · Presence of a vulnerable application with a tab control
Analyzed by devstral-2 on Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by Brett Moore · c · local · windows
https://www.exploit-db.com/exploits/21687

This exploit demonstrates a Shatter attack against Windows applications using progress bar controls. It injects shellcode into a known memory location and overwrites a critical address to achieve local privilege escalation.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows applications with progress bar controls
No auth needed
Prerequisites: Local access to the system · Presence of a vulnerable application with a progress bar control
Analyzed by devstral-2 on Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by Brett Moore · c · local · windows
https://www.exploit-db.com/exploits/21686

This exploit demonstrates a Shatter attack against Windows applications using status bar controls. It brute-forces heap addresses, injects shellcode, and overwrites SEH to achieve local privilege escalation.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows applications with status bar controls (e.g., antivirus software)
No auth needed
Prerequisites: Local access to the target system · Presence of a vulnerable window with higher privileges
Analyzed by devstral-2 on Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by Oliver Lavery · c · local · windows
https://www.exploit-db.com/exploits/21685

This exploit demonstrates a Shatter attack against Windows applications using the CommCtrl 6.0 Button control. It injects shellcode into a known memory location and overwrites a critical address to achieve local privilege escalation.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows applications using CommCtrl 6.0 Button controls
No auth needed
Prerequisites: Local access to the target system · Presence of a vulnerable window with higher privileges
Analyzed by devstral-2 on Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by sectroyer · c · local · windows
https://www.exploit-db.com/exploits/21684

This exploit leverages the Win32 message passing vulnerability (CVE-2002-1230) to achieve local privilege escalation by targeting the Utility Manager window. It uses messages such as LVM_SORTITEMS and HDM_GETITEMRECT to overwrite the SEH handler and execute shellcode.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 2000 (Utility Manager)
No auth needed
Prerequisites: Local access to the target system · Utility Manager window must be present
Analyzed by devstral-2 on Feb 18, 2026

References (7)

Core References
Third Party Advisory, US Government Resource (CIAC)
http://www.ciac.org/ciac/bulletins/n-027.shtml
Third Party Advisory, VDB Entry (BID)
http://www.securityfocus.com/bid/5927
Various Sources (misc)
http://getad.chat.ru/
Third Party Advisory, VDB Entry, Signature (OVAL)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A681
Vendor Advisory, VDB Entry (X-Force)
http://www.iss.net/security_center/static/10343.php

Scores

EPSS 0.0232
EPSS Percentile 81.3%

Details

Status published
Products (2)
microsoft/windows_2000 (4 CPE variants)
microsoft/windows_2000_terminal_services (4 CPE variants)
Published Nov 04, 2002
Tracked Since Feb 18, 2026