Microsoft Windows 2000 / NT 4.0 Process Handling Local Privilege Escalation Vulnerability
Published: 2002-03-19
Updated: 2002-03-19
Severity: High
Threat level: Local administrator privileges
Error type: Design error
Exploitation method: Server mode
BUGTRAQ ID: 4287
Affected systems
Microsoft Windows 2000 Advanced Server 0.0SP2
Microsoft Windows 2000 Advanced Server 0.0SP1
Microsoft Windows 2000 Advanced Server 0.0
Microsoft Windows 2000 Datacenter Server 0.0SP2
Microsoft Windows 2000 Datacenter Server 0.0SP1
Microsoft Windows 2000 Datacenter Server 0.0
Microsoft Windows 2000 Professional 0.0SP2
Microsoft Windows 2000 Professional 0.0SP1
Microsoft Windows 2000 Professional 0.0
Microsoft Windows 2000 Server 0.0SP2
Microsoft Windows 2000 Server 0.0SP1
Microsoft Windows 2000 Server 0.0
Microsoft Windows 2000 Terminal Services 0.0SP2
Microsoft Windows 2000 Terminal Services 0.0SP1
Microsoft Windows 2000 Terminal Services 0.0
Microsoft Windows NT Enterprise Server 4.0SP6a
Microsoft Windows NT Enterprise Server 4.0SP6
Microsoft Windows NT Enterprise Server 4.0SP5
Microsoft Windows NT Enterprise Server 4.0SP4
Microsoft Windows NT Enterprise Server 4.0SP3
Microsoft Windows NT Enterprise Server 4.0SP2
Microsoft Windows NT Enterprise Server 4.0SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT Server 4.0SP6a
Microsoft Windows NT Server 4.0SP6
Microsoft Windows NT Server 4.0SP5
Microsoft Windows NT Server 4.0SP4
Microsoft Windows NT Server 4.0SP3
Microsoft Windows NT Server 4.0SP2
Microsoft Windows NT Server 4.0SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Terminal Server 4.0SP6a
Microsoft Windows NT Terminal Server 4.0SP6
Microsoft Windows NT Terminal Server 4.0SP5
Microsoft Windows NT Terminal Server 4.0SP4
Microsoft Windows NT Terminal Server 4.0SP3
Microsoft Windows NT Terminal Server 4.0SP2
Microsoft Windows NT Terminal Server 4.0SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Workstation 4.0SP6a
Microsoft Windows NT Workstation 4.0SP6
Microsoft Windows NT Workstation 4.0SP5
Microsoft Windows NT Workstation 4.0SP4
Microsoft Windows NT Workstation 4.0SP3
Microsoft Windows NT Workstation 4.0SP2
Microsoft Windows NT Workstation 4.0SP1
Microsoft Windows NT Workstation 4.0

Detailed description
A vulnerability in Microsoft Windows 2000 and NT 4.0 allows a local user to escalate privileges on the host and obtain SYSTEM-level rights.
The debugging subsystem is available to any user and can be used to obtain a duplicate handle to a privileged process. An application running with the rights of the currently logged-on user can thereby execute arbitrary code with the rights of the process whose handle it obtained.
A duplicate of any process handle or thread handle can be requested from the debugging subsystem (smss.exe) as follows:
1) Call DbgUiConnectToDbg() to become a client of the debugging subsystem.
2) Call ZwConnectPort() to connect to the DbgSsApiPort LPC port, which any user is allowed to access.
3) Call ZwRequestPort() to ask the debugging subsystem to process the CreateProcess SsApi, passing as the parameter the PID or TID to be duplicated.
4) Call WaitForDebugEvent() to wait for the debugging subsystem to respond with CREATE_PROCESS_DEBUG_EVENT; the returned message contains a duplicate of the requested PID or TID handle.
Test code
Radim "EliCZ" Picha provided the following test program:
http://online.securityfocus.com/data/vulnerabilities/exploits/DebPloit.zip

Solution
A binary patch is provided by Radim "EliCZ" Picha:
http://downloads.securityfocus.com/vulnerabilities/exploits/DebPloit.zip

Related information
Radim "EliCZ" Picha <Bugs@EliCZ.cjb.net>
References:
http://www.anticracking.sk/EliCZ/
http://online.securityfocus.com/archive/1/262074