CVE-1999-1084
CVSS 4.6
Published: 1999-12-31 00:00:00
Last modified: 2016-10-17 22:01:09

[Original] The "AEDebug" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash.


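[CNNVD] Microsoft Windows AEDEBUG Registry Key Vulnerability (CNNVD-199912-162)

        The "AEDebug" registry key is installed with insecure permissions. This vulnerability lets local users modify the key to specify a Trojan horse debugger, which is executed automatically when the system crashes.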

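- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]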

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_nt:4.0::workstation

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1084
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1084
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-162
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=ntbugtraq&m=90222453431604&w=2
(UNKNOWN)  NTBUGTRAQ  19980622 Yet another "get yourself admin rights exploit":
http://support.microsoft.com/support/kb/articles/q103/8/61.asp
(VENDOR_ADVISORY)  MSKB  Q103861
http://www.ciac.org/ciac/bulletins/k-029.shtml
(VENDOR_ADVISORY)  CIAC  K-029
http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
(VENDOR_ADVISORY)  MS  MS00-008
http://www.securityfocus.com/bid/1044
(VENDOR_ADVISORY)  BID  1044

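- Vulnerability information

Microsoft Windows AEDEBUG Registry Key Vulnerability
Medium severity  Unknown
1999-12-31 00:00:00 2006-04-19 00:00:00
Remote ※ Local
        The "AEDebug" registry key is installed with insecure permissions. This vulnerability lets local users modify the key to specify a Trojan horse debugger, which is executed automatically when the system crashes.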

- Advisories and patches

        Microsoft has released a hotfix for this issue, available at:
        Intel:
        http://www.microsoft.com/downloads/release.asp?ReleaseID=19172
        Alpha:
        http://www.microsoft.com/downloads/release.asp?ReleaseID=19173
        Microsoft Windows NT 4.0
        
        Microsoft Windows NT 4.0 alpha
        

- Vulnerability information (19798)

Microsoft Windows NT 4.0 User Shell Folders Vulnerability (EDBID:19798)
windows local
2000-03-09 Verified
0 Anonymous
source: http://www.securityfocus.com/bid/1042/info


The registry value 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup 

specifies the shared startup folder for all users on a system. This key is set to be writeable by any authenticated user. Therefore, any user could specify a folder with a shortcut to a program of their choice that will be run any time a user logs in, at the privilege level of that user.

Example: 

On a Domain Controller, a batch file containing the following commands:
--
net user attacker /add /domain
net group administrators attacker /add /domain
--
could be put into the folder c:\hackstartup.
Then the registry value 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup 
could be set to the string "c:\hackstartup".
The next time an administrator logs on to that machine, the 'attacker' account will be created and added to the Administrators group on the PDC of the domain.

- Vulnerability information

6790
Microsoft Windows NT AEDebug Registry Key Weak Permissions
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified, Third-party Verified

- Vulnerability description

- Timeline

1998-06-22 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Windows AEDEBUG Registry Key Vulnerability
Unknown 1044
Yes Yes
1998-06-22 12:00:00 2009-07-11 01:56:00
Originally posted to NTbugtraq on June 22, 1998 by David LeBlanc <dleblanc@ISS.NET>.

- Affected software versions

Microsoft Windows NT 4.0 alpha
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0

- Discussion

The default permissions on some installations of Windows NT allow members of the 'Everyone' group to write to the value that controls which debugger is executed in the event of a system crash.

The registry value in question is:
\HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

Also, there is a value that controls whether any prompt is issued to the user before the selected debugger is executed:

\HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\auto

Therefore, an attacker could specify code to run in the event of a process crash. Note that the code must already be on the target machine.
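
A read-only audit for the two registry locations described on this page (the AeDebug key here and the User Shell Folders key in entry 19798), added as an example and not taken from any of the advisories. The list of "broad" SIDs and the rule that only administrative principals should hold write access are assumptions of this example.

```powershell
# Added audit example, read-only. Key paths and value names are those quoted above.
$targets = @(
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
       Values = 'Debugger', 'Auto' },
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
       Values = @('Common Startup') }
)

# Assumption: these well-known SIDs count as "broad" principals that should not
# hold write access: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# Rights that let a principal change a value or take over the key, plus the
# unmapped GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$rights      = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask   = [int]$rights -bor 0x40000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path)) {
        Write-Output "MISSING   $($t.Path)"
        continue
    }

    # Ask for SIDs instead of account names so the match works on any OS language.
    $acl   = Get-Acl -LiteralPath $t.Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # Keep Allow entries that apply to this key itself and grant a write-class right.
    $weak = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadSids -contains $_.IdentityReference.Value -and
        ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 -and
        ([int]$_.RegistryRights -band $writeMask) -ne 0
    })

    if ($weak.Count -eq 0) { Write-Output "OK        $($t.Path)" }
    foreach ($r in $weak) {
        Write-Output "WEAK ACL  $($t.Path)  sid=$($r.IdentityReference.Value)  rights=$($r.RegistryRights)"
    }

    # Show the current values so an unexpected debugger or startup folder stands out.
    foreach ($name in $t.Values) {
        $item = Get-ItemProperty -LiteralPath $t.Path -Name $name -ErrorAction SilentlyContinue
        $data = if ($item) { $item.$name } else { '<not set>' }
        Write-Output "          $name = $data"
    }
}
```

A `WEAK ACL` line means a non-administrative principal can change the value that selects the crash debugger or the shared startup folder; the value dump shows what is currently configured there.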

- Exploit

see discussion

- Solution

Microsoft has released a hotfix for this issue, available at:
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=19172
Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=19173


Microsoft Windows NT 4.0

Microsoft Windows NT 4.0 alpha

- Related references