CVE-2000-0155
CVSS 7.2
Published: 2000-02-18 00:00:00
Last revised: 2008-09-10 00:00:00

[Original] Windows NT Autorun executes the autorun.inf file on non-removable media, which allows local attackers to specify an alternate program to execute when other users access a drive.


[CNNVD] Microsoft Windows autorun.inf vulnerability (CNNVD-200002-055)

Windows NT Autorun executes the autorun.inf file on non-removable media. A local user can exploit this to specify an alternate program that runs when other users access the drive.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can lead to complete system shutdown]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CWE (weakness category)

CWE-94 [Improper Control of Generation of Code ('Code Injection')]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_95          Microsoft Windows 95
cpe:/o:microsoft:windows_98::gold    Microsoft Windows 98 Gold
cpe:/o:microsoft:windows_nt:4.0      Microsoft Windows NT 4.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0155
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0155
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200002-055
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/993
(VENDOR_ADVISORY) BID 993
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=000701bf79cd$fdb5a620$4c4342a6@mightye.org
(UNKNOWN) BUGTRAQ 20000218 AUTORUN.INF Vulnerability

- Vulnerability information

Microsoft Windows autorun.inf vulnerability
High risk  Configuration error
2000-02-18 00:00:00  2005-10-20 00:00:00
Local
Windows NT Autorun executes the autorun.inf file on non-removable media. A local user can exploit this to specify an alternate program that runs when other users access the drive.

- Advisories and patches

There are two registry settings that control which drives can be recognized by the Autorun feature, both located in:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoDriveTypeAutoRun
This value specifies drive types that will be checked for Autorun.inf files.
Each bit of the first byte of the value corresponds to a drive type, and a value of 1 disables Autorun for that drive type. Starting with bit 0, the types are: Unknown, No_Root_Dir, Removable, Fixed, Remote, CDROM, Ramdisk. The last bit is reserved for future drive types. For example, a setting of 0xDF (11011111) will enable Autorun on CDROMs only.

NoDriveAutoRun
This value specifies which drives, by drive letter, will have Autorun enabled or disabled. The first bit is drive A:, second is B: and so on. Once again, 0 enables and 1 disables. For example, a setting of 0xFFFFFFF7 (11111111111111111111111111110111) will enable Autorun for drive D: only.

- Vulnerability information (19754)

Microsoft Windows 95/98/NT 4.0 autorun.inf Vulnerability (EDBID:19754)
windows local
2000-02-18 Verified
0 Eric Stevens
N/A
source: http://www.securityfocus.com/bid/993/info

The Windows Autorun feature was designed to allow an executable and an icon to be specified for any piece of removable media. Upon insertion, the icon would be displayed for the drive, and the executable would automatically run. This feature also applies to fixed and networked drives however, making it much easier to abuse. Any user with write access to the root of a logical drive can install an executable and specify it in an autorun.inf file. Anytime that drive is accessed later, the code will run with the privileges of the currently logged in user. This could be used in privilege escalation attacks. 

As a test, make an autorun.inf file in C:\ with the following contents:
[autorun]
open=<path>notepad.exe

If your system is vulnerable, 'opening' C: should result in Notepad starting up. Also, if you right-click on C: you should see the Autoplay option in the drop-down menu.

The following exploit has been provided by Nelson Brito <nelson@secunet.com.br>:

Step by Step:

1 - find an admin's mount point (a.k.a. home directory);
2 - place the autorun.inf and autorun2.exe on there;
3 - drop the admin's connection (use your preferred DoS tool);
4 - try to connect as user nelson and password nelson;
5 - BINGO, you are now a member of the "Administrators" group (Stand Alone Servers) or the "Domain Admins" group (PDC Servers).

- Vulnerability information

10618
Microsoft Windows NT autorun.inf Arbitrary Command Execution
Local Access Required Input Manipulation
Loss of Integrity Workaround
Exploit Public Third-party Verified

- Timeline

2000-02-17 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily work around the flaw by implementing the following workaround: Set the NoDriveTypeAutoRun Explorer registry setting to the default of 0x95.

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Windows autorun.inf Vulnerability
Class: Configuration Error  BID: 993
Remote: No  Local: Yes
2000-02-18 12:00:00 2009-07-11 01:56:00
Posted to Bugtraq on February 18, 2000 by Eric Stevens <ejsteven@cs.millersv.edu>.

- Affected program versions

Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
Microsoft Windows 98
Microsoft Windows 95

- Vulnerability discussion

The Windows Autorun feature was designed to allow an executable and an icon to be specified for any piece of removable media. Upon insertion, the icon would be displayed for the drive, and the executable would automatically run. This feature also applies to fixed and networked drives however, making it much easier to abuse. Any user with write access to the root of a logical drive can install an executable and specify it in an autorun.inf file. Anytime that drive is accessed later, the code will run with the privileges of the currently logged in user. This could be used in privilege escalation attacks.

- Exploit

As a test, make an autorun.inf file in C:\ with the following contents:
[autorun]
open=<path>notepad.exe

If your system is vulnerable, 'opening' C: should result in Notepad starting up. Also, if you right-click on C: you should see the Autoplay option in the drop-down menu.

The following exploit has been provided by Nelson Brito <nelson@secunet.com.br>:

Step by Step:

1 - find an admin's mount point (a.k.a. home directory);
2 - place the autorun.inf and autorun2.exe on there;
3 - drop the admin's connection (use your preferred DoS tool);
4 - try to connect as user nelson and password nelson;
5 - BINGO, you are now a member of the "Administrators" group (Stand Alone Servers) or the "Domain Admins" group (PDC Servers).

- Solution

There are two registry settings that control which drives can be recognized by the Autorun feature, both located in:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoDriveTypeAutoRun
This value specifies drive types that will be checked for Autorun.inf files.
Each bit of the first byte of the value corresponds to a drive type, and a value of 1 disables Autorun for that drive type. Starting with bit 0, the types are: Unknown, No_Root_Dir, Removable, Fixed, Remote, CDROM, Ramdisk. The last bit is reserved for future drive types. For example, a setting of 0xDF (11011111) will enable Autorun on CDROMs only.

NoDriveAutoRun
This value specifies which drives, by drive letter, will have Autorun enabled or disabled. The first bit is drive A:, second is B: and so on. Once again, 0 enables and 1 disables. For example, a setting of 0xFFFFFFF7 (11111111111111111111111111110111) will enable Autorun for drive D: only.
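The two bitmask values above can be audited on a host with the following PowerShell, an added example that is not part of the advisory. It assumes PowerShell 3 or later; besides the HKCU key named above it also reads HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, the machine-wide counterpart of that policy key.

```powershell
# Added audit script (not from the advisory): decode NoDriveTypeAutoRun and
# NoDriveAutoRun as described above and report what still has Autorun enabled.
$DriveTypes = 'Unknown','No_Root_Dir','Removable','Fixed','Remote','CDROM','Ramdisk'

# Registry DWORDs come back as Int32, so 0xFFFFFFF7 reads as -9; widen it first.
function ConvertTo-UnsignedMask($Value) { [uint64]($Value -band 0xFFFFFFFF) }

# NoDriveTypeAutoRun: bit n of the low byte set => Autorun disabled for type n.
# Get-AutorunEnabledTypes 0xDF returns only 'CDROM', as the advisory states.
function Get-AutorunEnabledTypes([uint64]$Mask) {
    0..6 | Where-Object { (($Mask -shr $_) -band 1) -eq 0 } |
        ForEach-Object { $DriveTypes[$_] }
}

# NoDriveAutoRun: bit n set => Autorun disabled for drive letter A: + n.
# Get-AutorunEnabledLetters 0xFFFFFFF7 returns only 'D:'.
function Get-AutorunEnabledLetters([uint64]$Mask) {
    0..25 | Where-Object { (($Mask -shr $_) -band 1) -eq 0 } |
        ForEach-Object { [string][char](65 + $_) + ':' }
}

# HKCU is the key named in the advisory; HKLM is the machine-wide policy (assumed present on modern hosts).
$PolicyPaths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

foreach ($path in $PolicyPaths) {
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    Write-Host "== $path"
    if ($null -eq $item -or $null -eq $item.NoDriveTypeAutoRun) {
        Write-Host '   NoDriveTypeAutoRun not set here (Explorer default applies)'
    } else {
        $mask = ConvertTo-UnsignedMask $item.NoDriveTypeAutoRun
        $enabled = @(Get-AutorunEnabledTypes $mask)
        Write-Host ('   NoDriveTypeAutoRun = 0x{0:X2}; Autorun enabled for: {1}' -f $mask, ($enabled -join ', '))
        # Fixed and Remote are the drive types the advisory warns about.
        if ($enabled -contains 'Fixed' -or $enabled -contains 'Remote') {
            Write-Warning "Autorun still enabled on fixed or network drives under $path"
        }
    }
    if ($null -ne $item -and $null -ne $item.NoDriveAutoRun) {
        $mask = ConvertTo-UnsignedMask $item.NoDriveAutoRun
        $letters = @(Get-AutorunEnabledLetters $mask) -join ' '
        Write-Host ('   NoDriveAutoRun = 0x{0:X8}; Autorun enabled for: {1}' -f $mask, $letters)
    }
}
```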
