CVE-2003-0641
CVSS 4.6
Published: 2003-08-27 00:00:00
Revised: 2016-10-17 22:36:16

[Original text] WatchGuard ServerLock for Windows 2000 before SL 2.0.3 allows local users to load arbitrary modules via the OpenProcess() function, as demonstrated using (1) a DLL injection attack, (2) ZwSetSystemInformation, and (3) API hooking in OpenProcess.


[CNNVD] WatchGuard ServerLock Unauthorized Kernel Module Loading Vulnerability (CNNVD-200308-188)

WatchGuard ServerLock is a tool for protecting operating system integrity: it prevents anyone from modifying certain files and registry keys or from loading unknown drivers.
WatchGuard ServerLock has a DLL injection problem. A local attacker can exploit this vulnerability to load arbitrary modules into the Windows 2000 kernel via the ZwSetSystemInformation() function, bypassing the security restrictions.
WatchGuard ServerLock restricts the "HKLM\System\CurrentControlSet\Services" registry key, replacement of files in the "\Winnt\System32\drivers" directory, and calls to ZwSetSystemInformation(). However, ServerLock allows trusted programs to call ZwSetSystemInformation(). An attacker can place a malicious program in the "\WINNT\system32\drivers\" directory and, by means of DLL injection, force a trusted process to execute ZwSetSystemInformation(), loading the malicious program into the kernel.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may lead to degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation is not subject to access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:watchguard:serverlock:2.0.1
cpe:/a:watchguard:serverlock:2.0.2
cpe:/a:watchguard:serverlock:2.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0641
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0641
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-188
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105848106631132&w=2
(UNKNOWN)  BUGTRAQ  20030717 Bypassing ServerLock protection on Windows 2000
http://www.securityfocus.com/bid/8222
(VENDOR_ADVISORY)  BID  8222
http://xforce.iss.net/xforce/xfdb/12665
(UNKNOWN)  XF  serverlock-openprocess-load-module(12665)

- Vulnerability information

WatchGuard ServerLock Unauthorized Kernel Module Loading Vulnerability
Medium severity; Design Error
2003-08-27 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

Vendor patch:
WatchGuard
----------
ServerLock 2.0.3 and later versions are not affected by this vulnerability; see the WatchGuard LiveSecurity website for details:
https://www.watchguard.com/archive/softwarecenter.asp

- Vulnerability information

6578
WatchGuard ServerLock DLL Injection Arbitrary Module Execution
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Server Lock contains a flaw that may allow a malicious user to inject arbitrary DLLs. The issue is triggered when the OpenProcess() call is used and no sanity checks are performed. It is possible that the flaw may allow malicious DLL injection resulting in a loss of integrity.

- Timeline

2003-07-17 Unknown
2003-07-17 Unknown

- Solution

Upgrade to version 2.0.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

WatchGuard ServerLock Unauthorized Kernel Module Loading Vulnerability
Class: Design Error / Bugtraq ID: 8222
Remote: No / Local: Yes
2003-07-17 12:00:00 2009-07-11 10:56:00
Reported by Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>.

- Affected program versions

WatchGuard ServerLock 2.0.2
WatchGuard ServerLock 2.0.1
WatchGuard ServerLock 2.0
WatchGuard ServerLock 2.0.4
WatchGuard ServerLock 2.0.3

- Unaffected program versions

WatchGuard ServerLock 2.0.4
WatchGuard ServerLock 2.0.3

- Vulnerability discussion

WatchGuard ServerLock is prone to a vulnerability that may permit a malicious program to inject arbitrary code into trusted runtime processes, potentially allowing an arbitrary module to be loaded into the Windows 2000 kernel via the ZwSetSystemInformation() function. This could be exploited to circumvent the security provided by ServerLock.

This issue is reported to affect Windows 2000 systems.

- Exploit

The discoverer of this vulnerability has claimed to have exploited this issue. Exploit code is not reported to be circulating in the wild at the time of writing.

- Solution

WatchGuard has addressed this issue in ServerLock version 2.0.3 and later. For information on how to obtain patches, please visit the WatchGuard LiveSecurity website referenced below.

- References
