There is reportedly a security problem in the Windows COM structure; a local or remote attacker can use this vulnerability to elevate privileges or execute arbitrary instructions. When the affected operating systems and programs process COM structured storage files, the way shared memory is accessed contains a privilege elevation vulnerability, and a logged-in user can exploit it to take complete control of the system.
This is a privilege elevation vulnerability. An attacker who successfully exploits it can take complete control of the affected system: install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker must be able to log on locally to the system and run a program.
The affected systems include Windows 2000 (SP3, SP4), Windows XP (SP1, SP2), Windows 2003, Windows 98 and other operating systems. Office software that uses the Windows OLE component, such as Office XP and Office 2003, is also affected.
How the vulnerability arises
Webfldrs.msi is the Windows system Web Folders repair tool. When the Webfldrs.msi component is uninstalled, a permission problem causes an error, which pops up a prompt window. At this point the thread is suspended; a thread created earlier creates a heap object, and this object happens to be writable. The attacker takes advantage of this writable window to write prepared shellcode into the object, so that the attacker's own shellcode gets executed. Note: shellcode is a set of machine code that performs the function the attacker wants; it usually exists in the form of a hexadecimal byte array.
Privilege escalation in practice
We will use this vulnerability in a local privilege escalation experiment and in a remote privilege escalation experiment.
First open a Command Prompt window, run the exploit tool and view its usage instructions (Figure 1). The figure shows that the tool's usage instructions are very detailed, and that the tool runs different commands depending on the operating system.
On Windows 2000 (SP4) the tool gives us an interactive shell; on the other affected systems it can only execute non-interactive commands. Figure 1 shows the command being executed in two parts: the first parameter is the installation path of the Webfldrs.msi component (the install path differs between operating systems), and the second parameter is the command to execute.
1. Local privilege escalation
Let us first look at how the COM remote buffer overflow vulnerability is used locally.
On many specially managed computers (such as school labs and public-access computers), the administrator restricts what users may do in order to prevent certain operations, for example allowing them only to read existing files and not to create new ones. Through this vulnerability, however, we can raise such a restricted account's permissions to the highest administrator permissions.
First log in as an ordinary (non-administrator) user.
The system we use for the local privilege escalation here is Windows 2000. Run the "cmd" command to open a Command Prompt window and execute the command c:\ms05012.exe "c:\windows\system32\webfldrs.msi" "cmd.exe". After the tool reports that the command executed successfully, a new Command Prompt window pops up (Figure 2). In this window we can execute any command.
Since our account's rights have been raised, we can now execute everything an administrator can: install programs; view, change, or delete data; create new accounts with full user rights; and so on.
With the local privilege escalation complete, let us now look at remote privilege escalation.
Remote privilege escalation is a very common step in a hacker's intrusion process, because in order to fully control the remote computer the hacker must have a highly privileged user account.
First use NC to obtain a shell on the remote computer; of course, this shell's permissions are limited. Now we run the escalation command ms05012.exe "c:\windows\system32\webfldrs.msi" "net localgroup administrators yonghu /add". When the tool reports that the command executed successfully, we have an administrator account named "yonghu".
One reminder here: whatever version the remote system runs, do not execute "cmd.exe" through the tool. Running that command pops up a Command Prompt window on the remote computer's desktop, which will alert the remote user. Also, the command should not take too long to execute; commands such as downloading a file or adding a user can generally be executed successfully.
The reason for performing a remote escalation is mainly to be able to upload a program with remote-control functionality, so that we can conveniently control the system remotely. Once the remote privilege escalation is complete, we can use the FTP command to upload our remote-control program.
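The outcome the two experiments above produce is visible in the Windows security audit log: a process-creation record whose command line adds a user to the local Administrators group, followed by a "member added to security-enabled local group" record for that group. The following detector is an added example written for this page; it is not code from the original article or from the exploit tool it describes. It scans constructed audit records in a simplified "EventID|Account|Detail" layout (an assumption for the example, not a real Windows export format). The event IDs themselves are real: 592 and 636 on Windows 2000/XP/2003, 4688 and 4732 on later versions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Audit event IDs for the two records that matter here:
#   process creation: 592 (Windows 2000/XP/2003), 4688 (Vista and later)
#   member added to a security-enabled local group: 636 / 4732
PROCESS_CREATED = {"592", "4688"}
LOCAL_GROUP_MEMBER_ADDED = {"636", "4732"}

# "net localgroup administrators <user> /add" in the spellings the shell accepts
ADMIN_ADD_RE = re.compile(
    r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b",
    re.IGNORECASE,
)
# The tool described on the page takes the webfldrs.msi path and a command to run
# as two quoted arguments; a command line shaped like that is worth flagging.
WEBFLDRS_RE = re.compile(r'"[^"]*webfldrs\.msi"\s+"([^"]+)"', re.IGNORECASE)

# Constructed sample records (not real log output): a restricted user "guest1"
# runs the escalation tool and ends up in Administrators; "guest2" does the same
# on a newer system; "admin" generates benign noise.
SAMPLE_LOG = r"""
592|guest1|cmd.exe
592|guest1|ms05012.exe "c:\windows\system32\webfldrs.msi" "net localgroup administrators yonghu /add"
636|guest1|Administrators
592|admin|notepad.exe
636|admin|Users
4688|guest2|net.exe localgroup administrators guest2 /add
4732|guest2|Administrators
"""


@dataclass
class Finding:
    event_id: str
    account: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one 'EventID|Account|Detail' record; None for blank or malformed lines."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return parts[0], parts[1], parts[2]


def detect(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious record, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event_id, account, detail = rec
        if event_id in LOCAL_GROUP_MEMBER_ADDED and detail.strip().lower() == "administrators":
            findings.append(Finding(event_id, account, "member added to local Administrators group"))
        elif event_id in PROCESS_CREATED:
            m = ADMIN_ADD_RE.search(detail)
            if m:
                findings.append(Finding(event_id, account, f"command line adds '{m.group(1)}' to Administrators"))
            m = WEBFLDRS_RE.search(detail)
            if m:
                findings.append(Finding(event_id, account, f"webfldrs.msi passed with a command to run: {m.group(1)}"))
    return findings


def correlate(findings: List[Finding]) -> List[str]:
    """Accounts that both ran a flagged command and then appeared in an Administrators add."""
    ran = {f.account for f in findings if f.event_id in PROCESS_CREATED}
    added = {f.account for f in findings if f.event_id in LOCAL_GROUP_MEMBER_ADDED}
    return sorted(ran & added)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f"event {f.event_id} account {f.account}: {f.reason}")
    print("accounts that escalated:", correlate(found))
```

The correlation step is what separates this from a keyword match: a lone "net localgroup" command from a help-desk account is routine, but the same non-administrator account first running such a command and then appearing as a new Administrators member is exactly the sequence the article walks through.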
To prevent this vulnerability from harming users of the system, users should install Microsoft's patch for it quickly; this effectively prevents the vulnerability from being exploited.
Prevention: the simplest and also the most secure way to guard against this exploit is to install the security patch released by Microsoft as soon as possible (download address: http://www.microsoft.com/china/technet/security/bulletin/ms05-012.mspx).
Tip: what are permissions?
When using computers we often see the word "permissions", especially since Windows 2000/XP came into wide use. What exactly is a permission? In Windows, permissions are the method of assigning and restricting user rights at different levels. In Windows 2000/XP, permissions are divided into seven categories: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write and Special Permissions. Full Control includes the other six permissions, so holding it is equivalent to holding the other six at the same time; in the system only administrators have this highest authority.