Search...

Microsoft DebugView Dbgv.sys内核模块本地权限升漏洞

2007-11-08T00:00:00

ID SSV:2396
Type seebug
Reporter Root
Modified 2007-11-08T00:00:00

Description

BUGTRAQ ID: 26359 CVE(CAN) ID: CVE-2007-4223

DebugView允许用户监控本地系统或可通过TCP/IP访问的网络中计算机上的调试输出。

DebugView所加载的Dbgv.sys内核模块中的功能可能允许将用户提供的数据拷贝到内核中可控的地址，这样恶意用户就可以向运行的内核中注入任意代码。

如果要利用这个漏洞，管理员必须加载DebugView，这样才会将Dbgv.sys驱动加载到内核，然后所有用户在系统重启之前都可以访问有漏洞的内核模块。

Microsoft DebugView 4.64 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

<a href="http://download.sysinternals.com/Files/DebugView.zip" target="_blank">http://download.sysinternals.com/Files/DebugView.zip</a>

JSON Vulners Source

Initial Source

{"sourceData": "", "status": "details", "history": [], "description": "BUGTRAQ ID: 26359\r\nCVE(CAN) ID: CVE-2007-4223\r\n\r\nDebugView\u5141\u8bb8\u7528\u6237\u76d1\u63a7\u672c\u5730\u7cfb\u7edf\u6216\u53ef\u901a\u8fc7TCP/IP\u8bbf\u95ee\u7684\u7f51\u7edc\u4e2d\u8ba1\u7b97\u673a\u4e0a\u7684\u8c03\u8bd5\u8f93\u51fa\u3002\r\n\r\nDebugView\u6240\u52a0\u8f7d\u7684Dbgv.sys\u5185\u6838\u6a21\u5757\u4e2d\u7684\u529f\u80fd\u53ef\u80fd\u5141\u8bb8\u5c06\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u62f7\u8d1d\u5230\u5185\u6838\u4e2d\u53ef\u63a7\u7684\u5730\u5740\uff0c\u8fd9\u6837\u6076\u610f\u7528\u6237\u5c31\u53ef\u4ee5\u5411\u8fd0\u884c\u7684\u5185\u6838\u4e2d\u6ce8\u5165\u4efb\u610f\u4ee3\u7801\u3002\r\n\r\n\u5982\u679c\u8981\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u7ba1\u7406\u5458\u5fc5\u987b\u52a0\u8f7dDebugView\uff0c\u8fd9\u6837\u624d\u4f1a\u5c06Dbgv.sys\u9a71\u52a8\u52a0\u8f7d\u5230\u5185\u6838\uff0c\u7136\u540e\u6240\u6709\u7528\u6237\u5728\u7cfb\u7edf\u91cd\u542f\u4e4b\u524d\u90fd\u53ef\u4ee5\u8bbf\u95ee\u6709\u6f0f\u6d1e\u7684\u5185\u6838\u6a21\u5757\u3002\r\n\n\nMicrosoft DebugView 4.64\n \u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\n<a href=\"http://download.sysinternals.com/Files/DebugView.zip\" target=\"_blank\">http://download.sysinternals.com/Files/DebugView.zip</a>", "sourceHref": "", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-2396", "type": "seebug", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "viewCount": 1, "references": [], "lastseen": "2017-11-19T21:55:23", "published": "2007-11-08T00:00:00", "objectVersion": "1.4", "cvelist": ["CVE-2007-4223"], "id": "SSV:2396", "enchantments_done": [], "modified": "2007-11-08T00:00:00", "title": "Microsoft DebugView Dbgv.sys\u5185\u6838\u6a21\u5757\u672c\u5730\u6743\u9650\u5347\u6f0f\u6d1e", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "bulletinFamily": "exploit", "enchantments": {"score": {"vector": "NONE", "value": 5.0}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-4223"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:18365", "SECURITYVULNS:VULN:8324"]}, {"type": "osvdb", "idList": ["OSVDB:38496"]}, {"type": "kaspersky", "idList": ["KLA10263"]}], "modified": "2017-11-19T21:55:23"}, "vulnersScore": 5.0}, "_object_type": "robots.models.seebug.SeebugBulletin"}

{"cve": [{"lastseen": "2017-07-29T11:22:11", "bulletinFamily": "NVD", "description": "Dbgv.sys in Microsoft Sysinternals DebugView before 4.72 provides an unspecified mechanism for copying data into kernel memory, which allows local users to gain privileges via unspecified vectors.", "modified": "2017-07-28T21:32:47", "published": "2007-11-08T06:46:00", "id": "CVE-2007-4223", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4223", "title": "CVE-2007-4223", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:24", "bulletinFamily": "software", "description": "iDefense Security Advisory 11.06.07\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nNov 06, 2007\r\n\r\nI. BACKGROUND\r\n\r\nDebugView is a system analysis tool designed to display debug messages\r\nbeing generated on the system. More information is available on the\r\nvendor's site at the following URL.\r\n\r\nhttp://www.microsoft.com/technet/sysinternals/utilities/debugview.mspx\r\n\r\nII. DESCRIPTION\r\n\r\nLocal exploitation of a design error vulnerability in Microsoft's\r\nDebugView could allow attackers to execute arbitrary kernel code.\r\n\r\nAs part of its design, DebugView loads a kernel module Dbgv.sys. This\r\nmodule includes functionality that can be abused to copy user supplied\r\ndata into the kernel, to controlled addresses. This allows malicious\r\nusers to inject arbitrary code into the running kernel.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation allows attackers to modify the kernel, resulting in the\r\narbitrary execution of code in kernel context.\r\n\r\nIn order to exploit this vulnerability, an administrator must launch the\r\nDebugView application, which will load the Dbgv.sys driver into the\r\nkernel. Once loaded, the vulnerable kernel module will be accessible by\r\nall users, and will remain loaded until the system is rebooted.\r\n\r\nIV. DETECTION\r\n\r\niDefense confirmed the existence of this vulnerability in Microsoft\r\nDebugView version 4.64. The specific file version of Dbgv.sys is\r\n4.60.0.0. This file is deleted automatically after being loaded and\r\nwill not be found on disk. Previous versions are suspected to be\r\nvulnerable as well.\r\n\r\nV. WORKAROUND\r\n\r\niDefense is currently unaware of any effective workaround for this\r\nissue.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nMicrosoft Sysinternals has addressed this vulnerability by releasing\r\nversion 4.72 of DebugView. For more information, visit the following\r\nURL.\r\n\r\nhttp://www.microsoft.com/technet/sysinternals/utilities/debugview.mspx\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2007-4223 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org/), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n08/21/2007 Initial vendor notification\r\n08/21/2007 Initial vendor response\r\n11/06/2007 Public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThis vulnerability was reported to VeriSign iDefense by Stephen Fewer of\r\nHarmony Security (www.harmonysecurity.com)\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2007 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "modified": "2007-11-07T00:00:00", "published": "2007-11-07T00:00:00", "id": "SECURITYVULNS:DOC:18365", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18365", "title": "iDefense Security Advisory 11.06.07: Microsoft DebugView Privilege Escalation Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:27", "bulletinFamily": "software", "description": "Dbgv.sys Driver allows any user to copy any data in kernel memory.", "modified": "2007-11-07T00:00:00", "published": "2007-11-07T00:00:00", "id": "SECURITYVULNS:VULN:8324", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8324", "title": "Microsoft Sysinternals DebugView privilege escalation", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2019-02-15T12:34:18", "bulletinFamily": "info", "description": "### *Detect date*:\n11/08/2007\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn unspecified vulnerability was found in DebugView. By exploiting this vulnerability malicious users can gain privileges. This vulnerability can be exploited locally at an unknown point.\n\n### *Affected products*:\nMicrosoft Sysinternals DebigView versions 4.71 and earlier\n\n### *Solution*:\nUpdate to latest version\n\n### *Impacts*:\nPE \n\n### *Related products*:\n[Microsoft DebugView](<https://threats.kaspersky.com/en/product/Microsoft-DebugView/>)\n\n### *CVE-IDS*:\n[CVE-2007-4223](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4223>)", "modified": "2019-02-13T00:00:00", "published": "2007-11-08T00:00:00", "id": "KLA10263", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10263", "title": "\r KLA10263LPE vulnerability in DebugView ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1018903\n[Secunia Advisory ID:27552](https://secuniaresearch.flexerasoftware.com/advisories/27552/)\nOther Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=621\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-11/0093.html\nISS X-Force ID: 38292\nFrSIRT Advisory: ADV-2007-3756\n[CVE-2007-4223](https://vulners.com/cve/CVE-2007-4223)\nBugtraq ID: 26359\n", "modified": "2007-11-06T18:48:09", "published": "2007-11-06T18:48:09", "href": "https://vulners.com/osvdb/OSVDB:38496", "id": "OSVDB:38496", "title": "Microsoft Sysinternals DebugView Dbgv.sys Local Privilege Escalation", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}