NT RASMAN privilege escalation vulnerability

Vulnerability ID: 1105545
Vulnerability type: Configuration error
Published: 1999-09-17
Updated: 2006-04-19
CVE ID: CVE-1999-0886
CNNVD ID: CNNVD-199909-036
Platform: Windows
CVSS score: 9.0
|Vulnerability source
https://www.exploit-db.com/exploits/19502
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199909-036
|Vulnerability details
The RASMAN security descriptor is flawed: a user can use the Windows NT Service Control Manager to point the service at an alternate location.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/645/info

Any authenticated NT user (i.e. domain user) can modify the pathname for the RASMAN binary in the Registry. The next time the RAS Service is started, the (trojan) service referenced by the RASMAN pathname will be executed with system privileges. This trojan service may allow the User to execute commands on the target server as an administrator, including elevating the privileges of their own account to that of Administrator. A modified (UNC) pathname may be used to point to an executable existing on another host on the network.

19502-1.exe <binary pathname> will modify the RASMAN/ImagePath key in the Registry with the service executable to be run in its place. 19502-2.exe (author supplied) is a sample trojan service that may be run. This executable runs a service which launches a netcat listener on tcp port 123. (nc -d -L -p 123 -e cmd.exe). (This service may or may not run with errors.) 

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/19502-1.exe

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/19502-2.exe
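As an added example (not part of the CNNVD record or the BID advisory above), the following PowerShell check lets a defender confirm that the RasMan service key's ACL no longer grants write rights to ordinary principals and that ImagePath has not been redirected to a UNC path. The service key path and the list of trusted principals are assumptions based on the standard Windows layout.

```powershell
# Added example: audit the RasMan service key for the weak ACL described above.
# Assumptions: Windows with PowerShell 5+; standard service key location.
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan'

# Principals that are expected to be able to change a service's ImagePath.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that let a principal rewrite ImagePath or take over the key.
# ReadPermissions is deliberately left out: WriteKey and ReadKey both
# carry that bit, so including it would flag read-only ACEs.
$R = [System.Security.AccessControl.RegistryRights]
$WriteRights = $R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
               $R::ChangePermissions -bor $R::TakeOwnership

function Test-RasManServiceKey {
    $findings = @()
    $acl = Get-Acl -Path $ServiceKey
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band [int]$WriteRights) -ne 0) {
            $findings += "Weak ACE: $($ace.IdentityReference) has $($ace.RegistryRights) on $ServiceKey"
        }
    }
    # A UNC ImagePath is the symptom of the redirected (trojan) service.
    $imagePath = (Get-ItemProperty -Path $ServiceKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) {
        $findings += "ImagePath value missing on $ServiceKey"
    } elseif ($imagePath -match '^\s*"?\\\\') {
        $findings += "ImagePath points to a network location: $imagePath"
    }
    return $findings
}

$result = @(Test-RasManServiceKey)
if ($result.Count -eq 0) { 'RasMan service key ACL and ImagePath look as expected.' }
else { $result }
```

Run from an elevated prompt; any "Weak ACE" line naming Users or Authenticated Users is the condition MS99-041 corrects.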
|References

Source: BID
Name: 645
Link: http://www.securityfocus.com/bid/645
Source: MS
Name: MS99-041
Link: http://www.microsoft.com/technet/security/bulletin/ms99-041.mspx
Source: MSKB
Name: Q242294
Link: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q242294