NT Spoolss.exe DLL Insertion Vulnerability

Vulnerability ID: 1105594
Vulnerability type: Permissions, Privileges and Access Controls
Published: 1999-11-04
Updated: 2006-04-19
CVE ID: CVE-1999-0899
CNNVD ID: CNNVD-199911-018
Platform: Windows
CVSS score: 7.2
|Source
https://www.exploit-db.com/exploits/19594
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199911-018
|Details
The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands because of inappropriate permissions that let the user specify an alternate print provider; the provider DLL is then loaded by the spooler service, which runs as SYSTEM.
|Exploit
source: http://www.securityfocus.com/bid/769/info

The spooler service (spoolss.exe) allows local users to add their own DLL files and have the spooler run them at SYSTEM level. This leads to privilege escalation all the way up to Administrator level. The problem is in the print-provider registration function, AddPrintProvider() (the Win32 export is actually spelled AddPrintProvidor()).

This exploit crashes the spooler service and copies a custom DLL into c:\winnt\system32. When the spooler service is restarted, the custom DLL is loaded and run at SYSTEM level. The 'whoami' binary is run and the results are logged to a text file for verification. If the target machine's NT directory is not the default c:\winnt, the program has to be modified.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/19594.zip
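The registration the exploit relies on leaves a trace: a print-provider entry whose DLL is not one the system ships, or that names a file outside System32. As an added example (not part of this entry or of the 19594.zip archive), the following Python script parses a .reg export of the provider key and flags such entries. The key path, the two baseline DLL names, the default c:\winnt\system32 location and the sample export are assumptions constructed for the example; take the real baseline from a known-good host of the same build.

```python
"""Audit print-provider registrations from a .reg export for rogue DLLs."""
import re
from pathlib import PureWindowsPath

# Assumed location of print-provider registrations (subkey per provider).
PROVIDERS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers"

# Assumed baseline of provider DLLs shipped with NT 4.0; build the real
# list from a known-good machine rather than trusting this one.
KNOWN_GOOD_DLLS = {"win32spl.dll", "inetpp.dll"}

# Default NT directory named in the advisory text; adjust for non-default installs.
SYSTEM32 = PureWindowsPath(r"C:\winnt\system32")

# Constructed sample export: two stock providers plus two suspicious ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]
"Order"=hex(7):4c,00,61,00,6e,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services]
"Name"="win32spl.dll"
"DisplayName"="LanMan Print Services"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\Internet Print Provider]
"Name"="inetpp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\Evil Provider]
"Name"="C:\\Users\\bob\\evil.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\Quiet Provider]
"Name"="whoami_spl.dll"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export.

    Non-string values (hex(7) etc.) and their continuation lines are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes and quotes with a backslash.
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def audit_print_providers(reg_text, known_good=KNOWN_GOOD_DLLS, system32=SYSTEM32):
    """Return (provider, dll, reason) findings for unexpected provider DLLs."""
    findings = []
    prefix = PROVIDERS_KEY.lower() + "\\"
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        provider = key[len(prefix):]
        dll = values.get("Name")
        if dll is None:
            findings.append((provider, None, "provider subkey has no Name value"))
            continue
        path = PureWindowsPath(dll)
        # The spooler resolves bare names against System32; an explicit path
        # elsewhere means the DLL can live in a user-writable directory.
        if path.parent != PureWindowsPath(".") and path.parent != system32:
            findings.append((provider, dll, "DLL path outside %SystemRoot%\\System32"))
        if path.name.lower() not in known_good:
            findings.append((provider, dll, "DLL not in known-good baseline"))
    return findings


if __name__ == "__main__":
    for provider, dll, reason in audit_print_providers(SAMPLE_REG):
        print(f"{provider}: {dll} ({reason})")
```

On a live host, feed the script the output of `reg export` for the provider key; a hit only says the registration is unexpected, so confirm by checking the file's owner, ACL and hash before treating it as the planted DLL.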
|References

BID 769: http://www.securityfocus.com/bid/769
Microsoft Security Bulletin MS99-047: http://www.microsoft.com/technet/security/bulletin/ms99-047.mspx
Microsoft Knowledge Base Q243649: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q243649