Microsoft Windows AEDEBUG Registry Key Vulnerability

Vulnerability ID: 1105744  Vulnerability type: Unknown
Published: 2000-03-09  Updated: 2006-04-19
CVE ID: CVE-1999-1084  CNNVD-ID: CNNVD-199912-162
Platform: Windows  CVSS score: 4.6
|Vulnerability source
https://www.exploit-db.com/exploits/19798
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-162
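|Vulnerability details
The "AEDebug" registry key is installed with insecure permissions. This allows a local user to modify the key to specify a Trojan horse debugger, which is executed automatically when the system crashes.
|Exploit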
source: http://www.securityfocus.com/bid/1042/info


The registry value 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup 

specifies the shared startup folder for all users on a system. This key is set to be writeable by any authenticated user. Therefore, any user could specify a folder with a shortcut to a program of their choice that will be run any time a user logs in, at the privilege level of that user.

Example: 

On a Domain Controller, a batch file containing the following commands:
--
net user attacker /add /domain
net group administrators attacker /add /domain
--
could be put into the folder c:\hackstartup.
Then the registry value 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup 
could be set to the string "c:\hackstartup".
The next time an administrator logs on to that machine, the 'attacker' account will be created and added to the Administrators group on the PDC of the domain.
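
A defensive check for the condition described above, as an added example that is not part of the original advisory: it lists every principal outside a trusted set that holds write access to the User Shell Folders key, and prints the data currently stored in Common Startup. The helper name `Get-UntrustedRegistryWriter` and the trusted SID list are assumptions to adapt to local policy.

```powershell
# Added audit example; not part of the original advisory. Run on Windows.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$ValueName = 'Common Startup'

# Rights that allow changing a value, or rewriting the key's ACL or owner.
$Specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Generic bits can appear unmapped in inherit-only ACEs: GENERIC_WRITE, GENERIC_ALL.
$WriteMask = [int]$Specific -bor 0x40000000 -bor 0x10000000

# Assumption: principals allowed to write here. Adjust to local policy.
$TrustedSids = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0'        # CREATOR OWNER
)
$TrustedPrefix = 'S-1-5-80-'  # per-service SIDs, e.g. TrustedInstaller

function Get-UntrustedRegistryWriter {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }

        $sid = $ace.IdentityReference.Value
        if ($TrustedSids -contains $sid -or $sid.StartsWith($TrustedPrefix)) { continue }

        # Resolve the SID to a name where possible; keep the SID otherwise.
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid }
        [pscustomobject]@{
            Key       = $Path
            Principal = $name
            Sid       = $sid
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Unexpanded data currently stored in the value, for comparison with the expected folder.
$current = (Get-Item -Path $KeyPath).GetValue($ValueName, $null, 'DoNotExpandEnvironmentNames')
"'$ValueName' is currently set to: $current"

$findings = @(Get-UntrustedRegistryWriter -Path $KeyPath)
if ($findings.Count) { $findings | Format-Table -AutoSize }
else { 'No untrusted principal holds write access to the key.' }
```

The `-Path` parameter accepts any registry key, so the same function can be pointed at other keys that control automatic program execution.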
|References

Source: BID
Name: 1044
Link: http://www.securityfocus.com/bid/1044
Source: MS
Name: MS00-008
Link: http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Source: CIAC
Name: K-029
Link: http://www.ciac.org/ciac/bulletins/k-029.shtml
Source: MSKB
Name: Q103861
Link: http://support.microsoft.com/support/kb/articles/q103/8/61.asp
Source: NTBUGTRAQ
Name: 19980622 Yet another "get yourself admin rights exploit":
Link: http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222453431604&w=2