ru.nethack

 
 - RU.NETHACK -------------------------------------------------------------------
 From : Vitaly Chekryzhev                    2:5011/214.33  07 Jul 2002  22:52:42
 To : Kirill Usatov
 Subject : w2k on lan
 -------------------------------------------------------------------------------- 
 
 
 02 Jul 86 12:07, Kirill Usatov wrote to Vitaly Chekryzhev:
 
  KU> Is there an article somewhere I could read about this?
 
 === Cut ===
   DebPloit allows Everyone to get handle to Any process or thread.
   Handles have enough access to promote everyone to system/admin (in
   the case Target is running under LocalSystem, Administrator account).
 
   Works on: Any MS Windows NT 4.0, Windows 2000 (SPs before Mar-12-2002).
             Former NTs weren't tested.
 
   Discovered: Mar-09-2002.
   Author: Radim "EliCZ" Picha. Bugs@EliCZ.cjb.net.
 http://www.anticracking.sk/EliCZ.
 
   Details: Exploit\DebPloit.h.
 
   Principle: Ask debugging subsystem (lives in smss.exe) to create (duplicate)
              handle(s) to Target for you:
              1. Become dbgss client (DbgUiConnectToDbg).
              2. Connect to DbgSsApiPort LPC port (ZwConnectPort).
                 Everyone has access to this port.
              3. Ask dbgss to handle CreateProcess SsApi with client id
                 (or pid or tid only) of Target (ZwRequestPort).
              4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT
                 (WaitForDebugEvent). Message contains duplicated handle(s).
              5. When debugger's thread terminates (e.g. on logoff), Target process
                 or thread is terminated too (like it was regularly debugged).
 
   How MS will solve this problem:
              *) Impersonate requesting thread (or client of port); try to open Target
                 pid or tid; revert to self. If open failed, refuse request/debugging/
                 duplication (csrss does it this way).
              *) Put restrictions on DbgSsApiPort port : don't use WORLD SID, ..
              [*) move dbgss to kernel like in Windows XP ;)]
              I will tell you which solution MS used after the next hotfix or SP
              will be out.
 
   How administrators can solve this problem:
              *) Modify smss.exe file (one-byte change). See HotFix directory.
              *) Hook NtConnectPort and refuse non-system/admin connections to
                 DbgSsApiPort.
              *) Modify security descriptor of the port object in kernel memory, ...
   Notes:     It's interesting for how long (~6 years) this "possibility" was
              available.
              The "beauty" of this "exploit" is that it is supported by OS. No
              overflows, no buggy drivers, no invalid pointers, no syscalls, no patching.
 
   EliCZ, Mar-11-2002
 === Cut ===
 
                                          -= Vitaly =-
 
 --- GoldED/W32 3.0.1
  * Origin: VIRtUal Soft, WWW: http://virtualsoft.narod.ru (2:5011/214.33)
 
 
