Microsoft Windows是微软发布的非常流行的操作系统。
Windows XP Service Pack 1对一些Windows服务的访问权限设置存在漏洞,本地攻击者可能利用此漏洞在主机上提升自己的权限。
默认下Windows XP Service Pack 1上的一些Windows服务(SSDPSRV、NetBT、UPnPHost、ScardSvr、DHCP和DnsCache)所设置的权限级别可能允许低特权用户更改与该服务关联的属性;Windows 2003上的一些服务(NetBT、DnsCache和DHCP)所设置的权限级别可能允许属于Network Configuration Operators组的用户更改与该服务关联的属性。仅目标计算机上网络操作员组的成员可以远程攻击Windows Server2003,此组默认下不包含任何用户。该漏洞可能允许具有有效的登录凭据的用户完全控制Microsoft Windows XP Service Pack 1上的系统。
Microsoft Windows XP SP1
Microsoft Windows Server 2003
临时解决方法:
* 使用sc.exe命令修改识别出的有漏洞服务的访问控制:
对于Windows XP Service Pack 1,运行以下命令。每个命令都修改了与受影响服务相关的DACL。
sc sdset ssdpsrv D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;LS)
sc sdset netbt D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;DT;;;LS)(A;;DT;;;NS)(A;;CCLCSWRPLOCRRC;;;NO)
sc sdset upnphost
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWLOCRRC;;;LS)
sc sdset scardsvr D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;LS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLOCRRC;;;S-1-2-0)
sc sdset dhcp D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
sc sdset dnscache D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
对于Windows Server 2003,运行以下命令。每个命令都修改了与受影响服务相关的DACL。
sc sdset netbt D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;DT;;;LS)(A;;DT;;;NS)(A;;CCLCSWRPLOCRRC;;;NO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
sc sdset dhcp D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
sc sdset dnscache D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
注意:对于Windows Server 2003,仅有NetBT、DnsCache和DHCP是受影响的服务。在Windows Server 2003的攻击情况下,攻击必须是由Network Configuration Operators组成员发起的。默认下这个组是空的。
* 使用组策略为识别出的服务部署修改的访问控制。
域管理员可使用组策略和安全模板向Windows XP Service Pack 1系统部署修改过的访问控制。
对于Windows XP Service Pack 1,使用以下安全模板修改Upnphost、SCardSvr、SSDPSRV、DnsCache和DHCP服务。
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
SSDPSRV,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;S-1-5-19)"
upnphost,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWLOCRRC;;;S-1-5-19)"
scardsvr,2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-19)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLOCRRC;;;S-1-2-0)"
dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
对于Windows Server 2003,使用以下安全模板修改DnsCache和DHCP服务。
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
dhcp,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
注意:对于Windows XP Service Pack 1和Windows Server 2003,不支持使用Microsoft组策略对象编辑器更改NetBT服务的服务DACL。因此,安全模板没有包含Windows Server 2003的NetBT服务DACL更改。
注意:对于Windows Server 2003,仅有NetBT、DHCP和DnsCache是所识别出的受影响服务。在Windows Server 2003的攻击情况下,攻击必须是由Network Configuration Operators组成员发起的。默认下这个组是空的。
* 修改每个所识别出服务的Windows注册表以修改访问控制。
服务修改的首选方法是使用sc.exe命令。但是,也可使用以下命令将受影响服务的安全DACL修改为Windows XP Service Pack 2相同的级别。建议用户在进行任何修改之前备份注册表。
对于Windows XP Service Pack 1,修改以下注册表项更改默认的Windows XP Service Pack 1受影响服务.
SSDPSRV服务:
reg add HKLM\System\CurrentControlSet\Services\SSDPSRV\Security /v Security /t REG_BINARY /d _
01001480bc000000c8000000140000003000000002001c000100000002801400ff010f00010100000000000100000_
00002008c000600000000001400ff010f0001010000000000051200000000001800ff010f00010200000000000520_
0000002002000000001800fd0102000102000000000005200000002302000000001800ff010f00010200000000000_
52000000025020000000014009d00020001010000000000050b000000000014007000020001010000000000051300_
0000010100000000000512000000010100000000000512000000
NetBT服务:
reg add HKLM\System\CurrentControlSet\Services\netbt\Security /v Security /t REG_BINARY /d _
01001480e8000000f4000000140000003000000002001c000100000002801400ff010f00010100000000000100000_
0000200b80008000000000014008d01020001010000000000050b000000000018009d010200010200000000000520_
0000002302000000001800ff010f000102000000000005200000002002000000001800ff010f00010200000000000_
5200000002502000000001400fd010200010100000000000512000000000014004000000001010000000000051300_
00000000140040000000010100000000000514000000000018009d0102000102000000000005200000002c0200000_
10100000000000512000000010100000000000512000000
UPnPHost服务:
reg add HKLM\System\CurrentControlSet\Services\upnphost\Security /v Security /t REG_BINARY /d _
01001480bc000000c8000000140000003000000002001c000100000002801400ff010f00010100000000000100000_
00002008c000600000000001400ff010f0001010000000000051200000000001800ff010f00010200000000000520_
0000002002000000001800fd0102000102000000000005200000002302000000001800ff010f00010200000000000_
52000000025020000000014009d00020001010000000000050b000000000014008f01020001010000000000051300_
0000010100000000000512000000010100000000000512000000
ScardSvr服务:
reg add HKLM\System\CurrentControlSet\Services\scardsvr\Security /v Security /t REG_BINARY /d _
01001480a4000000b0000000140000003000000002001c000100000002801400ff010f00010100000000000100000_
000020074000500000000001400fd01020001010000000000051200000000001400fd010200010100000000000513_
00000000001800ff010f000102000000000005200000002002000000001800ff010f0001020000000000052000000_
025020000000014009d01020001010000000000020000000001010000000000051200000001010000000000051200_
0000
DHCP服务:
reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dhcp\security /v Security /t REG_BINARY /d _
01001480900000009C000000140000003000000002001C00010000002801400FF010F00010100000000000100000000020060000_
4000000000014008D01020001010000000000050B00000000001800FD010200012000000000005200000002C02000000001800FF_
010F00010200000000005200000002002000000001400FD010200010100000000000512000000101000000000005120000000101_
00000000000512000000
DnsCache服务:
reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dnscache\security /v Security /t REG_BINARY /d_
01001480A8000000B4000000140000003000000002001C00010000002801400FF010F00010100000000000100000000020078000500_
0000000014008D01020001010000000000050B000000000018009D010200012000000000005200000002302000000001800FD010200_
010200000000005200000002C02000000001800FF010F000102000000000005200000002002000000001400FD010200010100000000_
00051200000001010000000000512000000010100000000000512000000
对于Windows Server 2003,修改以下注册表项以更改默认的Windows Server 2003受影响服务。
NetBT服务:
reg add HKLM\System\CurrentControlSet\Services\netbt\Security /v Security /t REG_BINARY /d _
01001480e8000000f4000000140000003000000002001c000100000002801400ff010f00010100000000000100000_
0000200b80008000000000014008d01020001010000000000050b000000000018009d010200010200000000000520_
0000002302000000001800ff010f000102000000000005200000002002000000001800ff010f00010200000000000_
5200000002502000000001400fd010200010100000000000512000000000014004000000001010000000000051300_
00000000140040000000010100000000000514000000000018009d0102000102000000000005200000002c0200000_
10100000000000512000000010100000000000512000000
DHCP服务:
reg add HKLM\System\CurrentControlSet\Services\dhcp\Security /v Security /t REG_BINARY /d _
01001480900000009C000000140000003000000002001C00010000002801400FF010F000101000000000001000_
000000200600004000000000014008D01020001010000000000050B00000000001800FD0102000020000000000_
05200000002C02000000001800FF010F000102000000000005200000002002000000001400FD01020001010000_
000000051200000010100000000000512000000010100000000000512000000
DnsCache服务:
reg add HKLM\System\CurrentControlSet\Services\dnscache\Security /v Security /t REG_BINARY /d _
01001480900000009C000000140000003000000002001C00010000002801400FF010F000101000000000001000_
000000200600004000000000014008D01020001010000000000050B00000000001800FD0102000020000000000_
05200000002C02000000001800FF010F000102000000000005200000002002000000001400FD01020001010000_
000000051200000010100000000000512000000010100000000000512000000
注意:出于可读性考虑,这些注册表项值中插入了“_”符号和回车。请删除该字符和回车以正确的执行命令。
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS06-011)以及相应补丁:
MS06-011:Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)
链接:http://www.microsoft.com/technet/security/Bulletin/MS06-011.mspx
匿名 兑换漏洞详情
京公网安备 11010502034610号
暂无评论