A Close Look at the Microsoft .NET Local Privilege Escalation Vulnerability

Source: Internet
Author: User

 

Microsoft's .NET component has a severe overflow vulnerability. Any operating system with the .NET component installed is affected, which is to say that Windows XP, Windows 7, Windows 2003 and Windows 2008, the most widely used website server platforms, cannot be spared. So what does this vulnerability mean for hackers, and what kind of storm will the network security community face? Read on.

★Editor's note: the dangers of local privilege escalation

This .NET overflow vulnerability does not allow remote code execution; it is only a local overflow, but once exploited it yields system administrator privileges. Put simply, it is a local privilege escalation vulnerability. So what are the risks of a local privilege escalation vulnerability?

Windows has the concept of "permissions". Besides the administrator permissions we usually use, there are also ordinary user permissions. As the name suggests, a user's permissions are lower than an administrator's, and fewer operations are allowed: a user cannot change system settings, install software or create users, for example. If a hacker only obtains a user-level account on the target, the uploaded Trojan cannot run (the Trojan needs to modify system settings); the prize is in hand but cannot be enjoyed, which is painful indeed.

A privilege escalation vulnerability is a great help to hackers. By exploiting it, they can raise an ordinary user account to system administrator, then create accounts and install Trojans. For website servers, a local privilege escalation vulnerability is a disaster. After a hacker obtains a webshell on the server by exploiting a vulnerability in the website's code, they have only ordinary user permissions and can only operate on the website's files, which does not affect the security of the server itself. By exploiting a local privilege escalation vulnerability, the attacker can gain control of the server and intrude into the entire machine.

0-day vulnerabilities are generally published by hackers, who also release the code used to test them. The same is true of this .NET overflow vulnerability: the attack code was published, but no ready-made attack program was provided. In this case we can only compile the program ourselves, and in doing so we also get to see how a 0-day attack program is born.

Because the test code for this vulnerability is written in C, we need cygwin (a C compilation toolchain for Windows) to compile it. Cygwin can be downloaded from the Internet; it is about 200 MB. Run the installer, select "Install from Local Directory" in the first step, and keep the defaults on the following steps. In the package selection step, set the category to "Install" so that cygwin is installed in full, and continue to the last step; otherwise the GCC compiler in cygwin cannot be used.

▲Install cygwin

After the installation completes, go to the installation directory. Under the home directory there is a folder named after the current user; we will put the overflow program's code there for compilation. Copy the code from the Internet, save it with Notepad as test.c, and place it in that folder. Then run cygwin.bat in the installation directory and, at the cygwin prompt, enter "gcc -o test.exe test.c". After you press Enter, test.exe is generated in the home\USERNAME\ folder, and the compilation of the attack program is complete.

▲Test the attack program

After compilation we test the overflow program. The test environment is very simple: log on to the system with an ordinary user account and run test.exe from the command prompt. Once it has run, the program adds an account named "ServiceHelper" to the system with the password "ILov3Coff33!". We can then log on with this account and obtain administrator privileges on the system.

▲The Administrator account has been created successfully.
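The account creation described above is also the trace a defender should be watching for: a local privilege escalation that ends in a new administrator leaves an account-created event followed almost immediately by an add-to-Administrators event, performed from a context that should not have been able to do either. The Python script below is an added example, not code from the article, and runs over constructed records modelled loosely on Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group); the field names, the host name WEB01, the user names and the `KNOWN_ADMINS` allow-list are assumptions for the example, not the real event schema. It correlates the two events by account name and flags pairs that fall within a short window, raising the severity when the subject that made the change is not a known administrator.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled loosely on Windows Security log events
# 4720 (user account created) and 4732 (member added to a security-enabled
# local group). Field names are simplified for this example; real events
# identify the member by SID and use a different schema.
SAMPLE_EVENTS = [
    {"time": "2010-01-10T09:00:01", "id": 4624, "subject": "WEB01\\webuser",
     "target": "webuser", "group": None},
    # The pattern the article describes: an account appears and is made an
    # administrator one second later, from an ordinary user's session.
    {"time": "2010-01-10T09:05:12", "id": 4720, "subject": "WEB01\\webuser",
     "target": "ServiceHelper", "group": None},
    {"time": "2010-01-10T09:05:13", "id": 4732, "subject": "WEB01\\webuser",
     "target": "ServiceHelper", "group": "Administrators"},
    # Routine administration: created one day, promoted the next (no alert).
    {"time": "2010-01-10T14:30:00", "id": 4720, "subject": "WEB01\\Administrator",
     "target": "backupsvc", "group": None},
    {"time": "2010-01-11T08:00:00", "id": 4732, "subject": "WEB01\\Administrator",
     "target": "backupsvc", "group": "Administrators"},
    # Fast create-and-promote by a known administrator: worth a look, lower severity.
    {"time": "2010-01-11T09:00:00", "id": 4720, "subject": "WEB01\\Administrator",
     "target": "auditsvc", "group": None},
    {"time": "2010-01-11T09:01:00", "id": 4732, "subject": "WEB01\\Administrator",
     "target": "auditsvc", "group": "Administrators"},
]

# Assumed site-specific allow-list of accounts expected to administer the host.
KNOWN_ADMINS = {"WEB01\\Administrator"}
WINDOW = timedelta(minutes=5)


def find_suspicious_admin_creations(events, window=WINDOW, known_admins=KNOWN_ADMINS):
    """Correlate 4720 and 4732 events by target account.

    Returns one alert per account that was created and then added to the local
    Administrators group within `window`. Severity is "high" when the subject
    that performed the change is not a known administrator (what a successful
    local privilege escalation looks like in the log), "medium" otherwise.
    """
    created = {}   # target account -> (creation time, subject)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (t, ev["subject"])
        elif ev["id"] == 4732 and ev["group"] == "Administrators":
            if ev["target"] not in created:
                continue  # promotion of a pre-existing account; out of scope here
            t0, subject = created.pop(ev["target"])
            if t - t0 > window:
                continue  # created long before promotion; treat as routine
            alerts.append({
                "account": ev["target"],
                "subject": subject,
                "seconds_between": (t - t0).total_seconds(),
                "severity": "high" if subject not in known_admins else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_admin_creations(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['account']} created and "
              f"added to Administrators {alert['seconds_between']:.0f}s later "
              f"by {alert['subject']}")
```

Run as-is, the script reports the ServiceHelper pair as high severity and the auditsvc pair as medium, while the backupsvc account, promoted a day after creation, produces nothing. On a real host the same correlation would be fed from the Security log rather than the embedded list, and the allow-list would come from the site's change records.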
