Privilege elevation through the Windows COM structured storage vulnerability (with figures)

Source: Internet
Author: User
There is a security issue in the Windows COM subsystem that local or remote attackers can exploit to elevate privileges or execute arbitrary code. The affected operating systems and programs handle access to shared memory incorrectly when processing COM structured storage files; the result is a privilege elevation vulnerability that a logged-on user can exploit to take full control of the system.

Security bulletin

This is a privilege elevation vulnerability. An attacker who successfully exploits it can take full control of the affected system: install programs; view, change or delete data; or create new accounts with full user rights. To exploit it, the attacker must be able to log on to the system locally and run a program.

The affected systems include Windows 2000 (SP3, SP4), Windows XP (SP1, SP2), Windows Server 2003 and Windows 98. Applications that use the Windows OLE components, such as Office XP and Office 2003, are also affected.

How the vulnerability arises

Webfldrs.msi is the installer package for the Web Folders component in the Windows system directory, used to repair that component. When it is uninstalled, a permissions error makes the Windows Installer pop up a prompt window and suspend the thread that was doing the work. While that thread is suspended, a newly created thread allocates a heap object at the start of its work, and that object is writable; this gives the attacker the opportunity to write prepared shellcode into the object and have it executed.

Tip: shellcode is a sequence of machine code that performs the action the attacker wants; it is usually written down as an array of hexadecimal bytes.

Privilege elevation in practice

We will use this vulnerability for a local privilege elevation experiment and then for a remote one.

First, open a command prompt window, run the exploit tool and view its usage instructions (Figure 1). The usage text is detailed, and the tool can run different commands depending on the operating system.



On Windows 2000 SP4 the tool can give us an interactive shell; on the other affected systems only non-interactive commands can be run. In the two example commands shown in Figure 1, the first parameter is the installation path of the Webfldrs.msi component (the path differs between operating systems) and the second parameter is the command to execute.

1. Local privilege elevation


Let's first look at how the COM vulnerability is used locally.

On many computers in specific settings (school labs, machines in public places), administrators restrict what users may do, for example allowing them only to read existing files but not to create new ones. Through this vulnerability, such a restricted account can be elevated to full administrator privileges.

Log in as a normal user first (not an administrator).

The system we use for the local elevation is Windows 2000. Run cmd to open a command prompt window and execute:

c:\ms05012.exe c:\windows\system32\webfldrs.msi "cmd.exe"

The first argument is the path of Webfldrs.msi; on a default Windows 2000 installation the system directory is C:\WINNT rather than C:\Windows, so adjust the path accordingly (or use %SystemRoot%\system32\webfldrs.msi). After the command succeeds, a new command prompt window pops up (Figure 2). In this window we can execute any command.



Commands run from this new window execute with elevated privileges, so we can do everything an administrator can: install programs; view, change or delete data; create new accounts with full user rights; and so on.

2. Remote privilege elevation

With the local elevation done, let's look at how elevation is performed remotely.

Remote privilege elevation is a common step in an intrusion, because the attacker needs an account with very high privileges in order to fully control the remote computer.

First use nc to obtain a shell on the remote computer; naturally that shell's privileges are limited. Now run the elevation command:

ms05012.exe C:\windows\system32\webfldrs.msi "net localgroup Administrators Yonghu /add"

When the command succeeds, the account Yonghu is a member of the Administrators group. Note that net localgroup ... /add only adds an existing account to the group; if the account does not exist yet, create it first by running net user Yonghu <password> /add through the tool in the same way.

A reminder: whatever version the remote system runs, do not execute "cmd.exe" through the tool. That command pops up a command prompt window on the remote computer's desktop and will alert whoever is sitting at it. Also avoid long-running commands; short ones such as downloading a file or adding a user complete reliably.

The point of remote elevation is mainly to be able to upload a remote-control program so that we can control the remote system conveniently. Once elevation is complete, we can upload the remote-control program with the ftp command.
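The local and remote procedures above leave a recognisable trace in the process tree: the Web Folders installer package is started by an ordinary logged-on user, and shortly afterwards a SYSTEM process whose parent is the Windows Installer (msiexec.exe) starts cmd.exe or runs a net ... /add command. The following Python script is an added example of detection logic for that pattern; it is not part of the original article and not a tool by its author. The process-creation records are constructed for the example in a simplified CSV layout rather than any real event-log format, the user name, field names and the msiexec command lines are assumptions, and the script assumes PIDs are not reused within the window the log covers.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of process-creation records (NOT real Windows event-log
# output). Fields: time,user,pid,parent_pid,image,command_line.
# Paths use C:\WINNT, the Windows 2000 default system root.
SAMPLE_LOG = "\n".join([
    'time,user,pid,parent_pid,image,command_line',
    '10:00:00,LAB\\student,1100,800,C:\\WINNT\\explorer.exe,explorer.exe',
    '10:01:02,LAB\\student,1200,1100,C:\\WINNT\\system32\\cmd.exe,cmd.exe',
    '10:01:10,LAB\\student,1300,1200,C:\\ms05012.exe,'
    '"c:\\ms05012.exe c:\\winnt\\system32\\webfldrs.msi ""cmd.exe"""',
    # assumed: the tool asks the installer to uninstall the package
    '10:01:11,LAB\\student,1350,1300,C:\\WINNT\\system32\\msiexec.exe,'
    '"msiexec.exe /x c:\\winnt\\system32\\webfldrs.msi"',
    '10:01:12,NT AUTHORITY\\SYSTEM,900,600,C:\\WINNT\\system32\\msiexec.exe,msiexec.exe /V',
    '10:01:14,NT AUTHORITY\\SYSTEM,1400,900,C:\\WINNT\\system32\\cmd.exe,cmd.exe',
    '10:05:00,NT AUTHORITY\\SYSTEM,1500,900,C:\\WINNT\\system32\\net.exe,'
    'net localgroup Administrators Yonghu /add',
    # a legitimate administrator doing the same group change from the desktop
    '10:05:50,LAB\\admin,1650,800,C:\\WINNT\\explorer.exe,explorer.exe',
    '10:06:00,LAB\\admin,1600,1650,C:\\WINNT\\system32\\net.exe,'
    'net localgroup Administrators helpdesk /add',
]) + "\n"

SYSTEM_USER = "nt authority\\system"

# net localgroup Administrators <name> /add, or net user <name> [<password>] /add
ACCOUNT_CHANGE = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:localgroup\s+administrators\s+\S+|user\s+\S+(?:\s+\S+)?)\s+/add\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def parse_log(text):
    """Parse the CSV layout above into dicts with integer PIDs."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["pid"] = int(row["pid"])
        row["parent_pid"] = int(row["parent_pid"])
    return rows


def image_name(path):
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(text):
    rows = parse_log(text)
    by_pid = {row["pid"]: row for row in rows}   # assumes no PID reuse in the window
    findings = []
    for row in rows:
        cmd = row["command_line"]
        is_system = row["user"].lower() == SYSTEM_USER

        # Rule A: the Web Folders package started by a non-SYSTEM user. Repairing
        # Web Folders is rare, and the exploit tool always references it.
        if "webfldrs.msi" in cmd.lower() and not is_system:
            findings.append(Finding(row["pid"], "webfldrs-launch",
                                    f"{row['user']} ran: {cmd}"))

        # Rule B: a SYSTEM child of msiexec.exe starts a shell or changes accounts.
        # The payload run through the tool sits exactly there in the process tree.
        parent = by_pid.get(row["parent_pid"])
        if is_system and parent is not None and image_name(parent["image"]) == "msiexec.exe":
            if image_name(row["image"]) == "cmd.exe":
                findings.append(Finding(row["pid"], "installer-spawns-shell",
                                        f"cmd.exe under msiexec pid {parent['pid']}"))
            elif ACCOUNT_CHANGE.search(cmd):
                findings.append(Finding(row["pid"], "installer-account-change", cmd))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Rule B keys on the parent relationship rather than on net.exe alone, which is why the administrator's own group change from the desktop (pid 1600 in the sample) is not flagged while the same command under the SYSTEM installer process is.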

To keep this vulnerability from harming their systems, users should promptly install the patch Microsoft has released for it.

Defence: the simplest and safest defence against this vulnerability is to install the Microsoft security patch as soon as possible (download address: http://www.microsoft.com/china/technet/security/bulletin/ms05-012.mspx).

Sidebar: what are permissions?

In everyday computer use we often meet the word "permissions", especially now that Windows 2000/XP is used by more and more people. What exactly is a permission? In Windows, permissions are the mechanism for granting and restricting rights to users at different levels. On Windows 2000/XP, file and folder permissions fall into seven categories: Full Control, Modify, Read & Execute, List Folder Contents (folders only), Read, Write and Special Permissions. Full Control includes the other six; holding it is equivalent to holding all six at once. Only administrators hold the highest privileges in the system.
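As an added illustration of the sidebar (not from the article), the following Python function decodes a raw access mask from an NTFS ACE into the categories the Windows 2000/XP security dialog shows, in the same spirit as icacls printing (F), (M), (RX), (R) and (W), and shows that Full Control is a superset of every other category. The bit values are assumed from the Win32 SDK file access rights (FILE_READ_DATA and so on in winnt.h) and the standard rights; they are not stated in the article, so verify them against your SDK before relying on them.

```python
# Win32 file access-right bits (assumed from winnt.h, not from the article).
FILE_READ_DATA        = 0x00000001   # FILE_LIST_DIRECTORY on folders
FILE_WRITE_DATA       = 0x00000002   # FILE_ADD_FILE on folders
FILE_APPEND_DATA      = 0x00000004   # FILE_ADD_SUBDIRECTORY on folders
FILE_READ_EA          = 0x00000008
FILE_WRITE_EA         = 0x00000010
FILE_EXECUTE          = 0x00000020   # FILE_TRAVERSE on folders
FILE_DELETE_CHILD     = 0x00000040
FILE_READ_ATTRIBUTES  = 0x00000080
FILE_WRITE_ATTRIBUTES = 0x00000100
DELETE                = 0x00010000
READ_CONTROL          = 0x00020000
WRITE_DAC             = 0x00040000
WRITE_OWNER           = 0x00080000
SYNCHRONIZE           = 0x00100000

# The basic categories of the security dialog expressed as bit sets.
READ = FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | READ_CONTROL
WRITE = FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
READ_AND_EXECUTE = READ | FILE_EXECUTE
LIST_FOLDER_CONTENTS = READ_AND_EXECUTE        # same bits, shown for folders only
MODIFY = READ_AND_EXECUTE | WRITE | DELETE
FULL_CONTROL = 0x001F01FF                        # every bit defined above

# (name, bits, folders-only) in the order the dialog lists them.
CATEGORIES = [
    ("Full Control", FULL_CONTROL, False),
    ("Modify", MODIFY, False),
    ("Read & Execute", READ_AND_EXECUTE, False),
    ("List Folder Contents", LIST_FOLDER_CONTENTS, True),
    ("Read", READ, False),
    ("Write", WRITE, False),
]


def describe(mask, folder=False):
    """Return the category names an ACE access mask fully grants.

    SYNCHRONIZE is ignored, as the dialog's basic view ignores it. Granted bits
    that no listed category covers are reported as "Special Permissions"."""
    mask &= ~SYNCHRONIZE
    granted = []
    covered = 0
    for name, bits, folders_only in CATEGORIES:
        if folders_only and not folder:
            continue
        need = bits & ~SYNCHRONIZE
        if mask & need == need:
            granted.append(name)
            covered |= need
    if mask & ~covered:
        granted.append("Special Permissions")
    return granted


def full_control_includes(bits):
    """True if Full Control is a superset of the given permission bits."""
    return FULL_CONTROL & bits == bits


if __name__ == "__main__":
    for label, mask in [("Full Control", FULL_CONTROL), ("Modify", MODIFY),
                        ("Read + Delete", READ | DELETE)]:
        print(f"{label:14s} 0x{mask:08X} -> {describe(mask, folder=True)}")
```

Because the categories nest (Read is inside Read & Execute, which is inside Modify, which is inside Full Control), a mask that grants a higher category also reports every lower one, which is exactly what the dialog's checkboxes show; an odd combination such as Read plus DELETE comes out as Read with Special Permissions.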