Microsoft's .NET component has a serious overflow vulnerability, and every operating system that has the .NET component installed is affected. In other words, the Windows XP and Windows 7 systems we use most, and the Windows 2003 and Windows 2008 systems most commonly used on web servers, are not spared. So what does this vulnerability mean for hackers, and what kind of turmoil will it set off in the security industry? Read on.
★ Editor's note: The harm of local privilege elevation
This .NET overflow vulnerability does not allow remote code execution; it is only a local overflow, but a successful overflow yields system administrator rights. Put simply, it is a local privilege elevation vulnerability. So what is a local privilege elevation vulnerability?
Windows has the concept of "permissions". Besides the administrator rights we normally use, there are also ordinary user rights. As the name implies, user rights are lower than administrator rights, and the operations they allow are far fewer: a plain user cannot change system settings, install software or create users. For a hacker, if the account he has obtained has only user rights, the Trojan he uploads will not be able to run (a Trojan needs to modify system settings); the meat is in his hand but he cannot eat it, which is painful indeed.
A privilege elevation vulnerability does the hacker a great favour: through it he can turn an account that originally had only user rights into a system administrator, and then create accounts, install Trojans and so on. For web servers, a local privilege elevation vulnerability is a disaster. When a hacker exploits a flaw in a website's program to get a webshell on the server, he has only ordinary user rights and can operate only on the website's files, so the security of the server itself is not affected. With a local privilege elevation vulnerability, he can obtain the server's permissions and compromise the entire server.
0day vulnerabilities are generally published by a few top hackers, who publish the code used to test the vulnerability at the same time. For this .NET overflow vulnerability they published the attack code but did not provide a ready-made attack program, so in this case we can only compile it ourselves, and in doing so we can see how a 0day attack program is born.
Because the test code for this vulnerability is written in C, we need Cygwin (a tool for compiling C code) to compile it. Cygwin can be downloaded online and is about 200 MB in size. Run Setup and in the first step select "Install from Local Directory"; keep the defaults for the next few steps until the last step, where the installation parameter must be set to "Install" so that Cygwin is installed completely, otherwise you will not be able to use the GCC compiler.
▲ Installation Cygwin
Once installation is complete, go into the Cygwin installation directory; under its home directory there is a folder named after the current user name, and the overflow code is placed there for compiling. Save the overflow code (copied from the internet into Notepad) as test.c in that folder. Then run Cygwin.bat in the installation directory; a Cygwin shell window opens, in which you enter "gcc -o test.exe test.c". Press Enter and test.exe is generated in that user folder under home, and the attack program has been compiled.
▲ Test Attack Program
Once compilation is complete, we test the overflow program. The test is very simple: first log in to the system with a user-rights account, then run test.exe from the command prompt. The program adds an administrator user named "Servicehelper" with the password "ilov3coff33!" to the system. We can then log in with this account and so obtain system administrator privileges.
▲ Admin rights account has been established successfully
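As an added example from the defender's side (not part of the original article), the following PowerShell script audits a Windows host for the traces this test program leaves: an unexpected member of the local Administrators group and the account-creation and group-membership events in the Security log. It assumes Windows PowerShell 5.1 or later for Get-LocalGroupMember, an elevated session that can read the Security log, and a constructed baseline list of expected administrators.

```powershell
# Added example (not from the original article): audit local Administrators membership and
# recent account-creation events for signs of the privilege-elevation test described above.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) and an elevated session that can read
# the Security log. The baseline below is a constructed placeholder; adjust it for the host.
param(
    [string[]]$ExpectedAdmins = @("Administrator"),   # constructed baseline of known-good admins
    [int]$LookbackHours = 24
)

# 1. Any member of Administrators that is not in the baseline is suspicious.
$members = Get-LocalGroupMember -Group "Administrators"
foreach ($m in $members) {
    $name = ($m.Name -split '\\')[-1]   # strip the COMPUTERNAME\ prefix
    if ($ExpectedAdmins -notcontains $name) {
        Write-Warning "Unexpected local administrator: $($m.Name) (class: $($m.ObjectClass))"
    }
}

# 2. Account created (4720) and member added to a security-enabled local group (4732)
#    in the Security log. The article's test program creates "Servicehelper", so that
#    name is flagged explicitly; any other new account is still listed for review.
$filter = @{
    LogName   = "Security"
    Id        = 4720, 4732
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    $events = @()   # no matching events, or no rights to read the log
}
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 4720 carries the new account in TargetUserName; 4732 carries the group in
    # TargetUserName and the added member as a SID in MemberSid.
    $subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    if ($e.Id -eq 4720) {
        $flag = ""
        if ($data['TargetUserName'] -ieq "Servicehelper") { $flag = "  <-- matches the test account" }
        Write-Output ("{0} 4720 account created: {1} by {2}{3}" -f $e.TimeCreated, $data['TargetUserName'], $subject, $flag)
    } else {
        Write-Output ("{0} 4732 member {1} added to {2} by {3}" -f $e.TimeCreated, $data['MemberSid'], $data['TargetUserName'], $subject)
    }
}
```

A 4720 event whose subject is an ordinary user rather than an administrator is the signature of a local privilege elevation: a low-rights account should not be able to create users at all.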