SoFunction
Updated on 2025-04-13

Using a vulnerability to escalate computer control permissions

A security issue has been reported in Windows COM structured storage handling: local or remote attackers can use this vulnerability to escalate privileges or execute arbitrary instructions. A logged-in user can take advantage of the way the system and programs handle COM structured storage files to gain full control of the system.

Security bulletin

This is a privilege escalation vulnerability. An attacker who successfully exploits it gains complete control over the affected system and can then install programs; view, change, or delete data; or create a new account with full user rights. To exploit this vulnerability, an attacker must be able to log in to the system locally and run a program.

Affected systems include Windows 2000 (SP3, SP4), Windows XP (SP1, SP2), Windows 2003, Windows 98 and other operating systems. Office XP, Office 2003 and other office software that uses the Windows OLE components is also affected.

How the vulnerability arises

The flaw lies in a repair tool for Windows Web folders. When the component is uninstalled, a permission problem causes an error and a prompt window pops up. At this point the thread is suspended, and early in the creation of a new thread a heap object is created that can be written to. An attacker uses this write opportunity to place prepared shellcode in the object, so that the attacker's own shellcode is executed.

Tip: Shellcode is a set of machine code that performs the functions the attacker wants; it is usually stored as a hexadecimal array.

Privilege escalation in practice

We will use this vulnerability to carry out a local privilege escalation experiment and a remote privilege escalation experiment.

First open a command prompt window, run the exploit tool and view its usage instructions (Figure 1). As the figure shows, the instructions for this tool are very detailed; it executes different commands depending on the operating system.

On Windows 2000 (SP4) the tool can obtain an interactive shell, while on the other affected systems only non-interactive commands can be executed. In the two commands shown in Figure 1, the first parameter is the installation path of the component (which differs between operating systems), and the following parameter is the command to be executed.

1. Local privilege escalation


Let's first look at local exploitation of the COM remote buffer overflow vulnerability.

On many computers in specific environments (such as school computer rooms and public places), administrators restrict what users can do in order to prevent certain operations, for example allowing only reading of existing files and not the creation of new ones. Through this vulnerability, however, a functionally restricted account can be raised to the highest administrator privileges.

First, log in as an ordinary (non-administrator) user.

The system on which we are raising permissions locally is Windows 2000, so we proceed as follows. Run the "cmd" command to open a command prompt window, then execute the "c:\ "c:\windows\system32\" "" command. After the tool's command executes successfully, a new command prompt window pops up (Figure 2). In this window we can execute any command.



Now that our account permissions have been raised, we can execute every command an administrator can, including installing programs, viewing, changing or deleting data, and creating new accounts with full user permissions.

2. Remote privilege escalation

With the local privilege escalation complete, let's look at how remote privilege escalation is performed.

Remote privilege escalation is a common step in an intrusion, because to fully control a remote computer the intruder needs a user account with very high permissions.

First, use NC to obtain a shell on the remote computer. Naturally, the permissions of this shell are limited. Now run the privilege escalation command " "c:\windows\system32\" "net localgroup administrators yonghu /add"". When the tool's command executes successfully, we obtain an administrator account named "yonghu".

A reminder: whatever version the remote system runs, do not execute and activate "". If that command runs, a command prompt window pops up on the desktop of the remote computer, which will alert the remote user. At the same time, the commands executed should not be too long; ordinary commands such as downloading files and adding users execute successfully.

The main reason for escalating permissions remotely is to upload programs with remote control functions, so that the remote system can be controlled easily. Once the remote privilege escalation is complete, the FTP command can be used to upload the remote control program.

To prevent this vulnerability from harming their systems, users should promptly install the patch released by Microsoft, which effectively prevents the vulnerability from being exploited.

Prevention method: The simplest and most secure way to prevent this vulnerability is to install the security patch released by Microsoft as soon as possible (download address: /china/technet/security/bulletin/ ).
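Beyond patching, the remote step above leaves a visible trace: a new member in the local Administrators group. The following is an added defensive example, not code from the original article; it parses the output of `net localgroup administrators` (format assumed from the English net.exe output, and the sample below is constructed) and flags members outside an approved baseline.

```python
# Added defensive example, not from the original article: parse the text that
# `net localgroup administrators` prints (format assumed from net.exe's
# English output; localized systems print different labels) and flag members
# outside an approved baseline, so an account such as "yonghu" added by the
# escalation step above stands out.

# Constructed sample output; on a live host feed in the real command output.
SAMPLE_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
yonghu
The command completed successfully.
"""

BASELINE = {"Administrator"}  # approved members, an assumption for this example


def parse_members(output: str) -> list[str]:
    """Return the member names listed below the dashed separator line."""
    members, in_members = [], False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("---"):
            in_members = True          # the member list starts after this line
            continue
        if not in_members or not stripped:
            continue
        if stripped.lower().startswith("the command completed"):
            break                       # trailer line ends the list
        members.append(stripped)
    return members


def unexpected_admins(output: str, baseline: set[str]) -> list[str]:
    """Members present in the group but absent from the baseline (case-insensitive)."""
    base = {m.lower() for m in baseline}
    return [m for m in parse_members(output) if m.lower() not in base]


for name in unexpected_admins(SAMPLE_OUTPUT, BASELINE):
    print("unexpected Administrators member:", name)
```

Run periodically against the live command output and alert on any non-empty result; account names are compared case-insensitively because Windows account names are not case-sensitive.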

Tips: What are permissions?

When using computers we often encounter the word "permission", especially now that Windows 2000/XP is used by more and more people. What exactly is a permission? In Windows, permissions are the mechanism for assigning and restricting rights to users of different levels. In Windows 2000/XP, permissions fall into seven main categories: full control, modify, read and execute, list folder contents, read, write, and special permissions. Full control includes the other six; holding it is equivalent to holding all six at once. Only administrators have this highest level of permission on the system.