Microsoft Windows 2000 Network DDE Escalated Privileges Vulnerability
BID:2341
Info
| Bugtraq ID: | 2341 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Feb 05 2001 12:00AM |
| Updated: | Feb 05 2001 12:00AM |
| Credit: | Discovered by DilDog <[email protected]> and posted in a Microsoft Security Bulletin (MS01-007) on Feb 5, 2001. |
| Vulnerable: | Microsoft Windows 2000 Server SP1, Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional SP1, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Advanced Server SP1, Microsoft Windows 2000 Advanced Server, Citrix MetaFrame |
| Not Vulnerable: | |
Discussion
Network DDE (Dynamic Data Exchange) allows processes to communicate across a network via a trusted share. Communication between processes is brokered by an IPC window owned by the Network DDE Agent. Using a window message such as WM_COPYDATA, a local user can send a message through the NetDDE Agent window to a trusted share, and the command associated with that share is then executed. Because the NetDDE Agent runs in the LOCAL SYSTEM context, this lets a local user specify arbitrary code to be run with SYSTEM privileges.
Exploit / POC
The following exploit has been provided by @stake:
http://www.atstake.com/research/advisories/2001/netddemsg.cpp
Solution / Fix
Solution:
Microsoft has released a patch (Microsoft Q285851) which rectifies this issue. The same package applies to all affected Windows 2000 editions:
- Microsoft Windows 2000 Professional: Microsoft Q285851, http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526
- Microsoft Windows 2000 Professional SP1: Microsoft Q285851, http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526
- Microsoft Windows 2000 Server: Microsoft Q285851, http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526
- Microsoft Windows 2000 Server SP1: Microsoft Q285851, http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526
- Microsoft Windows 2000 Advanced Server: Microsoft Q285851, http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526
- Microsoft Windows 2000 Advanced Server SP1: Microsoft Q285851, http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526
References
References:
- Microsoft Security Bulletin (MS01-007) (Microsoft)
- Microsoft Security Bulletin (MS01-007): Frequently Asked Questions (Microsoft)
- NetDDE Message Vulnerability (@stake)