Vulnerabilities > CVE-2002-0367 - Unspecified vulnerability in Microsoft Windows 2000 and Windows NT

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
microsoft
nessus
exploit available
NVD
Published: 2002-06-25
Updated: 2024-07-16

Summary

smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Exploit-Db

descriptionMicrosoft Windows 2000 / NT 4.0 Process Handle Local Privilege Elevation Vulnerability. CVE-2002-0367. Local exploit for windows platform
idEDB-ID:21344
last seen2016-02-02
modified2002-03-13
published2002-03-13
reporterEliCZ
sourcehttps://www.exploit-db.com/download/21344/
titleMicrosoft Windows 2000 / NT 4.0 - Process Handle Local Privilege Elevation Vulnerability

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS02-024.NASL
descriptionThe remote host contains a flaw in the Windows Debugger that could allow a local user to elevate his privileges. To exploit this vulnerability, a user needs to send a specially crafted code to the Debbuging handler to execute arbitrary code with SYSTEM privileges.
last seen2020-06-01
modified2020-06-02
plugin id10964
published2002-05-23
reporterThis script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10964
titleMS02-024: Windows Debugger flaw can Lead to Elevated Privileges (320206)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(10964);
 script_version("1.40");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2002-0367");
 script_bugtraq_id(4287);
 script_xref(name:"MSFT", value:"MS02-024");
 script_xref(name:"MSKB", value:"320206");

 script_name(english:"MS02-024: Windows Debugger flaw can Lead to Elevated Privileges (320206)");
 script_summary(english:"Checks for MS Hotfix Q320206, Elevated Privilege");

 script_set_attribute(attribute:"synopsis", value:"A local user can elevate his privileges.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a flaw in the Windows Debugger that could
allow a local user to elevate his privileges.

To exploit this vulnerability, a user needs to send a specially crafted
code to the Debbuging handler to execute arbitrary code with SYSTEM
privileges.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-024");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT and 2000.");
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/03/14");
 script_set_attribute(attribute:"patch_publication_date", value:"2002/05/22");
 script_set_attribute(attribute:"plugin_publication_date", value:"2002/05/23");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS02-024';
kb = '320206';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(nt:'6', win2k:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.0", file:"Smss.exe", version:"5.0.2195.5695", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Smss.exe", version:"4.0.1381.7152", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2018-09-11T10:00:00.000-05:00
    classvulnerability
    contributors
    • nameTiffany Bergeron
      organizationThe MITRE Corporation
    • nameJonathan Baker
      organizationThe MITRE Corporation
    definition_extensions
    commentMicrosoft Windows NT is installed
    ovaloval:org.mitre.oval:def:36
    descriptionsmss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.
    familywindows
    idoval:org.mitre.oval:def:158
    statusaccepted
    submitted2003-04-04T12:00:00.000-04:00
    titleWindows NT Process Handle Duplication Privilege Escalation
    version70
  • accepted2011-05-16T04:03:26.169-04:00
    classvulnerability
    contributors
    • nameTiffany Bergeron
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionsmss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.
    familywindows
    idoval:org.mitre.oval:def:76
    statusaccepted
    submitted2003-04-04T12:00:00.000-04:00
    titleWindows 2000 Process Handle Duplication Privilege Escalation
    version69

References