CVE-2002-1230 - Privilege Escalation vulnerability in Microsoft Windows 2000 and Windows 2000 Terminal Services

CVSS 4.6 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: local, low complexity, microsoft, nessus, exploit available

Summary

NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation."

Vulnerable Configurations

Part   Description   Count
OS     Microsoft     8

Exploit-Db

  • description: MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (1). CVE-2002-1230. Local exploit for windows platform
    id: EDB-ID:21684
    last seen: 2016-02-02
    modified: 2002-08-06
    published: 2002-08-06
    reporter: sectroyer
    source: https://www.exploit-db.com/download/21684/
    title: Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error Vulnerability 1
  • description: MS Windows XP/2000/NT 4 NetDDE Privilege Escalation Vulnerability (2). CVE-2002-1230. Local exploit for windows platform
    id: EDB-ID:21923
    last seen: 2016-02-02
    modified: 2002-10-09
    published: 2002-10-09
    reporter: Serus
    source: https://www.exploit-db.com/download/21923/
    title: Microsoft Windows 2000/XP/NT 4 - NetDDE Privilege Escalation Vulnerability 2
  • description: MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (5). CVE-2002-1230. Local exploit for windows platform
    id: EDB-ID:21688
    last seen: 2016-02-02
    modified: 2002-08-06
    published: 2002-08-06
    reporter: Oliver Lavery
    source: https://www.exploit-db.com/download/21688/
    title: Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error Vulnerability 5
  • description: MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (3). CVE-2002-1230. Local exploit for windows platform
    id: EDB-ID:21686
    last seen: 2016-02-02
    modified: 2002-08-06
    published: 2002-08-06
    reporter: Brett Moore
    source: https://www.exploit-db.com/download/21686/
    title: Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error Vulnerability 3
  • description: MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (7). CVE-2002-1230. Local exploit for windows platform
    id: EDB-ID:21690
    last seen: 2016-02-02
    modified: 2002-08-06
    published: 2002-08-06
    reporter: Ovidio Mallo
    source: https://www.exploit-db.com/download/21690/
    title: Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error Vulnerability 7
  • description: MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (2). CVE-2002-1230. Local exploit for windows platform
    id: EDB-ID:21685
    last seen: 2016-02-02
    modified: 2002-08-06
    published: 2002-08-06
    reporter: Oliver Lavery
    source: https://www.exploit-db.com/download/21685/
    title: Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error Vulnerability 2
  • description: MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (8). CVE-2002-1230. Local exploit for windows platform
    id: EDB-ID:21691
    last seen: 2016-02-02
    modified: 2002-08-06
    published: 2002-08-06
    reporter: anonymous
    source: https://www.exploit-db.com/download/21691/
    title: Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error Vulnerability 8
  • description: MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (4). CVE-2002-1230. Local exploit for windows platform
    id: EDB-ID:21687
    last seen: 2016-02-02
    modified: 2002-08-06
    published: 2002-08-06
    reporter: Brett Moore
    source: https://www.exploit-db.com/download/21687/
    title: Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error Vulnerability 4
  • description: MS Windows XP/2000/NT 4 NetDDE Privilege Escalation Vulnerability (1). CVE-2002-1230. Local exploit for windows platform
    id: EDB-ID:21922
    last seen: 2016-02-02
    modified: 2002-10-09
    published: 2002-10-09
    reporter: Serus
    source: https://www.exploit-db.com/download/21922/
    title: Microsoft Windows 2000/XP/NT 4 - NetDDE Privilege Escalation Vulnerability 1
  • description: MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (6). CVE-2002-1230. Local exploit for windows platform
    id: EDB-ID:21689
    last seen: 2016-02-02
    modified: 2002-08-06
    published: 2002-08-06
    reporter: Brett Moore
    source: https://www.exploit-db.com/download/21689/
    title: Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error Vulnerability 6

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS02-071.NASL
description: The remote version of Windows contains a flaw in the handling of WM_TIMER messages for interactive processes that could allow a local user to execute arbitrary code on the remote host with SYSTEM privileges.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11191
published: 2002-12-12
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11191
title: MS02-071: WM_TIMER Message Handler Privilege Elevation (328310)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(11191);
 script_version("1.42");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2002-1230");
 script_bugtraq_id(5927);
 script_xref(name:"MSFT", value:"MS02-071");
 script_xref(name:"MSKB", value:"328310");

 script_name(english:"MS02-071: WM_TIMER Message Handler Privilege Elevation (328310)");
 script_summary(english:"Checks Registry for WM_TIMER Privilege Elevation Hotfix (328310)");

 script_set_attribute(attribute:"synopsis", value:"Local users can elevate their privileges on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a flaw in the handling of
WM_TIMER messages for interactive processes that could allow a local
user to execute arbitrary code on the remote host with the SYSTEM
privileges.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-071");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT, XP and 2000.");
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/06");
 script_set_attribute(attribute:"patch_publication_date", value:"2002/12/11");
 script_set_attribute(attribute:"plugin_publication_date", value:"2002/12/12");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS02-071';
kb = '328310';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(nt:'6', win2k:'2,3', xp:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"User32.dll", version:"5.1.2600.1134", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:0, file:"User32.dll", version:"5.1.2600.104", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"User32.dll", version:"5.0.2195.6097", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"User32.dll", version:"4.0.1381.7202", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"User32.dll", version:"4.0.1381.33544", min_version:"4.0.1381.33000", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted: 2008-03-24T04:00:50.022-04:00
class: vulnerability
contributors:
  • name: Ingrid Skoog
    organization: The MITRE Corporation
  • name: Jeff Cheng
    organization: Opsware, Inc.
  • name: Jonathan Baker
    organization: The MITRE Corporation
  • name: Jonathan Baker
    organization: The MITRE Corporation
definition_extensions:
  comment: Microsoft Windows NT is installed
  oval: oval:org.mitre.oval:def:36
description: NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation."
family: windows
id: oval:org.mitre.oval:def:681
status: accepted
submitted: 2004-08-24T12:00:00.000-04:00
title: Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation
version: 75