The emergency update KB958644 released today caught my interest; I very much wanted to know exactly what made Microsoft make such a big mess. Unfortunately, because the vendor (Microsoft) has acknowledged this as a serious security vulnerability, the site that raised the issue (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250) has removed the detailed description of the vulnerability. That road is closed.
MS08-067 (http://support.microsoft.com/?kbid=958644) describes which files on which systems are affected. From it one can see that the main problem lies in the DLL Netapi32.dll. It shows that from Netapi32.dll version 5.0.2195.7203 in Microsoft Windows 2000 Service Pack 4 (not that earlier releases are unaffected, but support only begins with SP4) all the way up to Netapi32.dll version 6.1.6801.4106 in Windows Vista, Windows Server 2008 and even Windows 7 Pre-Beta, none escapes this fate.
An important hint comes from the article Microsoft Security Bulletin MS08-067 – Critical (Vulnerability in Server Service Could Allow Remote Code Execution (958644)). It specifically points out that this vulnerability is so widespread that even a Server Core installation of Windows Server 2008 is exposed at the same severity level. This indicates that the vulnerability lies in something very fundamental.
A Server Core installation is a minimal subset of Server functionality; according to the article Compare Server Core Installation Options, a Server Core installation can install the following roles:
- Active Directory Domain Services
- Active Directory Lightweight Directory Services
- DHCP Server
- DNS Server
- File Services
- Hyper-V
- Print Services
- Web Services (IIS) without ASP.NET
Since Windows 2000 is also a victim, the problem cannot lie in Active Directory Lightweight Directory Services or Hyper-V.
The article Server Core Functions by DLL gives a detailed description of the functions exported by netapi32.dll.
I painstakingly Googled each API function it mentions. The vulnerable API must exist in every version of Windows since Windows 2000, so an API such as DsGetDcCloseW, for which Microsoft's documentation states "Client: Requires Windows Vista or Windows XP. Server: Requires Windows Server 2008 or Windows Server 2003.", cannot be related to the vulnerability.
The remaining suspicious Windows APIs are these:
- netapi32.dll DsAddressToSiteNamesA
- netapi32.dll DsAddressToSiteNamesExA
- netapi32.dll DsAddressToSiteNamesExW
- netapi32.dll DsAddressToSiteNamesW
- netapi32.dll DsDeregisterDnsHostRecordsA
- netapi32.dll DsDeregisterDnsHostRecordsW
- netapi32.dll DsEnumerateDomainTrustsA
- netapi32.dll DsEnumerateDomainTrustsW
- netapi32.dll DsGetDcNameA
- netapi32.dll DsGetDcNameW
- netapi32.dll DsGetDcOpenA
- netapi32.dll DsGetDcOpenW
- netapi32.dll DsGetDcSiteCoverageA
- netapi32.dll DsGetDcSiteCoverageW
- netapi32.dll DsGetSiteNameA
- netapi32.dll DsGetSiteNameW
- netapi32.dll DsMergeForestTrustInformationW
- netapi32.dll DsRoleFreeMemory
- netapi32.dll DsRoleGetPrimaryDomainInformation
- netapi32.dll NetApiBufferAllocate
- netapi32.dll NetApiBufferFree
- netapi32.dll NetApiBufferReallocate
- netapi32.dll NetApiBufferSize
- netapi32.dll NetConnectionEnum
- netapi32.dll NetDfsAdd
- netapi32.dll NetDfsAddFtRoot
- netapi32.dll NetDfsAddStdRoot
- netapi32.dll NetDfsAddStdRootForced
- netapi32.dll NetDfsEnum
- netapi32.dll NetDfsGetClientInfo
- netapi32.dll NetDfsGetInfo
- netapi32.dll NetDfsRemove
- netapi32.dll NetDfsRemoveFtRoot
- netapi32.dll NetDfsRemoveStdRoot
- netapi32.dll NetDfsSetClientInfo
- netapi32.dll NetDfsSetInfo
- netapi32.dll NetFileClose
- netapi32.dll NetFileEnum
- netapi32.dll NetFileGetInfo
- netapi32.dll NetGetAnyDCName
- netapi32.dll NetGetDCName
- netapi32.dll NetGetDisplayInformationIndex
- netapi32.dll NetGetJoinableOUs
- netapi32.dll NetGetJoinInformation
- netapi32.dll NetGroupAdd
- netapi32.dll NetGroupAddUser
- netapi32.dll NetGroupDel
- netapi32.dll NetGroupDelUser
- netapi32.dll NetGroupEnum
- netapi32.dll NetGroupGetInfo
- netapi32.dll NetGroupGetUsers
- netapi32.dll NetGroupSetInfo
- netapi32.dll NetGroupSetUsers
- netapi32.dll NetLocalGroupAdd
- netapi32.dll NetLocalGroupAddMembers
- netapi32.dll NetLocalGroupDel
- netapi32.dll NetLocalGroupDelMembers
- netapi32.dll NetLocalGroupEnum
- netapi32.dll NetLocalGroupGetInfo
- netapi32.dll NetLocalGroupGetMembers
- netapi32.dll NetLocalGroupSetInfo
- netapi32.dll NetLocalGroupSetMembers
- netapi32.dll NetQueryDisplayInformation
- netapi32.dll NetRemoteComputerSupports
- netapi32.dll NetRemoteTOD
- netapi32.dll NetRenameMachineInDomain
- netapi32.dll NetScheduleJobAdd
- netapi32.dll NetScheduleJobDel
- netapi32.dll NetScheduleJobEnum
- netapi32.dll NetScheduleJobGetInfo
- netapi32.dll NetServerComputerNameAdd
- netapi32.dll NetServerComputerNameDel
- netapi32.dll NetServerDiskEnum
- netapi32.dll NetServerEnum
- netapi32.dll NetServerGetInfo
- netapi32.dll NetServerSetInfo
- netapi32.dll NetServerTransportAdd
- netapi32.dll NetServerTransportAddEx
- netapi32.dll NetServerTransportDel
- netapi32.dll NetServerTransportEnum
- netapi32.dll NetSessionDel
- netapi32.dll NetSessionEnum
- netapi32.dll NetSessionGetInfo
- netapi32.dll NetShareAdd
- netapi32.dll NetShareCheck
- netapi32.dll NetShareDel
- netapi32.dll NetShareEnum
- netapi32.dll NetShareGetInfo
- netapi32.dll NetShareSetInfo
- netapi32.dll NetStatisticsGet
- netapi32.dll NetUnjoinDomain
- netapi32.dll NetUseAdd
- netapi32.dll NetUseDel
- netapi32.dll NetUseEnum
- netapi32.dll NetUseGetInfo
- netapi32.dll NetUserAdd
- netapi32.dll NetUserChangePassword
- netapi32.dll NetUserDel
- netapi32.dll NetUserEnum
- netapi32.dll NetUserGetGroups
- netapi32.dll NetUserGetInfo
- netapi32.dll NetUserGetLocalGroups
- netapi32.dll NetUserModalsGet
- netapi32.dll NetUserModalsSet
- netapi32.dll NetUserSetGroups
- netapi32.dll NetUserSetInfo
- netapi32.dll NetValidatePasswordPolicy
- netapi32.dll NetWkstaGetInfo
- netapi32.dll NetWkstaSetInfo
- netapi32.dll NetWkstaTransportAdd
- netapi32.dll NetWkstaTransportDel
- netapi32.dll NetWkstaTransportEnum
- netapi32.dll NetWkstaUserEnum
- netapi32.dll NetWkstaUserGetInfo
- netapi32.dll NetWkstaUserSetInfo
From here on, one can only guess...
Based on the clues above, my guess is that the KB958644 mega-vulnerability is rooted in one of the following:
- File sharing and discovery (shared printers, etc.)
- Active Directory directory services
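Whatever the root cause turns out to be, the practical question for an administrator is whether a given host has the update. The following PowerShell check is an added example, not part of the original post or of Microsoft's material; it assumes a PowerShell host where Get-HotFix is available (PowerShell 3.0 or later) and that the Server service is registered under its usual name LanmanServer.

```powershell
# Added example (not from the original post): report whether this host has the
# KB958644 update installed, which Netapi32.dll version it carries, and whether
# the Server service named in the bulletin (LanmanServer) is running.
function Get-MS08067Status {
    $dll = Join-Path $env:SystemRoot 'System32\netapi32.dll'
    $version = (Get-Item -Path $dll).VersionInfo.FileVersion

    # Get-HotFix returns nothing (and no error) when the update is not installed.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue

    $server = Get-Service -Name 'LanmanServer' -ErrorAction SilentlyContinue
    if ($server) { $serverStatus = $server.Status } else { $serverStatus = 'NotFound' }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        NetapiVersion     = $version
        KB958644Installed = [bool]$hotfix
        ServerService     = $serverStatus
    }
}

Get-MS08067Status | Format-List
```

On Windows releases that shipped after the fix, Get-HotFix will not list KB958644 at all, so an empty result is only meaningful on the builds the bulletin names as affected.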