Microsoft's Latest Security Vulnerability (KB958644): A Speculative Analysis of the Root Cause

The emergency update KB958644 released today caught my interest, and I really wanted to know what exactly caused Microsoft to make such a big blunder. Unfortunately, because the vendor (Microsoft) has acknowledged this as a critical security vulnerability, the site that reported the issue (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250) has already removed the detailed description of the vulnerability. That road is closed.
MS08-067 (http://support.microsoft.com/?kbid=958644) describes which systems and which specific files are affected. From it one can see that the main problem lies in the DLL Netapi32.dll. Every Netapi32.dll from version 5.0.2195.7203 in Microsoft Windows 2000 Service Pack 4 (not that earlier versions are unaffected, only that technical support begins with SP4) all the way through version 6.1.6801.4106 in Windows Vista, Windows Server 2008 and even Windows 7 Pre-Beta cannot escape this fate.
The important hint comes from the article Microsoft Security Bulletin MS08-067 – Critical (Vulnerability in Server Service Could Allow Remote Code Execution (958644)). It specifically points out that this vulnerability is so widespread that even a Server Core installation of Windows Server 2008 is exposed to a threat of the same severity level. This indicates that the vulnerability lies somewhere very fundamental.
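As an added example (not part of the original post), here is a defender-side PowerShell check that reports whether the KB958644 update is present, the local Netapi32.dll file version, and whether the Server service named in the bulletin is running. The function name Test-KB958644 and the NeedsAttention logic are my own; it assumes Windows PowerShell 2.0 or later, where Get-HotFix is available.

```powershell
# Added example, not code from the original post.
# Reports KB958644 status, the Netapi32.dll version and Server service state.
function Test-KB958644 {
    [CmdletBinding()]
    param(
        # Hotfix id taken from the post; parameterised so the check can be reused
        [string]$HotFixId = 'KB958644'
    )

    # The file the KB article names as the affected component
    $dll     = Join-Path $env:SystemRoot 'System32\netapi32.dll'
    $version = (Get-Item $dll).VersionInfo.FileVersion

    # Get-HotFix (Win32_QuickFixEngineering) errors when the id is absent;
    # with -ErrorAction Stop that becomes a catchable "not installed".
    $installed = $false
    try {
        $null = Get-HotFix -Id $HotFixId -ErrorAction Stop
        $installed = $true
    } catch {
        $installed = $false
    }

    # The bulletin title names the Server service; its service name is LanmanServer.
    $srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $serverRunning = ($null -ne $srv -and $srv.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Netapi32Version  = $version
        HotFixInstalled  = $installed
        ServerSvcRunning = $serverRunning
        # Attention is needed only when the exposed service runs and the fix is missing
        NeedsAttention   = ($serverRunning -and -not $installed)
    }
}

Test-KB958644 | Format-List
```

Get-HotFix only sees updates recorded in Win32_QuickFixEngineering, so on hosts patched through other channels compare the reported Netapi32Version against the file information table in the KB article as well.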
A Server Core installation is a minimal subset of the Server functionality. According to the article Compare Server Core Installation Options, a Server Core installation can install the following roles:

  • Active Directory Domain Services
  • Active Directory Lightweight Directory Services
  • DHCP Server
  • DNS Server
  • File Services
  • Hyper-V
  • Print Services
  • Web Services (IIS) without ASP.NET

Given that Windows 2000 is also a victim, the problem cannot be in Active Directory Lightweight Directory Services or Hyper-V.
The article Server Core Functions by DLL gives a detailed description of the functions in netapi32.dll.
I took the trouble to Google every API function mentioned. The vulnerable API must exist in every version of Windows since Windows 2000; an API such as DsGetDcCloseW, for which Microsoft's documentation states "Client: Requires Windows Vista or Windows XP. Server: Requires Windows Server 2008 or Windows Server 2003.", therefore cannot be related to the vulnerability.
The remaining suspect Windows APIs are these:

  • netapi32.dll DsAddressToSiteNamesA
  • netapi32.dll DsAddressToSiteNamesExA
  • netapi32.dll DsAddressToSiteNamesExW
  • netapi32.dll DsAddressToSiteNamesW
  • netapi32.dll DsDeregisterDnsHostRecordsA
  • netapi32.dll DsDeregisterDnsHostRecordsW
  • netapi32.dll DsEnumerateDomainTrustsA
  • netapi32.dll DsEnumerateDomainTrustsW
  • netapi32.dll DsGetDcNameA
  • netapi32.dll DsGetDcNameW
  • netapi32.dll DsGetDcOpenA
  • netapi32.dll DsGetDcOpenW
  • netapi32.dll DsGetDcSiteCoverageA
  • netapi32.dll DsGetDcSiteCoverageW
  • netapi32.dll DsGetSiteNameA
  • netapi32.dll DsGetSiteNameW
  • netapi32.dll DsMergeForestTrustInformationW
  • netapi32.dll DsRoleFreeMemory
  • netapi32.dll DsRoleGetPrimaryDomainInformation
  • netapi32.dll NetApiBufferAllocate
  • netapi32.dll NetApiBufferFree
  • netapi32.dll NetApiBufferReallocate
  • netapi32.dll NetApiBufferSize
  • netapi32.dll NetConnectionEnum
  • netapi32.dll NetDfsAdd
  • netapi32.dll NetDfsAddFtRoot
  • netapi32.dll NetDfsAddStdRoot
  • netapi32.dll NetDfsAddStdRootForced
  • netapi32.dll NetDfsEnum
  • netapi32.dll NetDfsGetClientInfo
  • netapi32.dll NetDfsGetInfo
  • netapi32.dll NetDfsRemove
  • netapi32.dll NetDfsRemoveFtRoot
  • netapi32.dll NetDfsRemoveStdRoot
  • netapi32.dll NetDfsSetClientInfo
  • netapi32.dll NetDfsSetInfo
  • netapi32.dll NetFileClose
  • netapi32.dll NetFileEnum
  • netapi32.dll NetFileGetInfo
  • netapi32.dll NetGetAnyDCName
  • netapi32.dll NetGetDCName
  • netapi32.dll NetGetDisplayInformationIndex
  • netapi32.dll NetGetJoinableOUs
  • netapi32.dll NetGetJoinInformation
  • netapi32.dll NetGroupAdd
  • netapi32.dll NetGroupAddUser
  • netapi32.dll NetGroupDel
  • netapi32.dll NetGroupDelUser
  • netapi32.dll NetGroupEnum
  • netapi32.dll NetGroupGetInfo
  • netapi32.dll NetGroupGetUsers
  • netapi32.dll NetGroupSetInfo
  • netapi32.dll NetGroupSetUsers
  • netapi32.dll NetLocalGroupAdd
  • netapi32.dll NetLocalGroupAddMembers
  • netapi32.dll NetLocalGroupDel
  • netapi32.dll NetLocalGroupDelMembers
  • netapi32.dll NetLocalGroupEnum
  • netapi32.dll NetLocalGroupGetInfo
  • netapi32.dll NetLocalGroupGetMembers
  • netapi32.dll NetLocalGroupSetInfo
  • netapi32.dll NetLocalGroupSetMembers
  • netapi32.dll NetQueryDisplayInformation
  • netapi32.dll NetRemoteComputerSupports
  • netapi32.dll NetRemoteTOD
  • netapi32.dll NetRenameMachineInDomain
  • netapi32.dll NetScheduleJobAdd
  • netapi32.dll NetScheduleJobDel
  • netapi32.dll NetScheduleJobEnum
  • netapi32.dll NetScheduleJobGetInfo
  • netapi32.dll NetServerComputerNameAdd
  • netapi32.dll NetServerComputerNameDel
  • netapi32.dll NetServerDiskEnum
  • netapi32.dll NetServerEnum
  • netapi32.dll NetServerGetInfo
  • netapi32.dll NetServerSetInfo
  • netapi32.dll NetServerTransportAdd
  • netapi32.dll NetServerTransportAddEx
  • netapi32.dll NetServerTransportDel
  • netapi32.dll NetServerTransportEnum
  • netapi32.dll NetSessionDel
  • netapi32.dll NetSessionEnum
  • netapi32.dll NetSessionGetInfo
  • netapi32.dll NetShareAdd
  • netapi32.dll NetShareCheck
  • netapi32.dll NetShareDel
  • netapi32.dll NetShareEnum
  • netapi32.dll NetShareGetInfo
  • netapi32.dll NetShareSetInfo
  • netapi32.dll NetStatisticsGet
  • netapi32.dll NetUnjoinDomain
  • netapi32.dll NetUseAdd
  • netapi32.dll NetUseDel
  • netapi32.dll NetUseEnum
  • netapi32.dll NetUseGetInfo
  • netapi32.dll NetUserAdd
  • netapi32.dll NetUserChangePassword
  • netapi32.dll NetUserDel
  • netapi32.dll NetUserEnum
  • netapi32.dll NetUserGetGroups
  • netapi32.dll NetUserGetInfo
  • netapi32.dll NetUserGetLocalGroups
  • netapi32.dll NetUserModalsGet
  • netapi32.dll NetUserModalsSet
  • netapi32.dll NetUserSetGroups
  • netapi32.dll NetUserSetInfo
  • netapi32.dll NetValidatePasswordPolicy
  • netapi32.dll NetWkstaGetInfo
  • netapi32.dll NetWkstaSetInfo
  • netapi32.dll NetWkstaTransportAdd
  • netapi32.dll NetWkstaTransportDel
  • netapi32.dll NetWkstaTransportEnum
  • netapi32.dll NetWkstaUserEnum
  • netapi32.dll NetWkstaUserGetInfo
  • netapi32.dll NetWkstaUserSetInfo

From here on, all I can do is guess…
Based on the clues above, I speculate that the root cause of the massive KB958644 vulnerability may lie in one of the following:

  • File sharing and discovery (shared printers, etc.)
  • Active Directory directory services
