From: ByteRage (byterage_at_yahoo.com)
Date: Thu Sep 12 2002 - 08:47:29 CDT
Hi all,
A few days ago, I found the following code fragment in
NETAPI32.DLL of my windows 2000sp2 system (and
NT4sp6):
---
778386B4 public NetpDbgPrint
778386B4 NetpDbgPrint proc near
778386B4
778386B4 var_400 = byte ptr -400h
778386B4 arg_0 = dword ptr 8
778386B4 arg_4 = byte ptr 0Ch
778386B4
778386B4 push ebp
778386B5 lea eax, [esp+arg_4]
778386B9 mov ebp, esp
778386BB sub esp, 400h
778386C1 push eax
778386C2 lea edx, [ebp+var_400]
778386C8 push [ebp+arg_0]
778386CB push edx
778386CC call ds:vsprintf
778386D2 add esp, 0Ch
778386D5 lea ecx, [ebp+var_400]
778386DB push ecx
778386DC push offset aS_18 ; "%s"
778386E1 call j_DbgPrint
778386E6 mov esp, ebp
778386E8 pop ebp
778386E9 retn
778386E9 NetpDbgPrint endp
---
This code makes it possible for any user to execute a program that will call NetpDbgPrint to inject code into the loaded NETAPI32.DLL by triggering a buffer overflow... However, if one tries to inject for example shellcode that would spawn a shell, then this shell wouldn't have administrator privileges... (I learned this the hard way :)
Now my question to this list is, what can be done with this bug? Is there a way of injecting code into NETAPI32.DLL to escalate privileges? Can this bug be considered a security vulnerability?
greetz, [ByteRage]
===== [ByteRage] http://www.byterage.cjb.net Key Server ID:0x4F9DBAC2
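The disassembly in the post formats the caller's arguments with an unbounded vsprintf into a 0x400-byte stack buffer (var_400) and then hands the result to DbgPrint through a fixed "%s" format. The C below is an editorial example added here, not code from the post or from NETAPI32.DLL: it shows the same helper written with a bounded vsnprintf so an over-long argument is truncated and reported instead of being written past the buffer onto the saved frame pointer and return address. The function name safe_dbg_print and the stderr sink are assumptions; as the poster observed, code reached through this function runs in the calling process with the caller's own token, so the defect is a memory-safety bug to fix, not by itself a privilege boundary crossing.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same size as var_400 in the disassembly: a 0x400-byte stack buffer. */
#define DBG_BUF_SIZE 0x400

/*
 * The pattern the disassembly implements, shown only for comparison
 * (unbounded write; this is the defect):
 *
 *     void NetpDbgPrint(const char *fmt, ...) {
 *         char buf[0x400];
 *         va_list ap; va_start(ap, fmt);
 *         vsprintf(buf, fmt, ap);     // no limit on how much is written
 *         va_end(ap);
 *         DbgPrint("%s", buf);
 *     }
 */

/*
 * Hardened equivalent (hypothetical name safe_dbg_print). vsnprintf is
 * told the buffer size, so output longer than the buffer is cut off and
 * NUL-terminated rather than overrunning buf. The formatted text is still
 * emitted through a fixed "%s" format, as the original does with
 * DbgPrint, so caller data is never interpreted as a format string.
 * Returns 1 if the message was truncated, 0 if it fit, -1 on a
 * formatting error (nothing is printed in that case).
 */
int safe_dbg_print(const char *fmt, ...)
{
    char buf[DBG_BUF_SIZE];
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);

    if (needed < 0) {
        return -1;
    }
    fprintf(stderr, "%s\n", buf);   /* stands in for DbgPrint("%s", buf) */
    return needed >= (int)sizeof buf;
}
```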