|Microsoft Windows服务宽松DACL导致权限提升漏洞（MS06-011）

Microsoft Windows服务宽松DACL导致权限提升漏洞（MS06-011）

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

Microsoft Windows是微软发布的非常流行的操作系统。 Windows XP Service Pack 1对一些Windows服务的访问权限设置存在漏洞，本地攻击者可能利用此漏洞在主机上提升自己的权限。默认下Windows XP Service Pack 1上的一些Windows服务（SSDPSRV、NetBT、UPnPHost、ScardSvr、DHCP和DnsCache）所设置的权限级别可能允许低特权用户更改与该服务关联的属性；Windows 2003上的一些服务（NetBT、DnsCache和DHCP）所设置的权限级别可能允许属于Network Configuration Operators组的用户更改与该服务关联的属性。仅目标计算机上网络操作员组的成员可以远程攻击Windows Server2003，此组默认下不包含任何用户。该漏洞可能允许具有有效的登录凭据的用户完全控制Microsoft Windows XP Service Pack 1上的系统。 Microsoft Windows XP SP1 Microsoft Windows Server 2003 临时解决方法： * 使用sc.exe命令修改识别出的有漏洞服务的访问控制: 对于Windows XP Service Pack 1，运行以下命令。每个命令都修改了与受影响服务相关的DACL。 sc sdset ssdpsrv D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;LS) sc sdset netbt D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;DT;;;LS)(A;;DT;;;NS)(A;;CCLCSWRPLOCRRC;;;NO) sc sdset upnphost D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWLOCRRC;;;LS) sc sdset scardsvr D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;LS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLOCRRC;;;S-1-2-0) sc sdset dhcp D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY) sc sdset dnscache D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY) 对于Windows Server 2003，运行以下命令。每个命令都修改了与受影响服务相关的DACL。 sc sdset netbt D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;DT;;;LS)(A;;DT;;;NS)(A;;CCLCSWRPLOCRRC;;;NO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) sc sdset dhcp D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) sc sdset dnscache D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 注意：对于Windows Server 2003，仅有NetBT、DnsCache和DHCP是受影响的服务。在Windows Server 2003的攻击情况下，攻击必须是由Network Configuration Operators组成员发起的。默认下这个组是空的。 * 使用组策略为识别出的服务部署修改的访问控制。域管理员可使用组策略和安全模板向Windows XP Service Pack 1系统部署修改过的访问控制。对于Windows XP Service Pack 1，使用以下安全模板修改Upnphost、SCardSvr、SSDPSRV、DnsCache和DHCP服务。 [Unicode] Unicode=yes [Version] signature="$CHICAGO$" Revision=1 [Service General Setting] SSDPSRV,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;S-1-5-19)" upnphost,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWLOCRRC;;;S-1-5-19)" scardsvr,2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-19)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLOCRRC;;;S-1-2-0)" dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" 对于Windows Server 2003，使用以下安全模板修改DnsCache和DHCP服务。 [Unicode] Unicode=yes [Version] signature="$CHICAGO$" Revision=1 [Service General Setting] dhcp,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" 注意：对于Windows XP Service Pack 1和Windows Server 2003，不支持使用Microsoft组策略对象编辑器更改NetBT服务的服务DACL。因此，安全模板没有包含Windows Server 2003的NetBT服务DACL更改。注意：对于Windows Server 2003，仅有NetBT、DHCP和DnsCache是所识别出的受影响服务。在Windows Server 2003的攻击情况下，攻击必须是由Network Configuration Operators组成员发起的。默认下这个组是空的。 * 修改每个所识别出服务的Windows注册表以修改访问控制。服务修改的首选方法是使用sc.exe命令。但是，也可使用以下命令将受影响服务的安全DACL修改为Windows XP Service Pack 2相同的级别。建议用户在进行任何修改之前备份注册表。对于Windows XP Service Pack 1，修改以下注册表项更改默认的Windows XP Service Pack 1受影响服务. SSDPSRV服务： reg add HKLM\System\CurrentControlSet\Services\SSDPSRV\Security /v Security /t REG_BINARY /d _ 01001480bc000000c8000000140000003000000002001c000100000002801400ff010f00010100000000000100000_ 00002008c000600000000001400ff010f0001010000000000051200000000001800ff010f00010200000000000520_ 0000002002000000001800fd0102000102000000000005200000002302000000001800ff010f00010200000000000_ 52000000025020000000014009d00020001010000000000050b000000000014007000020001010000000000051300_ 0000010100000000000512000000010100000000000512000000 NetBT服务： reg add HKLM\System\CurrentControlSet\Services\netbt\Security /v Security /t REG_BINARY /d _ 01001480e8000000f4000000140000003000000002001c000100000002801400ff010f00010100000000000100000_ 0000200b80008000000000014008d01020001010000000000050b000000000018009d010200010200000000000520_ 0000002302000000001800ff010f000102000000000005200000002002000000001800ff010f00010200000000000_ 5200000002502000000001400fd010200010100000000000512000000000014004000000001010000000000051300_ 00000000140040000000010100000000000514000000000018009d0102000102000000000005200000002c0200000_ 10100000000000512000000010100000000000512000000 UPnPHost服务： reg add HKLM\System\CurrentControlSet\Services\upnphost\Security /v Security /t REG_BINARY /d _ 01001480bc000000c8000000140000003000000002001c000100000002801400ff010f00010100000000000100000_ 00002008c000600000000001400ff010f0001010000000000051200000000001800ff010f00010200000000000520_ 0000002002000000001800fd0102000102000000000005200000002302000000001800ff010f00010200000000000_ 52000000025020000000014009d00020001010000000000050b000000000014008f01020001010000000000051300_ 0000010100000000000512000000010100000000000512000000 ScardSvr服务： reg add HKLM\System\CurrentControlSet\Services\scardsvr\Security /v Security /t REG_BINARY /d _ 01001480a4000000b0000000140000003000000002001c000100000002801400ff010f00010100000000000100000_ 000020074000500000000001400fd01020001010000000000051200000000001400fd010200010100000000000513_ 00000000001800ff010f000102000000000005200000002002000000001800ff010f0001020000000000052000000_ 025020000000014009d01020001010000000000020000000001010000000000051200000001010000000000051200_ 0000 DHCP服务： reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dhcp\security /v Security /t REG_BINARY /d _ 01001480900000009C000000140000003000000002001C00010000002801400FF010F00010100000000000100000000020060000_ 4000000000014008D01020001010000000000050B00000000001800FD010200012000000000005200000002C02000000001800FF_ 010F00010200000000005200000002002000000001400FD010200010100000000000512000000101000000000005120000000101_ 00000000000512000000 DnsCache服务： reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dnscache\security /v Security /t REG_BINARY /d_ 01001480A8000000B4000000140000003000000002001C00010000002801400FF010F00010100000000000100000000020078000500_ 0000000014008D01020001010000000000050B000000000018009D010200012000000000005200000002302000000001800FD010200_ 010200000000005200000002C02000000001800FF010F000102000000000005200000002002000000001400FD010200010100000000_ 00051200000001010000000000512000000010100000000000512000000 对于Windows Server 2003，修改以下注册表项以更改默认的Windows Server 2003受影响服务。 NetBT服务： reg add HKLM\System\CurrentControlSet\Services\netbt\Security /v Security /t REG_BINARY /d _ 01001480e8000000f4000000140000003000000002001c000100000002801400ff010f00010100000000000100000_ 0000200b80008000000000014008d01020001010000000000050b000000000018009d010200010200000000000520_ 0000002302000000001800ff010f000102000000000005200000002002000000001800ff010f00010200000000000_ 5200000002502000000001400fd010200010100000000000512000000000014004000000001010000000000051300_ 00000000140040000000010100000000000514000000000018009d0102000102000000000005200000002c0200000_ 10100000000000512000000010100000000000512000000 DHCP服务： reg add HKLM\System\CurrentControlSet\Services\dhcp\Security /v Security /t REG_BINARY /d _ 01001480900000009C000000140000003000000002001C00010000002801400FF010F000101000000000001000_ 000000200600004000000000014008D01020001010000000000050B00000000001800FD0102000020000000000_ 05200000002C02000000001800FF010F000102000000000005200000002002000000001400FD01020001010000_ 000000051200000010100000000000512000000010100000000000512000000 DnsCache服务： reg add HKLM\System\CurrentControlSet\Services\dnscache\Security /v Security /t REG_BINARY /d _ 01001480900000009C000000140000003000000002001C00010000002801400FF010F000101000000000001000_ 000000200600004000000000014008D01020001010000000000050B00000000001800FD0102000020000000000_ 05200000002C02000000001800FF010F000102000000000005200000002002000000001400FD01020001010000_ 000000051200000010100000000000512000000010100000000000512000000 注意：出于可读性考虑，这些注册表项值中插入了“_”符号和回车。请删除该字符和回车以正确的执行命令。厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS06-011）以及相应补丁: MS06-011：Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798) 链接：http://www.microsoft.com/technet/security/Bulletin/MS06-011.mspx

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™