Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Microsoft Security Bulletin (MS98-009)

From: aleph1 () DFW NET (Aleph One)
Date: Tue, 28 Jul 1998 09:51:58 -0500

---------- Forwarded message ----------
Date: Mon, 27 Jul 1998 20:28:44 -0700
From: Microsoft Product Security Response Team <secure () MICROSOFT COM>
To: MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM
Subject: Microsoft Security Bulletin (MS98-009)

Microsoft Security Bulletin (MS98-009)
--------------------------------------

Update Available for Windows NT Privilege Elevation attack

Last Revision: July 27, 1998

Summary
=======
Recently Microsoft was notified by Mark Joseph Edwards
(http://www.ntshop.net) of a Privilege Elevation vulnerability on
Microsoft(r) Windows NT(r). A program called sechole.exe written by Prasad
Dabak, Sandeep Phadke and Milind Borate (psdabak () hotmail com,
sandeepsandeep () hotmail com and milind () cyberspace org) exploits this
vulnerability, and was published on the Internet. Sechole.exe performs a
sophisticated set of steps to allow a non-administrative user who is logged
on locally (at the console) of a system to gain debug level access on a
system process. Using this program, the non-administrative user is able to
run arbitrary code in the system security context and thereby grant
themselves local administrative privileges on the local system.

The purpose of this bulletin is to inform Microsoft customers of this issue,
its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

Issue
=====
This exploit can potentially allow a non-administrative user to gain local
administrative access to the system and thereby elevate their privileges on
the system. In order to perform this attack the user has to have a valid
local account on the system and be able to run arbitrary code on the system.
Normally this means they must have physical access to the computer in order
to login in locally to the system.

Sensitive systems such as the Windows NT Domain Controllers where
non-administrative users do not have any local log on rights by default are
not susceptible to this threat. The attack cannot be used over the network
get domain administrative privileges remotely.

Specific Details
================
In this attack, a non-administrative user obtains administrative access to
the system by virtue of being able to gain debug level access on a system
process. Specifically, the exploit program does the following:

   * Locates the memory address of a particular API function
   used by the DebugActiveProcess function.

   * Modifies the instructions at that address to return success
   in a failure case.

   * Iterates through the processes running as local system,
   calling DebugActiveProcess on each until a successful attach
   is performed. The server side component of DebugActiveProcess
   does not correctly check for valid access to the target process.

   * Creates a thread in the victim process that runs code from an
   accompanying DLL This thread will add the user running the program
   to the local administrators group.

The hotfixes listed below ensure that the access check to grant any rights
is done correctly by the server.

Affected Software Versions
==========================
   * Windows NT Workstation versions 3.51 and 4.0
   * Windows NT Server versions 3.51 and 4.0
   * Windows NT Server 4.0 Terminal Server Edition

What Microsoft is Doing
=======================
Microsoft has posted hotfixes to address this problem.  NOTE: The URLs in
the following section have been wrapped for readability.

   * Fix for Microsoft Windows NT 4.0 x86 version -
   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/
   fixes/usa/nt40/hotfixes-postSP3/priv-fix/privfixi.exe

   * Fix for Microsoft Windows NT 4.0 Alpha version -
   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/
   fixes/usa/nt40/hotfixes-postSP3/priv-fix/privfixa.exe

   * Fix for Microsoft Windows NT 3.51 - This fix will be released
   shortly. When it is available, http://www.microsoft.com/security
   will carry an announcement that provides the location of the fix.

   * Fix for Microsoft Windows NT Server 4.0 Terminal Server Edition -
   This fix will be released shortly. When it is available,
   http://www.microsoft.com/security will carry an announcement that
   provides the location of the fix.

What customers should do
========================
Microsoft highly recommends that customers using Windows NT operating
systems immediately apply the appropriate hotfixes to their systems.

More Information
================
Please see the following references for more information related to this
issue.
   * Microsoft Security Bulletin 98-009, Update Available for
   Windows NT Privilege Elevation attack (the Web posted version of this
   bulletin), http://www.microsoft.com/security/bulletins/ms98-009.htm

   * Microsoft Knowledge Base article Q190288, SecHole lets
   Non-administrative Users Gain Debug Level Access
   http://support.microsoft.com/support/kb/articles/q190/2/88.asp.
   This article will be posted on 30 July; in the meantime,
   it can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/
   winnt-public/fixes/usa/NT40/hotfixes-postSP3/priv-fix/Q190288.txt
   NOTE: The above URL has been wrapped for readability.

Revisions
=========
   * July 27, 1998: Bulletin Created

For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

          =====================================================
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please    visit    http://www.microsoft.com/security/bulletin.htm.    For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
Previous By Date Next
Previous By Thread Next

Current thread: