Bugtraq mailing list archives
Microsoft Security Bulletin (MS98-009)
From: aleph1 () DFW NET (Aleph One)
Date: Tue, 28 Jul 1998 09:51:58 -0500
---------- Forwarded message ---------- Date: Mon, 27 Jul 1998 20:28:44 -0700 From: Microsoft Product Security Response Team <secure () MICROSOFT COM> To: MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM Subject: Microsoft Security Bulletin (MS98-009) Microsoft Security Bulletin (MS98-009) -------------------------------------- Update Available for Windows NT Privilege Elevation attack Last Revision: July 27, 1998 Summary ======= Recently Microsoft was notified by Mark Joseph Edwards (http://www.ntshop.net) of a Privilege Elevation vulnerability on Microsoft(r) Windows NT(r). A program called sechole.exe written by Prasad Dabak, Sandeep Phadke and Milind Borate (psdabak () hotmail com, sandeepsandeep () hotmail com and milind () cyberspace org) exploits this vulnerability, and was published on the Internet. Sechole.exe performs a sophisticated set of steps to allow a non-administrative user who is logged on locally (at the console) of a system to gain debug level access on a system process. Using this program, the non-administrative user is able to run arbitrary code in the system security context and thereby grant themselves local administrative privileges on the local system. The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers. Issue ===== This exploit can potentially allow a non-administrative user to gain local administrative access to the system and thereby elevate their privileges on the system. In order to perform this attack the user has to have a valid local account on the system and be able to run arbitrary code on the system. Normally this means they must have physical access to the computer in order to login in locally to the system. Sensitive systems such as the Windows NT Domain Controllers where non-administrative users do not have any local log on rights by default are not susceptible to this threat. The attack cannot be used over the network get domain administrative privileges remotely. Specific Details ================ In this attack, a non-administrative user obtains administrative access to the system by virtue of being able to gain debug level access on a system process. Specifically, the exploit program does the following: * Locates the memory address of a particular API function used by the DebugActiveProcess function. * Modifies the instructions at that address to return success in a failure case. * Iterates through the processes running as local system, calling DebugActiveProcess on each until a successful attach is performed. The server side component of DebugActiveProcess does not correctly check for valid access to the target process. * Creates a thread in the victim process that runs code from an accompanying DLL This thread will add the user running the program to the local administrators group. The hotfixes listed below ensure that the access check to grant any rights is done correctly by the server. Affected Software Versions ========================== * Windows NT Workstation versions 3.51 and 4.0 * Windows NT Server versions 3.51 and 4.0 * Windows NT Server 4.0 Terminal Server Edition What Microsoft is Doing ======================= Microsoft has posted hotfixes to address this problem. NOTE: The URLs in the following section have been wrapped for readability. * Fix for Microsoft Windows NT 4.0 x86 version - ftp://ftp.microsoft.com/bussys/winnt/winnt-public/ fixes/usa/nt40/hotfixes-postSP3/priv-fix/privfixi.exe * Fix for Microsoft Windows NT 4.0 Alpha version - ftp://ftp.microsoft.com/bussys/winnt/winnt-public/ fixes/usa/nt40/hotfixes-postSP3/priv-fix/privfixa.exe * Fix for Microsoft Windows NT 3.51 - This fix will be released shortly. When it is available, http://www.microsoft.com/security will carry an announcement that provides the location of the fix. * Fix for Microsoft Windows NT Server 4.0 Terminal Server Edition - This fix will be released shortly. When it is available, http://www.microsoft.com/security will carry an announcement that provides the location of the fix. What customers should do ======================== Microsoft highly recommends that customers using Windows NT operating systems immediately apply the appropriate hotfixes to their systems. More Information ================ Please see the following references for more information related to this issue. * Microsoft Security Bulletin 98-009, Update Available for Windows NT Privilege Elevation attack (the Web posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms98-009.htm * Microsoft Knowledge Base article Q190288, SecHole lets Non-administrative Users Gain Debug Level Access http://support.microsoft.com/support/kb/articles/q190/2/88.asp. This article will be posted on 30 July; in the meantime, it can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/ winnt-public/fixes/usa/NT40/hotfixes-postSP3/priv-fix/Q190288.txt NOTE: The above URL has been wrapped for readability. Revisions ========= * July 27, 1998: Bulletin Created For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp. ===================================================== You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM The subject line and message body are not used in processing the request, and can be anything you like. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
Current thread:
- Security warning: Netscape https & proxies, (continued)
- Security warning: Netscape https & proxies Henrik Nordstrom (Jul 26)
- Another NEW mIRC bug and ALL mIRC Exploit patches Derek Reynolds (Jul 24)
- Re: Another NEW mIRC bug and ALL mIRC Exploit patches Mike Zimmerman (Jul 25)
- small bug in 5/98 distribution Sun 4070627 Lloyd Vancil (Jul 24)
- Re: small bug in 5/98 distribution Sun 4070627 Eugene Bradley (Jul 24)
- Re: small bug in 5/98 distribution Sun 4070627 Brandon Hume (Jul 26)
- Re: small bug in 5/98 distribution Sun 4070627 Casper Dik (Jul 27)
- FW: Alert: Arbitrary code execution via email or news Patrick Oonk (Jul 27)
- ISS Security Advisory -- MS Exchange 5.x Jon Larimer (Jul 27)
- [ NT SECURITY ALERT ] New Local GetAdmin Exploit MJE (Jul 27)
- Microsoft Security Bulletin (MS98-009) Aleph One (Jul 28)
- Microsoft Security Bulletin (MS98-008) Aleph One (Jul 27)
- Fwd: Any user can panic OpenBSD machine Michael Fuhr (Jul 27)
- Re: Fwd: Any user can panic OpenBSD machine David Maxwell (Jul 27)
- Re: Fwd: Any user can panic OpenBSD machine Dag-Erling Coidan Smørgrav (Jul 27)
- Re: Fwd: Any user can panic OpenBSD machine Michael Fuhr (Jul 27)
- Re: Fwd: Any user can panic OpenBSD machine Angelos D. Keromytis (Jul 27)
- Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 27)
- Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 28)
- Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 28)
- Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 28)
- Re: small bug in 5/98 distribution Sun 4070627 Eugene Bradley (Jul 24)