Bugtraq mailing list archives

Update to Microsoft Security Bulletin (MS99-006)


From: aleph1 () UNDERGROUND ORG (aleph1 () UNDERGROUND ORG)
Date: Fri, 5 Mar 1999 14:59:26 -0800


The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
                    ********************************

Update to Microsoft Security Bulletin (MS99-006)
------------------------------------------------

Fix Available for Windows NT "KnownDLLs List" Vulnerability

Originally Posted: February 19, 1999
Updated: March 5, 1999

Summary
=======
This is an update to Microsoft Security Bulletin MS99-006, which was
originally issued on February 19, 1999. Microsoft is issuing this updated
bulletin to inform customers of the availability of a patch, and to update
the list of affected products.

Microsoft has learned of a vulnerability affecting all versions of
Microsoft(r) Windows NT(r) operating system, which could allow a user to
gain administrative privileges on a computer. In most common usage
scenarios, this vulnerability presents itself on workstations, terminal
servers, and other systems that allow non-administrative users to
interactively log on. Less-common configurations could also be affected,
and are discussed below.

The privilege elevation can be prevented by applying a hot fix that changes
the default access control settings on the relevant operating system
object. The hot fix is available for downloading from the Microsoft FTP
site. Microsoft recommends that customers who previously made a registry
change as a temporary workaround revert to the original registry setting and
use the hot fix instead.

Issue
=====
In Windows NT, core operating system DLLs are kept in virtual memory and
shared between the programs running on the system. This is done to avoid
having redundant copies of the DLLs in memory, and improves memory usage
and system performance. When a program calls a function provided by one of
these DLLs, the operating system references a data structure called the
KnownDLLs list to determine the location of the DLL in virtual memory. The
Windows NT security architecture protects in-memory DLLs against
modification, but by default it allows all users to read from and write to
the KnownDLLs list. This is the root problem underlying the vulnerability.

A user can programmatically load into memory a malicious DLL that has the
same name as a system DLL, then change the entry in the KnownDLLs list to
point to the malicious copy. From that point forward, programs that request
the system DLL will instead be directed to the malicious copy. When called
by a program with sufficiently high privileges, it could take any desired
action, such as adding the malicious user to the Administrators group.

It is important to understand that the user must be able to run exploitation
code on a machine in order to elevate their privileges. There are two types
of machines at risk:
 - Machines that allow non-administrative users to interactively
   log on. Workstations and terminal servers typically do allow this,
   but, per standard security practices, most other servers only allow
   administrators to interactively log on. (Even on workstations, it's
   worth noting that most workstation users already are administrators
   on the local machine.)
 - Machines that allow remote users to submit arbitrary programs for
   execution. Servers such as domain controllers, line of business
   servers, application servers, print and file servers and the like
   typically do not accept arbitrary programs for execution.

It also is important to note that the scope of the privilege elevation is
highly dependent on the specific machine on which the exploitation code is
run. For example, a user who exploited this vulnerability on a workstation
could join the local Administrators group, but could not directly exploit
this vulnerability to become a domain administrator. However, a user who
exploited this vulnerability on a domain controller would be able to become
a domain Administrator, because the domain SAM is shared among all domain
controllers.

While there are no reports of customers being adversely affected by this
privilege elevation vulnerability, Microsoft is proactively providing
information to allow customers to prevent it. The hot fix changes the
default permissions on the KnownDLLs list to read-only, and is the
recommended corrective action for this vulnerability. The initial version of
this bulletin provided a workaround in the form of a registry change that
restricts users' ability to change system base objects, including the
KnownDLLs list. Although the registry change corrects the problem, it
encompasses a broader range of system behavior than the hot fix, and may not
be appropriate for all systems.

Affected Software Versions
==========================
 - Microsoft Windows NT Workstation 4.0
 - Microsoft Windows NT Server 4.0
 - Microsoft Windows NT Server 4.0, Enterprise Edition
 - Microsoft Windows NT Server 4.0, Terminal Server Edition

What Microsoft is Doing
=======================
Microsoft has provided a patch that changes the default permissions on the
KnownDLLs list. Information on the patch is provided below in What
Customers Should Do.

Microsoft also has sent this security bulletin to customers
subscribing to the Microsoft Product Security Notification Service.
See http://www.microsoft.com/security/services/bulletin.asp for
more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this
issue:
 - Microsoft Knowledge Base (KB) article Q218473,
   Restricting Changes to Base System Objects,
   http://support.microsoft.com/support/kb/articles/q218/4/73.asp.
   (Note: It might take 24 hours from the original posting
   of this bulletin for the KB article to be visible in the
   Web-based Knowledge Base.)

What customers should do
========================
Microsoft highly recommends that customers evaluate the degree of risk that
this vulnerability poses to their systems and determine whether to download
and install the hot fix. The hot fix changes the default permissions on the
KnownDLLs list, and is the recommended means of eliminating the
vulnerability.

The hot fix can be found at:
 - X86-based Windows NT Workstation and Server 4.0
   (including Enterprise Edition):
   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/
   usa/NT40/hotfixes-postSP4/Smss-fix/Smssfixi.exe
 - X86-based Windows NT Server 4.0, Terminal Server Edition:
   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/
   usa/NT40TSE/hotfixes-postSP3/Smss-fix/Smssfixi.exe
 - Alpha-based Windows NT Workstation and Server 4.0
   (including Enterprise Edition and Terminal Server Edition):
   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/
   usa/NT40/hotfixes-postSP4/Smss-fix/Smssfixa.exe
 - Alpha-based Windows NT Server 4.0, Terminal Server Edition:
   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/
   usa/NT40TSE/hotfixes-postSP3/Smss-fix/Smssfixa.exe

(Note: the above URLs have been word-wrapped for readability)

Registry Change
===============
It is also possible to eliminate this vulnerability via a registry change
that enables stronger protection on system base objects such as the
KnownDLLs list. However, because this registry change affects all system
base objects, rather than just the KnownDLLs list, it may not be
appropriate for all systems. The recommended fix for this vulnerability is
via the hot fix detailed above in What Customers Should Do. Customers who
previously used this registry change as a temporary workaround may wish to
revert to their original setting and install the hot fix as a permanent
solution.

Registry Change:
 - Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\
   Control\Session Manager
   (note: the key name has been word-wrapped for readability)
 - Name: ProtectionMode
 - Type: REG_DWORD
 - Value: 1

NOTE: Incorrectly changing the system registry can damage your system or
render it inoperable, and users undertake these changes at their own risk.
If you require assistance in making this change, see Obtaining Support on
this Issue below.

More Information
================
Please see the following references for more information related to this
issue.
 - Microsoft Security Bulletin MS99-006,
   Fix Available for Windows NT "KnownDLLs List" Vulnerability
   (the Web-posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms99-006.asp.
 - Microsoft Knowledge Base (KB) article Q218473,
   Restricting Changes to Base System Objects,
   http://support.microsoft.com/support/kb/articles/q218/4/73.asp.
 - Microsoft White Paper, Securing Windows NT Installation, available
   at http://www.microsoft.com/security/resources/whitepapers.asp and
   http://www.microsoft.com/ntserver/security/exec/
   overview/Secure_NTInstall.asp

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges L0pht Heavy Industries (http://www.l0pht.com)
for discovering this vulnerability.

Revisions
=========
 - February 19, 1999: Bulletin Created
 - March 5, 1999: Bulletin Updated


For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security


------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

   *******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
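
As an added example, not part of the Microsoft bulletin, the PowerShell function below reports whether the ProtectionMode value described under "Registry Change" above is present, has type REG_DWORD and is set to 1, so an administrator can see where the temporary workaround is still in place. The function name, the status labels and the use of remote registry access are assumptions of this example; it only reads the registry and does not show whether the hot fix is installed.

```powershell
# Added example (not from the bulletin): report ProtectionMode per host.
function Get-ProtectionModeStatus {
    [CmdletBinding()]
    param(
        # Host names are supplied by the caller; default is the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    # Key and value name as given in the bulletin (key path un-wrapped).
    $subKey    = 'System\CurrentControlSet\Control\Session Manager'
    $valueName = 'ProtectionMode'

    foreach ($computer in $ComputerName) {
        $hklm = $null; $key = $null; $kind = $null; $value = $null
        try {
            # Remote reads need the Remote Registry service on the target.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey($subKey)          # opened read-only
            if ($null -eq $key) {
                $status = 'KeyMissing'
            } elseif ($key.GetValueNames() -notcontains $valueName) {
                $status = 'NotSet'                    # value absent
            } else {
                $kind  = $key.GetValueKind($valueName)
                $value = $key.GetValue($valueName)
                if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                    $status = 'WrongType'             # bulletin specifies REG_DWORD
                } elseif ($value -eq 1) {
                    $status = 'Enabled'               # the workaround value
                } else {
                    $status = 'Disabled'
                }
            }
        } catch {
            $status = "Error: $($_.Exception.Message)"
        } finally {
            if ($key)  { $key.Close() }
            if ($hklm) { $hklm.Close() }
        }
        [pscustomobject]@{
            ComputerName = $computer
            Status       = $status
            Value        = $value
            Kind         = $kind
        }
    }
}

Get-ProtectionModeStatus | Format-Table -AutoSize
```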


