Windows NT Screen Saver Vulnerability

[aleph1 () UNDERGROUND ORG (Aleph One)]

Cybermedia Software has found the following vulnerability:

< http://www.cybermedia.co.in/NT%20Security/SS%20vulnerability.htm >


   Screen Saver vulnerability

   Description:

   The Screen Saver is started by Winlogon.Exe whenever the machine is
          idle for the specified amount of time. Screen Saver setting is
          a per user property and every user has right to set his own
          screen saver.

   The screen saver is started by Winlogon.Exe, initially in a suspended
          mode using CreateProcess API call. Once Winlogon.Exe gets the
          process handle to screen saver, it changes the primary security
          token of the screen saver to that of the logged in user and
          then resumes the screen saver process. This is done for
          security reasons. If Winlogon were to NOT do this, then screen
          saver would run with the security context of Winlogon.Exe
          (which runs in system context).



   Problem:

   The Winlogon.Exe DOES NOT check whether the changing of Primary token
          is successful. Hence if setting of primary token fails due to
          some reason, the screen saver binary will run in system context
          and be able to do whatever it pleases (e.g adding the logged in
          user to admin group).



   Simulation:

   On Windows NT 3.51 and all its service packs, Windows NT 4.0 with
          Service Pack 1, and NT 5.0 beta1 and beta2, when an MS-DOS
          application is spawned, the returned process handle is junk
          (rather it is a special event handle).

   The simulation consists of one 32-bit application say BEADMIN.EXE and
   one MS-DOS based application, say SCRNSAVE.EXE. The BEADMIN.EXE when
   started does the following
     * Creates one event in `not-signal'ed state
     * Sets up the screen saver. The screen saver executable is specified
       as SCRNSAVE.EXE and the timeout is set to minimum. . BEADMIN.EXE
       now waits on the event.

   After some time, the screen saver is triggered. This results in
   Winlogon.Exe spawning SCRNSAVE.EXE. Since the CreateProcess call
   returns junk handle to Winlogon.Exe, the setting of primary token
   fails. Hence the SCRNSAVE.EXE application (NTVDM.EXE) runs in System
   Context. This SCRNSAVE.EXE again spawns BEADMIN.EXE application. Now
   this second copy of BEADMIN.EXE inherits the security context of NTVDM
   which is System Context. This application adds the logged in user to
   admin group and signals the event on which first instance of
   BEADMIN.EXE is waiting. In response to this the first copy of
   BEADMIN.EXE resets back the Screen Saver settings and quits.

   The logged in user name is passed between the first and second copy of
   BEADMIN.EXE using shared section.

   Comments:

   Although this program does not run on versions of Windows NT 4.0 after
          Service pack 1, the vulnerability exists in these versions as
          well. i.e in these versions also Winlogon.exe fails to perform
          the validation. but the condition required for simulation does
          not happen. i.e In these versions, winlogon.exe gets the proper
          handle to the process.

   Since the vulnerability is once again reproducible in the beta
   versions of NT 5.0, it is clear that it needs to be fixed.

   [1]Download Demo for Screen Saver vulnerability

   Blueline.jpg (398 bytes)

    Copyright© 1999, Cybermedia Software Private Limited. All trademarks
                 are property of their respective holders.

References

   1. http://www.cybermedia.co.in/Free%20Downloads/ScrnSave.zip