[7411] in bugtraq
Microsoft Security Bulletin (MS98-009)
daemon@ATHENA.MIT.EDU (Aleph One)
Tue Jul 28 11:48:47 1998
Date: Tue, 28 Jul 1998 09:51:58 -0500
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
---------- Forwarded message ----------
Date: Mon, 27 Jul 1998 20:28:44 -0700
From: Microsoft Product Security Response Team <secure@MICROSOFT.COM>
To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
Subject: Microsoft Security Bulletin (MS98-009)
Microsoft Security Bulletin (MS98-009)
--------------------------------------
Update Available for Windows NT Privilege Elevation attack
Last Revision: July 27, 1998
Summary
=======
Recently Microsoft was notified by Mark Joseph Edwards
(http://www.ntshop.net) of a Privilege Elevation vulnerability on
Microsoft(r) Windows NT(r). A program called sechole.exe written by Prasad
Dabak, Sandeep Phadke and Milind Borate (psdabak@hotmail.com,
sandeepsandeep@hotmail.com and milind@cyberspace.org) exploits this
vulnerability, and was published on the Internet. Sechole.exe performs a
sophisticated set of steps to allow a non-administrative user who is logged
on locally (at the console) of a system to gain debug level access on a
system process. Using this program, the non-administrative user is able to
run arbitrary code in the system security context and thereby grant
themselves local administrative privileges on the local system.
The purpose of this bulletin is to inform Microsoft customers of this issue,
its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.
Issue
=====
This exploit can potentially allow a non-administrative user to gain local
administrative access to the system and thereby elevate their privileges on
the system. In order to perform this attack the user has to have a valid
local account on the system and be able to run arbitrary code on the system.
Normally this means they must have physical access to the computer in order
to login in locally to the system.
Sensitive systems such as the Windows NT Domain Controllers where
non-administrative users do not have any local log on rights by default are
not susceptible to this threat. The attack cannot be used over the network
get domain administrative privileges remotely.
Specific Details
================
In this attack, a non-administrative user obtains administrative access to
the system by virtue of being able to gain debug level access on a system
process. Specifically, the exploit program does the following:
* Locates the memory address of a particular API function
used by the DebugActiveProcess function.
* Modifies the instructions at that address to return success
in a failure case.
* Iterates through the processes running as local system,
calling DebugActiveProcess on each until a successful attach
is performed. The server side component of DebugActiveProcess
does not correctly check for valid access to the target process.
* Creates a thread in the victim process that runs code from an
accompanying DLL This thread will add the user running the program
to the local administrators group.
The hotfixes listed below ensure that the access check to grant any rights
is done correctly by the server.
Affected Software Versions
==========================
* Windows NT Workstation versions 3.51 and 4.0
* Windows NT Server versions 3.51 and 4.0
* Windows NT Server 4.0 Terminal Server Edition
What Microsoft is Doing
=======================
Microsoft has posted hotfixes to address this problem. NOTE: The URLs in
the following section have been wrapped for readability.
* Fix for Microsoft Windows NT 4.0 x86 version -
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/
fixes/usa/nt40/hotfixes-postSP3/priv-fix/privfixi.exe
* Fix for Microsoft Windows NT 4.0 Alpha version -
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/
fixes/usa/nt40/hotfixes-postSP3/priv-fix/privfixa.exe
* Fix for Microsoft Windows NT 3.51 - This fix will be released
shortly. When it is available, http://www.microsoft.com/security
will carry an announcement that provides the location of the fix.
* Fix for Microsoft Windows NT Server 4.0 Terminal Server Edition -
This fix will be released shortly. When it is available,
http://www.microsoft.com/security will carry an announcement that
provides the location of the fix.
What customers should do
========================
Microsoft highly recommends that customers using Windows NT operating
systems immediately apply the appropriate hotfixes to their systems.
More Information
================
Please see the following references for more information related to this
issue.
* Microsoft Security Bulletin 98-009, Update Available for
Windows NT Privilege Elevation attack (the Web posted version of this
bulletin), http://www.microsoft.com/security/bulletins/ms98-009.htm
* Microsoft Knowledge Base article Q190288, SecHole lets
Non-administrative Users Gain Debug Level Access
http://support.microsoft.com/support/kb/articles/q190/2/88.asp.
This article will be posted on 30 July; in the meantime,
it can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/
winnt-public/fixes/usa/NT40/hotfixes-postSP3/priv-fix/Q190288.txt
NOTE: The above URL has been wrapped for readability.
Revisions
=========
* July 27, 1998: Bulletin Created
For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.
=====================================================
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
