[9856] in bugtraq
Windows NT Screen Saver Vulnerability
daemon@ATHENA.MIT.EDU (Aleph One)
Tue Mar 9 15:47:59 1999
Date: Tue, 9 Mar 1999 12:57:42 -0800
Reply-To: Aleph One <aleph1@UNDERGROUND.ORG>
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@NETSPACE.ORG
Cybermedia Software has found the following vulnerability:
< http://www.cybermedia.co.in/NT%20Security/SS%20vulnerability.htm >
Screen Saver vulnerability
Description:
The Screen Saver is started by Winlogon.Exe whenever the machine is
idle for the specified amount of time. Screen Saver setting i=
s
a per user property and every user has right to set his own
screen saver.
The screen saver is started by Winlogon.Exe, initially in a suspende=
d
mode using CreateProcess API call. Once Winlogon.Exe gets the
process handle to screen saver, it changes the primary securi=
ty
token of the screen saver to that of the logged in user and
then resumes the screen saver process. This is done for
security reasons. If Winlogon were to NOT do this, then scree=
n
saver would run with the security context of Winlogon.Exe
(which runs in system context).
Problem:
The Winlogon.Exe DOES NOT check whether the changing of Primary toke=
n
is successful. Hence if setting of primary token fails due to
some reason, the screen saver binary will run in system conte=
xt
and be able to do whatever it pleases (e.g adding the logged =
in
user to admin group).
Simulation:
On Windows NT 3.51 and all its service packs, Windows NT 4.0 with
Service Pack 1, and NT 5.0 beta1 and beta2, when an MS-DOS
application is spawned, the returned process handle is junk
(rather it is a special event handle).
The simulation consists of one 32-bit application say BEADMIN.EXE an=
d
one MS-DOS based application, say SCRNSAVE.EXE. The BEADMIN.EXE when
started does the following
* Creates one event in `not-signal'ed state
* Sets up the screen saver. The screen saver executable is specifi=
ed
as SCRNSAVE.EXE and the timeout is set to minimum. . BEADMIN.EXE
now waits on the event.
After some time, the screen saver is triggered. This results in
Winlogon.Exe spawning SCRNSAVE.EXE. Since the CreateProcess call
returns junk handle to Winlogon.Exe, the setting of primary token
fails. Hence the SCRNSAVE.EXE application (NTVDM.EXE) runs in System
Context. This SCRNSAVE.EXE again spawns BEADMIN.EXE application. Now
this second copy of BEADMIN.EXE inherits the security context of NTV=
DM
which is System Context. This application adds the logged in user to
admin group and signals the event on which first instance of
BEADMIN.EXE is waiting. In response to this the first copy of
BEADMIN.EXE resets back the Screen Saver settings and quits.
The logged in user name is passed between the first and second copy =
of
BEADMIN.EXE using shared section.
Comments:
Although this program does not run on versions of Windows NT 4.0 aft=
er
Service pack 1, the vulnerability exists in these versions as
well. i.e in these versions also Winlogon.exe fails to perfor=
m
the validation. but the condition required for simulation doe=
s
not happen. i.e In these versions, winlogon.exe gets the prop=
er
handle to the process.
Since the vulnerability is once again reproducible in the beta
versions of NT 5.0, it is clear that it needs to be fixed.
[1]Download Demo for Screen Saver vulnerability
Blueline.jpg (398 bytes)
Copyright=A9 1999, Cybermedia Software Private Limited. All tradema=
rks
are property of their respective holders.
References
1. http://www.cybermedia.co.in/Free%20Downloads/ScrnSave.zip
