Dear All,
Yet another "get yourself admin rights exploit":


This exploit requires nothing more than the default permissions.


By default, the group "Everyone" has special access to the following
registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug.

As part of the special access, "Everyone" is allowed to Set the values of
the entries.
The default for the debugger is : "drwtsn32 -p %ld -e %ld -g". Anyone can
change this to whatever they want but for this exploit to work it needs to
be changed to simply "usrmgr.exe" on an NT server or "musrmgr.exe" on an NT
Workstation.

You now need to get a service to crash. When I say service I mean any
process started by the system. It needs to be a system process because a
child process will inherit the permissions of the process that spawned it.
When and if you can get a service to crash User Manager will be started
with system privs.

Below is an account of the testing of this:

When I ran getadmin.exe on NT 4 Workstation (SP1) a memory error occurred in
winlogon.exe. I then upgraded the PC to SP3. When I ran getadmin the same
access violation occurred in winlogon.exe. I logged on as a plain old user,
changed the debugger to musrmgr.exe and then ran getadmin.exe... what was
strange was the fact that I had to run getadmin on a non-existent account
first then run it against the account I was logged on with before it would
load User Manager. If you didn't do this then the system would tell you of
a memory problem as opposed to the debugger being loaded. As to why
getadmin was failing after SP3 was installed I can't be quite sure.

Anyway, it seems this exploit will work on NT Server and workstation SP1
(and on 1 NT Wkst SP3 - the same getadmin program works fine on all other
SP3 machines.) No hotfixes have been applied.

This could obviously be refined....spoolss.exe and winlogon.exe being the
likely candidates to be targeted for causing memory problems...all that you
need is either a way to get a service to crash or to write a util that will
do it for you.

The simple solution to this would be to change the default permissions set
on the registry key so that "Everyone" can no longer set its values.
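The post's fix, restricting who may write the AeDebug key, as a PowerShell audit and remediation script added here (not the original poster's code). It assumes a current Windows host with the registry provider and Get-Acl/Set-Acl available, checks both the key named in the post and its Wow6432Node view on 64-bit systems, and uses an assumed baseline list of broad principals (Everyone, Authenticated Users, INTERACTIVE, Users) that should never hold SetValue or ACL-changing rights on this key. It also reports the current Debugger value and warns when it lacks the %ld placeholders that the default "drwtsn32 -p %ld -e %ld -g" carries, which is a heuristic and not proof of tampering.

```powershell
# Added example (not from the original post): audit the AeDebug key's ACL for
# write access granted to broad principals, report the current Debugger value,
# and with -Fix remove the offending entries. Assumes a modern Windows host;
# run from an elevated prompt when using -Fix.
param([switch]$Fix)

# The key named in the post plus its 32-bit view on 64-bit Windows.
$AeDebugPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
)

# Assumed baseline: broad principals that must not be able to rewrite the
# Debugger value. Adjust to local policy.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Any of these rights lets the holder change the Debugger value or the ACL itself.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership'

function Get-AeDebugWriteGrants {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        ($_.RegistryRights -band $WriteRights) -ne 0
    }
}

function Remove-AeDebugWriteGrants {
    param([string]$Path, [object[]]$Grants)
    $acl = Get-Acl -Path $Path
    # Inherited ACEs cannot be removed directly: stop inheriting first while
    # keeping copies of the inherited rules, so only the offending ones go.
    if ($Grants | Where-Object IsInherited) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl
        $acl = Get-Acl -Path $Path
    }
    foreach ($g in $Grants) {
        # RemoveAccessRule matches on identity, type and flags and strips the
        # listed rights, so the rule object from the earlier read is sufficient.
        [void]$acl.RemoveAccessRule($g)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($path in $AeDebugPaths) {
    if (-not (Test-Path -Path $path)) { continue }
    Write-Host "== $path"

    $debugger = (Get-ItemProperty -Path $path -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($null -ne $debugger) {
        Write-Host "Debugger = $debugger"
        # Heuristic: a legitimate JIT debugger command carries the %ld
        # placeholders for the faulting process id and event handle.
        if ($debugger -notmatch '%ld') {
            Write-Warning 'Debugger value has no %ld placeholder; confirm it is an intended debugger.'
        }
    }

    $grants = @(Get-AeDebugWriteGrants -Path $path)
    if ($grants.Count -eq 0) {
        Write-Host 'OK: no broad principal holds write access.'
        continue
    }
    foreach ($g in $grants) {
        Write-Warning ('{0} has {1} (inherited: {2})' -f $g.IdentityReference, $g.RegistryRights, $g.IsInherited)
    }
    if ($Fix) {
        Remove-AeDebugWriteGrants -Path $path -Grants $grants
        Write-Host 'Removed write access for broad principals; re-run without -Fix to confirm.'
    }
}
```

Run it without -Fix first to see what would change. Breaking inheritance on the key is deliberate: an ACE inherited from HKLM\SOFTWARE cannot be removed from the child alone, and protecting the key keeps later changes to the parent from silently re-granting the access the post describes.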

l8r
Mnemonix
http://www.users.globalnet.co.uk/~mnemonix/