Gain Local Administrator Access on NT
Reported July 27, 1998 by
Prasad Dabak, Sandeep Phadke and Milind Borate
VERSIONS AFFECTED
Windows NT 3.51, 4.0, and 5.0 Beta 1 and 2
Windows NT 4.0 Terminal Server
DESCRIPTION
By exploiting existing Windows NT services, an application can locate a certain API call in memory (OpenProcess), modify the
instructions in a running instance, and gain Debug level access to the system, where it then grants the currently logged-in user
complete membership to the Administrators group in the local SAM database.
Microsoft's Security Bulletin states:
Specifically, the exploit program does the following:
Locates the memory address of a particular API function used by the DebugActiveProcess function.
Modifies the instructions at that address to return success in a failure case.
Iterates through the processes running as local system, calling DebugActiveProcess on each until a successful attach is
performed. The server side component of DebugActiveProcess does not correctly check for valid access to the target
process.
Creates a thread in the victim process that runs code from an accompanying DLL This thread will add the user running the
program to the local administrators group.
DEMONSTRATION
To download the demonstration program code, click here
The following describes how any normal (non-administrative) user on a Windows NT system can instantly gain administrative
control for the entire machine by running a simple executable program.
Requirements: You need to have a machine running the retail/free build of Windows NT 4.0, 3.51, or even Windows NT 5.0 beta --
either Workstation or Server will do.
1. Login on your NT machine: Login as any non-admin user on the machine (even guest account will do). You may verify that the
logged in user does not possess admin privilege at this time by trying to run the "windisk" program from the shell. This should fail
since the user does not have admin privilege.
2. Copy: After logging in, copy the software (sechole.exe and admindll.dll) onto your hard disk in any directory that allows you
write and execute access.
3. Run SecHole.Exe : After running the program, your system might become unstable or possibly lock up.
4. Reboot the machine if necessary: You will see that the non-admin user now belongs to the Administrators group. This means
that the user has complete admin control over that machine -- for instance, you will be able to run programs like "windisk", create
new users, delete existing users, install drivers, even format hard disks.
FURTHER COMMENTS FROM THE AUTHORS:
SECHOLE.EXE is designed only to work on the workstation/server machine it is executed on. Using the same technique, it is possible
to gain domain-level Administrator control over the entire Windows NT network, provided certain other conditions are met. The
example program SECHOLE.EXE is not designed to demonstrate this additional vulnerability.
[NOTE: Microsoft informs The NT Shop that remoting this exploit is not possible. We personally think it may be usable against a
remote IIS system via a browser, which may grant the IUSR_MACHINENAME acct undue authority. ]
We (Prasad Dabak, Sandeep Phadke and Milind Borate) have written a book entitled "Undocumented Windows NT" for O'Reilly &
Associates. The book discusses a host of undocumented NT API calls -- something every serious programmer must have. The book
also discusses the security holes and risks posed by Windows NT operating system.
The complete manuscript of the book is ready to go. O'Reilly has decided not to publish the book for reasons not related to the
contents or its authors, thus, the authors are looking for a new publisher for the book. Interested publishers should contact us
at psdabak@hotmail.com, milind@cyberspace.org and sandeepsandeep@hotmail.com
In the continued absence of interested publishers, the authors will make the book available online for a cost. Two previously posted
samples from the book may be reviewed at:
http://www.sonic.net/~undoc/ntaddsys.html
http://www.sonic.net/~undoc/ntcallgate.html
If you are interested in getting the first copies of the book send email to: psdabak@hotmail.com -- the book should be available soon.
COMMENTS:
[The following comments were sent to us by David LeBlanc]
The sechole exploit is local in scope unless there is a service running on the system which is running under a domain account. If it can
attach to a service running under a context other than the local system, the code could be executed as that user. It is fairly trivial to
replace the DLL which comes with the exploit to cause it to take other actions. However, if the lsa2-fix is not applied, the local user
who has just become local admin can obtain the password of the domain user for the service and obtain the rights of that user in that
manner. The lsa2-fix makes this more difficult (though not impossible).
Another area where sechole can be used to cause problems would be if ordinary users were allowed to place HTML content directly
onto the web server. The #exec directive causes a HTML page to execute a command and direct the output to the client, and it is
enabled by default in IIS 4.0. If a user were to place sechole.exe, the DLL and a web page which invokes sechole onto a web server,
the IUSR_Machine account would then become admin. I would recommend disabling this feature for any web site directories where
non-administrative users are allowed to place files.
David LeBlanc
dleblanc@mindspring.com
SOLUTION
Load the proper hotfix -- U.S. version fixes are listed below. International users should check Microsoft's FTP directory for proper
hotfix versions.
07/28/98 12:28AM 135,104 privfixa.exe
07/28/98 12:28AM 94,704 privfixi.exe
07/27/98 11:28PM 5,018 Q190288.TXT
07/27/98 11:36PM 690 Readme.txt