Gain Local Administrator Access on NT
                                          Reported July 27, 1998 by 
                                    Prasad Dabak, Sandeep Phadke and Milind Borate

   VERSIONS AFFECTED

          Windows NT 3.51, 4.0, and 5.0 Beta 1 and 2 
          Windows NT 4.0 Terminal Server 

   DESCRIPTION

   By exploiting existing Windows NT services, an application can locate a certain API call in memory (OpenProcess), modify the
   instructions in a running instance, and gain Debug level access to the system, where it then grants the currently logged-in user
   complete membership to the Administrators group in the local SAM database.

   Microsoft's Security Bulletin states:

   Specifically, the exploit program does the following: 

          Locates the memory address of a particular API function used by the DebugActiveProcess function. 
          Modifies the instructions at that address to return success in a failure case. 
          Iterates through the processes running as local system, calling DebugActiveProcess on each until a successful attach is
          performed. The server side component of DebugActiveProcess does not correctly check for valid access to the target
          process. 
          Creates a thread in the victim process that runs code from an accompanying DLL This thread will add the user running the
          program to the local administrators group. 

   DEMONSTRATION

   To download the demonstration program code, click here

   The following describes how any normal (non-administrative) user on a Windows NT system can instantly gain administrative
   control for the entire machine by running a simple executable program.

   Requirements: You need to have a machine running the retail/free build of Windows NT 4.0, 3.51, or even Windows NT 5.0 beta --
   either Workstation or Server will do. 

   1. Login on your NT machine: Login as any non-admin user on the machine (even guest account will do). You may verify that the
   logged in user does not possess admin privilege at this time by trying to run the "windisk" program from the shell. This should fail
   since the user does not have admin privilege. 

   2. Copy: After logging in, copy the software (sechole.exe and admindll.dll) onto your hard disk in any directory that allows you
   write and execute access. 

   3. Run SecHole.Exe : After running the program, your system might become unstable or possibly lock up. 

   4. Reboot the machine if necessary: You will see that the non-admin user now belongs to the Administrators group. This means
   that the user has complete admin control over that machine -- for instance, you will be able to run programs like "windisk", create
   new users, delete existing users, install drivers, even format hard disks.

   FURTHER COMMENTS FROM THE AUTHORS:

   SECHOLE.EXE is designed only to work on the workstation/server machine it is executed on. Using the same technique, it is possible
   to gain domain-level Administrator control over the entire Windows NT network, provided certain other conditions are met. The
   example program SECHOLE.EXE is not designed to demonstrate this additional vulnerability. 

   [NOTE: Microsoft informs The NT Shop that remoting this exploit is not possible. We personally think it may be usable against a
   remote IIS system via a browser, which may grant the IUSR_MACHINENAME acct undue authority. ]

   We (Prasad Dabak, Sandeep Phadke and Milind Borate) have written a book entitled "Undocumented Windows NT" for O'Reilly &
   Associates. The book discusses a host of undocumented NT API calls -- something every serious programmer must have. The book
   also discusses the security holes and risks posed by Windows NT operating system. 

   The complete manuscript of the book is ready to go. O'Reilly has decided not to publish the book for reasons not related to the
   contents or its authors, thus, the authors are looking for a new publisher for the book. Interested publishers should contact us
   at psdabak@hotmail.com, milind@cyberspace.org and sandeepsandeep@hotmail.com 

   In the continued absence of interested publishers, the authors will make the book available online for a cost. Two previously posted
   samples from the book may be reviewed at:

   http://www.sonic.net/~undoc/ntaddsys.html 
   http://www.sonic.net/~undoc/ntcallgate.html 

   If you are interested in getting the first copies of the book send email to: psdabak@hotmail.com -- the book should be available soon.

   COMMENTS:

   [The following comments were sent to us by David LeBlanc]

   The sechole exploit is local in scope unless there is a service running on the system which is running under a domain account. If it can
   attach to a service running under a context other than the local system, the code could be executed as that user. It is fairly trivial to
   replace the DLL which comes with the exploit to cause it to take other actions. However, if the lsa2-fix is not applied, the local user
   who has just become local admin can obtain the password of the domain user for the service and obtain the rights of that user in that
   manner. The lsa2-fix makes this more difficult (though not impossible).

   Another area where sechole can be used to cause problems would be if ordinary users were allowed to place HTML content directly
   onto the web server. The #exec directive causes a HTML page to execute a command and direct the output to the client, and it is
   enabled by default in IIS 4.0. If a user were to place sechole.exe, the DLL and a web page which invokes sechole onto a web server,
   the IUSR_Machine account would then become admin. I would recommend disabling this feature for any web site directories where
   non-administrative users are allowed to place files. 

   David LeBlanc
   dleblanc@mindspring.com

   SOLUTION

   Load the proper hotfix -- U.S. version fixes are listed below. International users should check Microsoft's FTP directory for proper
   hotfix versions.

    07/28/98   12:28AM   135,104   privfixa.exe 
    07/28/98   12:28AM    94,704   privfixi.exe
    07/27/98   11:28PM     5,018   Q190288.TXT 
    07/27/98   11:36PM       690   Readme.txt