Gain Local Administrator Access on NT Reported July 27, 1998 by Prasad Dabak, Sandeep Phadke and Milind Borate VERSIONS AFFECTED Windows NT 3.51, 4.0, and 5.0 Beta 1 and 2 Windows NT 4.0 Terminal Server DESCRIPTION By exploiting existing Windows NT services, an application can locate a certain API call in memory (OpenProcess), modify the instructions in a running instance, and gain Debug level access to the system, where it then grants the currently logged-in user complete membership to the Administrators group in the local SAM database. Microsoft's Security Bulletin states: Specifically, the exploit program does the following: Locates the memory address of a particular API function used by the DebugActiveProcess function. Modifies the instructions at that address to return success in a failure case. Iterates through the processes running as local system, calling DebugActiveProcess on each until a successful attach is performed. The server side component of DebugActiveProcess does not correctly check for valid access to the target process. Creates a thread in the victim process that runs code from an accompanying DLL This thread will add the user running the program to the local administrators group. DEMONSTRATION To download the demonstration program code, click here The following describes how any normal (non-administrative) user on a Windows NT system can instantly gain administrative control for the entire machine by running a simple executable program. Requirements: You need to have a machine running the retail/free build of Windows NT 4.0, 3.51, or even Windows NT 5.0 beta -- either Workstation or Server will do. 1. Login on your NT machine: Login as any non-admin user on the machine (even guest account will do). You may verify that the logged in user does not possess admin privilege at this time by trying to run the "windisk" program from the shell. This should fail since the user does not have admin privilege. 2. Copy: After logging in, copy the software (sechole.exe and admindll.dll) onto your hard disk in any directory that allows you write and execute access. 3. Run SecHole.Exe : After running the program, your system might become unstable or possibly lock up. 4. Reboot the machine if necessary: You will see that the non-admin user now belongs to the Administrators group. This means that the user has complete admin control over that machine -- for instance, you will be able to run programs like "windisk", create new users, delete existing users, install drivers, even format hard disks. FURTHER COMMENTS FROM THE AUTHORS: SECHOLE.EXE is designed only to work on the workstation/server machine it is executed on. Using the same technique, it is possible to gain domain-level Administrator control over the entire Windows NT network, provided certain other conditions are met. The example program SECHOLE.EXE is not designed to demonstrate this additional vulnerability. [NOTE: Microsoft informs The NT Shop that remoting this exploit is not possible. We personally think it may be usable against a remote IIS system via a browser, which may grant the IUSR_MACHINENAME acct undue authority. ] We (Prasad Dabak, Sandeep Phadke and Milind Borate) have written a book entitled "Undocumented Windows NT" for O'Reilly & Associates. The book discusses a host of undocumented NT API calls -- something every serious programmer must have. The book also discusses the security holes and risks posed by Windows NT operating system. The complete manuscript of the book is ready to go. O'Reilly has decided not to publish the book for reasons not related to the contents or its authors, thus, the authors are looking for a new publisher for the book. Interested publishers should contact us at psdabak@hotmail.com, milind@cyberspace.org and sandeepsandeep@hotmail.com In the continued absence of interested publishers, the authors will make the book available online for a cost. Two previously posted samples from the book may be reviewed at: http://www.sonic.net/~undoc/ntaddsys.html http://www.sonic.net/~undoc/ntcallgate.html If you are interested in getting the first copies of the book send email to: psdabak@hotmail.com -- the book should be available soon. COMMENTS: [The following comments were sent to us by David LeBlanc] The sechole exploit is local in scope unless there is a service running on the system which is running under a domain account. If it can attach to a service running under a context other than the local system, the code could be executed as that user. It is fairly trivial to replace the DLL which comes with the exploit to cause it to take other actions. However, if the lsa2-fix is not applied, the local user who has just become local admin can obtain the password of the domain user for the service and obtain the rights of that user in that manner. The lsa2-fix makes this more difficult (though not impossible). Another area where sechole can be used to cause problems would be if ordinary users were allowed to place HTML content directly onto the web server. The #exec directive causes a HTML page to execute a command and direct the output to the client, and it is enabled by default in IIS 4.0. If a user were to place sechole.exe, the DLL and a web page which invokes sechole onto a web server, the IUSR_Machine account would then become admin. I would recommend disabling this feature for any web site directories where non-administrative users are allowed to place files. David LeBlanc dleblanc@mindspring.com SOLUTION Load the proper hotfix -- U.S. version fixes are listed below. International users should check Microsoft's FTP directory for proper hotfix versions. 07/28/98 12:28AM 135,104 privfixa.exe 07/28/98 12:28AM 94,704 privfixi.exe 07/27/98 11:28PM 5,018 Q190288.TXT 07/27/98 11:36PM 690 Readme.txt