Microsoft Security Bulletin MS98-009 - Critical
Update Available for Windows NT Privilege Elevation Attack
Published: July 27, 1998
Last Revision: July 27, 1998
Recently Microsoft was notified by Mark Joseph Edwards (http://www.ntshop.net) of a Privilege Elevation vulnerability in the Microsoft® Windows NT® operating system. A program called sechole.exe, written by Prasad Dabak, Sandeep Phadke and Milind Borate, exploits this vulnerability and was published on the Internet. Sechole.exe performs a sophisticated set of steps to allow a non-administrative user who is logged on locally (at the console of a system) to gain debug-level access on a system process. Using this program, the non-administrative user is able to run arbitrary code in the system security context and thereby grant himself or herself local administrative privileges on the local system.
The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers.
This exploit can potentially allow a non-administrative user to gain local administrative access to the system and thereby elevate his or her privileges on the system. In order to perform this attack, the user has to have a valid local account on the system and be able to run arbitrary code on the system. Normally this means they must have physical access to the computer in order to log on locally to the system.
Sensitive systems such as the Windows NT Domain Controllers, where non-administrative users do not have any local logon rights by default, are not susceptible to this threat. The attack cannot be used over the network to get domain administrative privileges remotely.
In this attack, a non-administrative user obtains administrative access to the system by virtue of being able to gain debug-level access on a system process.
Specifically, the exploit program does the following:
- Locates the memory address of a particular API function used by the DebugActiveProcess function.
- Modifies the instructions at that address to return success in a failure case.
- Iterates through the processes running as local system, calling DebugActiveProcess on each until a successful attach is performed. The server-side component of DebugActiveProcess does not correctly check for valid access to the target process.
- Creates a thread in the victim process that runs code from an accompanying dynamic-link library (DLL). This thread will add the user running the program to the local administrators group.
The hot fixes listed below ensure that the access check to grant any rights is done correctly by the server.
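A defensive check for the outcome described above, as an added example that is not part of the original bulletin: because the injected thread runs inside a system process, the resulting addition to the local Administrators group is made in the Local System context. The code assumes security events have already been exported to dictionaries keyed by the field names of event ID 4732 (member added to a security-enabled local group, the ID used by current Windows versions rather than the NT releases covered here); the sample events and the approved-member baseline are constructed.

```python
# Added example, not Microsoft code: flag suspicious additions to BUILTIN\Administrators.
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID: BUILTIN\Administrators
LOCAL_SYSTEM_SID = "S-1-5-18"        # well-known SID: Local System
MEMBER_ADDED = 4732                  # "member added to a security-enabled local group"

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed sample events (not real logs); keys follow event 4732 field names.
SAMPLE_EVENTS = [
    {"EventID": 4732, "TimeCreated": "2024-01-10T09:00:00Z",
     "SubjectUserSid": DOMAIN + "-500", "TargetSid": ADMINISTRATORS_SID,
     "MemberSid": DOMAIN + "-1104"},   # approved change made by an administrator
    {"EventID": 4732, "TimeCreated": "2024-01-10T09:05:12Z",
     "SubjectUserSid": LOCAL_SYSTEM_SID, "TargetSid": ADMINISTRATORS_SID,
     "MemberSid": DOMAIN + "-1105"},   # made in the system context: the bulletin's pattern
    {"EventID": 4732, "TimeCreated": "2024-01-10T09:07:00Z",
     "SubjectUserSid": DOMAIN + "-500", "TargetSid": "S-1-5-32-545",
     "MemberSid": DOMAIN + "-1106"},   # different group (BUILTIN\Users): ignored
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:08:00Z"},  # logon event: ignored
    {"EventID": 4732, "TimeCreated": "2024-01-10T09:10:00Z",
     "SubjectUserSid": DOMAIN + "-500", "TargetSid": ADMINISTRATORS_SID,
     "MemberSid": DOMAIN + "-1107"},   # administrator added an unapproved account
]
APPROVED_ADMINS = {DOMAIN + "-500", DOMAIN + "-1104"}  # constructed baseline


def suspicious_admin_additions(events, approved):
    """Return (time, member SID, reasons) for each Administrators addition to review."""
    findings = []
    for ev in events:
        if ev.get("EventID") != MEMBER_ADDED or ev.get("TargetSid") != ADMINISTRATORS_SID:
            continue
        reasons = []
        if ev.get("SubjectUserSid") == LOCAL_SYSTEM_SID:
            reasons.append("added by Local System")
        if ev.get("MemberSid") not in approved:
            reasons.append("member not in approved baseline")
        if reasons:
            findings.append((ev["TimeCreated"], ev.get("MemberSid"), reasons))
    return findings


if __name__ == "__main__":
    for when, member, reasons in suspicious_admin_additions(SAMPLE_EVENTS, APPROVED_ADMINS):
        print(when, member, "; ".join(reasons))
```

These events are only recorded when auditing of security group management is enabled on the system.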
Affected Software Versions
- Windows NT Workstation versions 3.51 and 4.0
- Windows NT Server versions 3.51 and 4.0
- Windows NT Server, Terminal Server Edition, version 4.0
Vulnerability Identifier: CVE-1999-0344
What Microsoft Is Doing
Microsoft has posted hot fixes to address this problem:
Fix for Microsoft Windows NT 4.0 x86 version - ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/priv-fix/privfixi.exe
Fix for Microsoft Windows NT 4.0 Alpha version - ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/priv-fix/privfixa.exe
Fix for Microsoft Windows NT 3.51 x86 version - ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/priv-fix/privfixi.exe
Fix for Microsoft Windows NT 3.51 Alpha version - ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/priv-fix/privfixa.exe
Fix for Microsoft Windows NT Server Terminal Server Edition, version 4.0 - This fix will be released shortly. When it is available, http://www.microsoft.com/technet/security will carry an announcement that provides the location of the fix.
What Customers Should Do
Microsoft highly recommends that customers using Windows NT operating systems immediately apply the appropriate hot fixes to their systems.
Please see the following references for more information related to this issue:
- Microsoft Security Bulletin 98-009, Update Available for Windows NT Privilege Elevation attack (the Web-posted version of this bulletin), http://www.microsoft.com/technet/security/bulletin/ms98-009.mspx
- Microsoft Knowledge Base article 190288, SecHole lets Non-administrative Users Gain Debug Level Access, http://support.microsoft.com/default.aspx?scid=kb;en-us;190288&sd=tech. This article will not be posted until July 30. In the meantime, it can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/190288.txt
Revisions
- July 27, 1998: Bulletin Created
For additional security-related information about Microsoft products, please visit http://www.microsoft.com/technet/security.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.