[ NT SECURITY ALERT ] New Local GetAdmin Exploit
MJE (mark NTSHOP.NET)
Mon, 27 Jul 1998 19:34:58 -0600

July 27, 1998, (NTSD) - Three gentlemen from India have been kind enough to reveal to The NT Shop (http://www.ntshop.net or http://www.ntsecurity.net) a serious hole in Windows NT systems (any version of Workstation or Server) that readily grants the user complete membership to the Administrators group. According to the discoverers, this exploit works against all versions of WinNT, including WinNT 5.0 betas, and may also be possible against domain controllers in certain circumstances -- this is yet unconfirmed and un-demonstrated as far as I know. Their sample program, SECHOLE.EXE, only exploits the *LOCAL* user database.

THE EXPLOIT, IN A NUTSHELL: by using existing Windows NT services, an application can locate a certain API call in memory, modify the instructions in a running instance, and gain debug-level access to the system, where it then grants the currently logged-in user complete membership to the Administrators group in the local user database.

The NT Shop has reported this problem to Microsoft -- we've been in close contact with their security folks since last week, and are told a fix is ready -- I suspect they'll release a bulletin in the next 24 hours.

For more information on the problem, as well as a brief interview with the discoverers and a working copy of the program demonstrating this serious problem, visit our Web site where you'll find the page link at the top of the list in the left window frame.

Mark
http://www.ntsecurity.net or http://www.ntshop.net