OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Alert: Microsoft Security Bulletin (MS98-009) - Increased
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Alert: Microsoft Security Bulletin (MS98-009) - Increased Privs.


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: Alert: Microsoft Security Bulletin (MS98-009) - Increased Privs.
  • From: Jason Adam Young <jason_youngNCSU.EDU>
  • Date: Wed, 29 Jul 1998 09:48:17 -0400
  • Comments: To: securemicrosoft.com
  • Comments: cc: NTSECURITYlistserv.ntbugtraq.com
  • In-Reply-To: <199807280517.BAA11518cc09ss.unity.ncsu.edu>
  • Reply-To: Jason Adam Young <jason_youngNCSU.EDU>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

Running this on some of our client systems displays
the error message:

"You do not have file add permission in Windows directory
 Unable to reproduce security hole"

(thanks for the error message folks)  Giving the user
group add will make the program work correctly.

So, apparently one has to have add access to %SystemRoot%
(filemon shows it's mostly system32, with one file in
%SystemRoot% called u.ini) for this to work

(which violates every security document
recommendation that I've seen - most especially
Microsoft's own document)

Is this correct?  Can somebody that
knows a lot more about this than I do verify this?
This is a problem and security hole, and I think
that not having the file system rights may mask
the real problem.  But apparently having the
appropriate filesystem permissions prevents this.


Jason
----------------------------------------------
    Jason Adam Young, jason_youngncsu.edu
    NC State University Computing Services


> -----Original Message-----
> From: Windows NT BugTraq Mailing List
> [mailto:NTBUGTRAQLISTSERV.NTBUGTRAQ.COM]On Behalf Of Russ
> Sent: Tuesday, July 28, 1998 1:09 AM
> To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
> Subject: Alert: Microsoft Security Bulletin (MS98-009) - Increased
> Privs.
>
>
> Microsoft have released a Security Bulletin
> <http://www.microsoft.com/security/bulletins/ms98-009.htm> which covers
> a potential attack allowing a local console user to increase their
> privilege through the DebugActiveProcess privilege, thereby allowing
> them to become a local Administrator or perform an action normally
> reserved for privileged users. The bulletin includes a link to a fix.
>
> Recently Microsoft was notified by Mark Joseph Edwards
> <http://www.ntshop.net> <http://www.ntsecurity.net> of a Privilege
> Elevation vulnerability on Microsoft(r) Windows NT(r). A program called
> sechole.exe written by Prasad Dabak, Sandeep Phadke and Milind Borate
> (psdabakhotmail.com, sandeepsandeephotmail.com and
> milindcyberspace.org) exploits this vulnerability, and was published on
> the Internet.
>
> Mark has more information on the problem, as well as a brief interview
> with the discovers and a working copy of the program demonstrating this
> serious problem. Visit his Web site where you'll find the page link at
> the top of the list in the left window frame.
>
> Cheers,
> Russ
>