From: Tony Thai (tonythaiHOTMAIL.COM)
Date: Fri Apr 20 2001 - 09:32:10 CDT


    Hello All,

    I would like to report a vulnerability in Windows NT/2000 which allows a
    user with local admin privileges on a member server/workstation to elevate
    their privileges in a Windows NT/2000 domain. This problem is related to
    Windows NT services and only exists if a service exists on the local
    computer which uses a privileged domain account to logon.

    Systems Affected

    Windows NT / 2000

    A user with local administrator privileges to a workstation or server which
    is a member of a domain can elevate their privileges if a service exists on
    the local computer with higher rights than the user, e.g. if the service is
    configured to start with an account which has domain administrator
    privileges.

    To take advantage of this, a user modifies the parameters for the service
    which starts with higher privileges to start an application or run a command
    of their choice. After restarting the service, the command/application is
    executed in the context of the account used to start the service.

    To replicate this do the following.

    1. Find a service on the local computer which has the Startup Account as a
    Domain Administrator account.
    2. Using regedt32.exe, search the registry for the key corresponding
    to the service under HKLM\System\CCS\Services\
    3. In the key corresponding to the service, replace the ImagePath value with
    the following

    <path to ntreskit folder>\srvany.exe eg. c:\ntreskit\srvany.exe

    4. Replace the Type with 0x110.
    5. Create a subkey called Parameters and add a value called Application with
    the following value

    c:\winnt\system32\cmd.exe /k net user user123 password /add /domain

    6. In the services application in Control Panel, start and stop the service
    which was modified in steps 3 and 4.
    7. An account user123 will be created in the domain.
    8. Modify the Application value in step 5 with the following value.

    c:\winnt\system32\cmd.exe /k net localgroup administrators user123 /add
    /domain

    9. In the services application in Control Panel, start and stop the service
    which was modified in steps 3 and 4.
    10. The user123 account is added to the administrators local group on the
    domain controllers.

    Note: If all services on the local computer do not use domain accounts then
    the computer is not vulnerable. To reproduce the problem on a computer
    without services running using a domain account, configure an existing
    service to start with a domain account with membership to the domain
    administrators group. This service should be of type 0x10 or 0x110. Then
    continue with step 2.

    Similar steps can be used to add the user to the domain administrators group
    using different utilities. Other variations are possible. This was tested on
    a Windows NT 4.0 workstation running in a Windows NT 4.0 domain. Service
    Pack 4. This was also reproduced on a Windows 2000 computer running in a
    Windows 2000 domain. Service Pack 1.

    Possible attacks include exploiting a buffer overflow on a Web Server which
    is a member of a domain giving local system access. Privileges may then be
    elevated from local system to domain admin in the appropriate
    environment.

    Workaround

    Restrict service accounts to run without domain administrator privileges. It
    is prudent to ensure that all service accounts are configured with the
    minimal level of privileges required.

    Microsoft was notified on 17th April 2001.

    Disclaimer:

    The usual disclaimer applies. The opinions expressed in this advisory are my
    own. No responsibility can be taken for misuse of this advisory.
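The workaround in the advisory is to find every service that logs on with a domain account and make sure that account carries no more privilege than it needs. The following PowerShell audit script is an added example, not part of the original post, that enumerates such services on a member server and also flags the two registry modifications the advisory describes (an ImagePath pointing at srvany.exe and a Parameters\Application value that launches a command shell), so an administrator can spot both the exposure and an already-tampered service. It assumes a modern Windows host with PowerShell and local administrator rights; the function name Get-DomainServiceRisk and the list of built-in account names are this example's own choices.

```powershell
# Added audit example (not from the original advisory). Lists services whose
# logon account is a domain account and flags the ImagePath / Parameters
# modifications described in the advisory. Assumes local admin rights.

# Accounts that are local to the machine and therefore out of scope here.
$builtinAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\NETWORK SERVICE'
)

function Get-DomainServiceRisk {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $account = $_.StartName
        if (-not $account) { return }
        if ($builtinAccounts -contains $account) { return }

        # Local accounts appear as .\user or COMPUTERNAME\user; skip them.
        if ($account -match '^\.\\') { return }
        if ($account -match "^$env:COMPUTERNAME\\") { return }

        # Same registry layout the advisory refers to (CCS = CurrentControlSet).
        $regPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
        $imagePath = (Get-ItemProperty -Path $regPath -Name ImagePath `
                        -ErrorAction SilentlyContinue).ImagePath
        $application = (Get-ItemProperty -Path "$regPath\Parameters" `
                        -Name Application -ErrorAction SilentlyContinue).Application

        [pscustomobject]@{
            Service               = $_.Name
            Account               = $account
            StartMode             = $_.StartMode
            ImagePath             = $imagePath
            # True when the service binary has been swapped for the resource
            # kit wrapper, as in step 3 of the advisory.
            SrvAnyWrapper         = [bool]($imagePath -match 'srvany\.exe')
            # True when Parameters\Application launches a shell, as in step 5.
            ShellInApplication    = [bool]($application -match 'cmd\.exe|powershell')
            ParametersApplication = $application
        }
    }
}

# Usage: run on each domain member and review every row. Any row with a
# SrvAnyWrapper or ShellInApplication of True needs immediate investigation;
# the remaining rows are the service accounts whose group memberships should
# be checked against Domain Admins and reduced to the minimum required.
Get-DomainServiceRisk | Sort-Object Account | Format-Table -AutoSize
```

Cross-referencing the listed accounts against the Domain Admins group is left to the administrator (for example with the directory tooling already in use), because that membership lives on the domain controllers rather than in the local service configuration the script reads.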