 
From: BindView Security Advisory (advisory+ntlmsspBOS.BINDVIEW.COM)
Date: Wed Feb 07 2001 - 17:42:16 CST


    BindView Security Advisory
    --------

    Local promotion vulnerability in NT4's NTLM Security Support Provider
    Issue Date: February 7, 2001
    Contact: tsabinrazor.bindview.com

    Topic:
    Local promotion vulnerability in NT4's NTLM Security Support Provider

    Overview:

    Due to a flaw in the NTLM Security Support Provider's handling of
    client requests, it is possible for local users to send requests to
    the privileged server and make the server execute arbitrary code of
    the user's choosing.

    Affected Systems:
    Windows NT 4.0 up to and including SP6a
    Windows 2000 is _not_ affected

    Impact:
    All Windows NT 4.0 machines are subject to compromise by any user who
    can log in locally and run arbitrary programs. This could possibly
    lead to Domain Admin access, if Domain Admin credentials are on the
    machine. In the case of Terminal Server, it should also be possible
    to use the credentials of other users on the compromised machine to
    take actions across the network as those other users.

    Details:

    The NTLM Security Support Provider (NTLMSSP) service is found in
    ntlmssps.dll and is hosted by services.exe. It handles most of the
    cryptographic calculations behind the NTLM protocol for clients. It
    listens for client connections on the LPC port at
    \NtLmSecuritySupportProviderPort. Once a client connects, it sends
    requests to the NTLMSSP to handle the various steps in the NTLM
    protocol. The client indicates which function it wants done by
    putting the proper function number in the first 32-bit word of its LPC
    request to the NTLMSSP. The NTLMSSP then uses this number to index a
    call table and calls the associated function. The NTLMSSP _does_
    perform a check on the function number to verify it's legal, but it
    does this check incorrectly, treating the index as signed instead of
    unsigned, so the check can be bypassed simply by making the number
    negative.

    So, the client can use more or less any index it wants to, but what
    can it use to jump somewhere useful? Well, it happens that the
    NtConnectPort api which is used to connect to
    \NtLmSecuritySupportProviderPort allows the client to map a shared
    memory section into the server's address space, and is even kind
    enough to tell the client what address it was mapped at. The client
    can then calculate the proper index to call through a pointer in the
    first 32 bits of that section, and put a pointer there to the rest of
    the section. He can then fill that with whatever code he wants. When
    he makes the proper request to the NTLMSSP, it will then call through
    to his code, and execute it as SYSTEM.
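    The bug class described above, as an added illustration in C that is
    not code from BindView, Microsoft or ntlmssps.dll: a dispatcher whose
    first 32-bit request word indexes a call table, with the flawed
    signed bounds check beside the corrected unsigned one. The handler
    names, their return codes and the table size are assumptions made
    for the example; the point is that a negative function number passes
    the signed comparison and is rejected by the unsigned one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not BindView's or Microsoft's code: a request
 * dispatcher shaped like the advisory's description, in which the first
 * 32-bit word of a client request selects an entry in a call table.
 * The handler names, return codes and table size are assumptions. */

typedef int32_t (*handler_fn)(const uint8_t *body, size_t len);

/* Stand-in handlers; each returns a distinct constructed code so a
 * caller can tell which table slot was reached. */
static int32_t handle_negotiate(const uint8_t *body, size_t len)
{ (void)body; (void)len; return 0x10; }
static int32_t handle_challenge(const uint8_t *body, size_t len)
{ (void)body; (void)len; return 0x20; }
static int32_t handle_authenticate(const uint8_t *body, size_t len)
{ (void)body; (void)len; return 0x30; }

#define NUM_HANDLERS 3
static const handler_fn call_table[NUM_HANDLERS] = {
    handle_negotiate, handle_challenge, handle_authenticate,
};

#define DISPATCH_BAD_INDEX (-1)

/* The flawed pattern: the index is compared as a signed value, so every
 * negative number is "less than NUM_HANDLERS" and passes.  Indexing the
 * table with it would read a pointer from memory before the table. */
int signed_check_admits(int32_t fn)
{
    return fn < NUM_HANDLERS;
}

/* The corrected pattern: compare as unsigned.  A negative 32-bit pattern
 * becomes a large positive and is rejected along with any other
 * out-of-range value, so only indices 0..NUM_HANDLERS-1 survive. */
int unsigned_check_admits(uint32_t fn)
{
    return fn < (uint32_t)NUM_HANDLERS;
}

/* Hardened dispatch: the function number is taken as the raw 32 bits the
 * client sent and validated with the unsigned comparison before it is
 * ever used as a table index. */
int32_t dispatch_request(uint32_t fn, const uint8_t *body, size_t len)
{
    if (!unsigned_check_admits(fn))
        return DISPATCH_BAD_INDEX;
    return call_table[fn](body, len);
}

int main(void)
{
    /* The same 32-bit word is -1 when read as signed, 0xFFFFFFFF as unsigned. */
    printf("signed check admits -1:         %d\n", signed_check_admits(-1));
    printf("unsigned check admits 0xFFFFFFFF: %d\n",
           unsigned_check_admits(0xFFFFFFFFu));
    printf("dispatch(1) -> 0x%x\n", (unsigned)dispatch_request(1, NULL, 0));
    printf("dispatch(0xFFFFFFFF) -> %d\n",
           (int)dispatch_request(0xFFFFFFFFu, NULL, 0));
    return 0;
}
```

    The lesson for review of any LPC or RPC server is the same one the
    advisory turns on: a value that arrives from a less-privileged client
    must be range-checked in the same signedness in which it will be used
    as an index, and the check should reject everything outside
    0..N-1 rather than only values above N.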

    Workarounds:
    None known.

    Recommendations:

    Install the hotfix from Microsoft, when available.

    Limit local logon privileges, if possible.

    References:

    Microsoft's security bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS01-008.asp

    Microsoft's FAQ:
    http://www.microsoft.com/technet/security/bulletin/fq01-008.asp

    Microsoft's Hotfix:
    NT4: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27804

    Microsoft's Knowledge Base article:
    http://www.microsoft.com/technet/support/kb.asp?ID=280119
    (should be available shortly)
