From: Steve Manzuik (smanzuik@RAZOR.BINDVIEW.COM)
Date: Thu Feb 08 2001 - 16:12:47 CST

    Just a small FYI.

    Mitre has assigned CVE CAN-2001-0016 to this issue.

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Steve Manzuik smanzuik@razor.bindview.com
    Security Analyst phone: (403)660-2997
    BindView RAZOR Team fax: (403)203-3010
    http://razor.bindview.com
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

    >
    >BindView Security Advisory
    >--------
    >
    >Local promotion vulnerability in NT4's NTLM Security Support Provider
    >Issue Date: February 7, 2001
    >Contact: tsabin@razor.bindview.com
    >
    >Topic:
    >Local promotion vulnerability in NT4's NTLM Security Support Provider
    >
    >Overview:
    >
    >Due to a flaw in the NTLM Security Support Provider's handling of
    >client requests, it is possible for local users to send requests to
    >the privileged server and make the server execute arbitrary code of
    >the user's choosing.
    >
    >Affected Systems:
    >Windows NT 4.0 up to and including SP6a
    >Windows 2000 is _not_ affected
    >
    >Impact:
    >All Windows NT 4.0 machines are subject to compromise by any user who
    >can log in locally and run arbitrary programs. This could possibly
    >lead to Domain Admin access, if Domain Admin credentials are on the
    >machine. In the case of Terminal Server, it should also be possible
    >to use the credentials of other users on the compromised machine to
    >take actions across the network as those other users.
    >
    >Details:
    >
    >The NTLM Security Support Provider (NTLMSSP) service is found in
    >ntlmssps.dll and is hosted by services.exe. It handles most of the
    >cryptographic calculations behind the NTLM protocol for clients. It
    >listens for client connections on the LPC port at
    >\NtLmSecuritySupportProviderPort. Once a client connects, it sends
    >requests to the NTLMSSP to handle the various steps in the NTLM
    >protocol. The client indicates which function it wants done by
    >putting the proper function number in the first 32-bit word of its LPC
    >request to the NTLMSSP. The NTLMSSP then uses this number to index a
    >call table and calls the associated function. The NTLMSSP _does_
    >perform a check on the function number to verify it's legal, but it
    >does this check incorrectly, treating the index as signed instead of
    >unsigned, so the check can be bypassed simply by making the number
    >negative.
    >
    >So, the client can use more or less any index it wants to, but what
    >can it use to jump somewhere useful? Well, it happens that the
    >NtConnectPort API which is used to connect to
    >\NtLmSecuritySupportProviderPort allows the client to map a shared
    >memory section into the server's address space, and is even kind
    >enough to tell the client what address it was mapped at. The client
    >can then calculate the proper index to call through a pointer in the
    >first 32 bits of that section, and put a pointer there to the rest of
    >the section. He can then fill that with whatever code he wants. When
    >he makes the proper request to the NTLMSSP, it will then call through
    >to his code, and execute it as SYSTEM.
    >
    >
    >Workarounds:
    >None known.
    >
    >Recommendations:
    >
    >Install the hotfix from Microsoft, when available.
    >
    >Limit local logon privileges, if possible.
    >
    >
    >References:
    >
    >Microsoft's security bulletin:
    >http://www.microsoft.com/technet/security/bulletin/MS01-008.asp
    >
    >Microsoft's FAQ:
    >http://www.microsoft.com/technet/security/bulletin/fq01-008.asp
    >
    >Microsoft's Hotfix:
    >NT4: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27804
    >
    >Microsoft's Knowledge Base article:
    >http://www.microsoft.com/technet/support/kb.asp?ID=280119
    >(should be available shortly)

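The signed-versus-unsigned bounds check the advisory's Details section describes, shown as an added C illustration. This is not BindView's or Microsoft's code and does not reproduce the NTLMSSP dispatcher; it assumes a hypothetical four-entry call table (`call_table`, with constructed stand-in handlers) and two constructed checks, `index_accepted_signed` and `index_accepted_unsigned`, that model the broken test and the corrected one. The `dispatch` routine only ever calls through the corrected check, and `count_accepted` runs both checks over a constructed set of request values so the gap between them is visible.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical call table standing in for the NTLMSSP function table.
 * The handlers are constructed stand-ins; each just returns its slot number. */
#define NUM_FUNCS 4

typedef int (*handler_fn)(void);

static int handler0(void) { return 0; }
static int handler1(void) { return 1; }
static int handler2(void) { return 2; }
static int handler3(void) { return 3; }

static handler_fn call_table[NUM_FUNCS] = { handler0, handler1, handler2, handler3 };

/* Broken bounds test, modelled on the flaw the advisory describes:
 * the 32-bit function number from the request is compared as a signed
 * value, so only the upper bound is enforced. Any negative number is
 * "less than NUM_FUNCS" and slips through, which would index memory
 * before the start of the table. Returns 1 if the number is accepted. */
int index_accepted_signed(int32_t fn)
{
    return fn < NUM_FUNCS;
}

/* Corrected bounds test: compare as unsigned. A negative request value
 * becomes a very large unsigned number and is rejected, along with
 * anything at or past the end of the table. */
int index_accepted_unsigned(int32_t fn)
{
    return (uint32_t)fn < (uint32_t)NUM_FUNCS;
}

/* Dispatcher that uses the corrected check only, so it never calls
 * through an out-of-range slot. Returns the handler's result, or -1
 * when the request is rejected. */
int dispatch(int32_t fn)
{
    if (!index_accepted_unsigned(fn))
        return -1;
    return call_table[(uint32_t)fn]();
}

/* Audit helper: count how many of a list of request values a given
 * check would accept. */
int count_accepted(const int32_t *requests, int n, int (*check)(int32_t))
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (check(requests[i]))
            accepted++;
    return accepted;
}

int main(void)
{
    /* Constructed sample request values: two valid slots, one-past-end,
     * and two negative numbers of the kind the signed test lets through. */
    const int32_t samples[] = { 0, 3, 4, -1, INT32_MIN };
    const int n = (int)(sizeof samples / sizeof samples[0]);

    printf("signed check accepts   %d of %d\n",
           count_accepted(samples, n, index_accepted_signed), n);
    printf("unsigned check accepts %d of %d\n",
           count_accepted(samples, n, index_accepted_unsigned), n);
    printf("dispatch(2) = %d, dispatch(-1) = %d, dispatch(4) = %d\n",
           dispatch(2), dispatch(-1), dispatch(4));
    return 0;
}
```

Over the five sample values the signed test accepts four (everything but 4), while the unsigned test accepts only the two genuine slots; the single cast in the comparison is the whole difference between the two. When reviewing a dispatcher that indexes a table with a caller-supplied number, the thing to look for is exactly this: a check that enforces only the upper bound, or one that compares a signed value against a table size.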