DebPloit (exploit)

SECURITYVULNS:DOC:2638 (vulners.com), Mar 15, 2002 - 12:00 a.m.
DebPloit allows Everyone to obtain a handle to any process or thread.
The handles carry enough access to elevate anyone to SYSTEM/admin (in
the case the Target is running under the LocalSystem or an Administrator account).

Works on: Any MS Windows NT 4.0, Windows 2000 (SPs before Mar-12-2002).
Earlier NT versions were not tested.

Discovered: Mar-09-2002.
Author: Radim "EliCZ" Picha. [email protected]. http://www.anticracking.sk/EliCZ.

Details: Exploit\DebPloit.h.

Principle: Ask the debugging subsystem (which lives in smss.exe, running as
SYSTEM) to create (duplicate) handle(s) to the Target for you:
1. Become a dbgss client (DbgUiConnectToDbg).
2. Connect to the DbgSsApiPort LPC port (ZwConnectPort).
Everyone has access to this port.
3. Ask dbgss to handle a CreateProcess SsApi request with the client id
(or pid or tid only) of the Target (ZwRequestPort).
4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT
(WaitForDebugEvent). The message contains the duplicated handle(s).
5. When the debugger's thread terminates (e.g. on logoff), the Target process
or thread is terminated too (as if it had been regularly debugged).

How MS will solve this problem:
*) Impersonate the requesting thread (or the client of the port); try to open the Target
pid or tid; revert to self. If the open failed, refuse the request/debugging/
duplication (csrss does it this way).
*) Put restrictions on the DbgSsApiPort port: don't use the WORLD SID, …
[*) Move dbgss to the kernel like in Windows XP ;)]
I will tell you which solution MS used after the next hotfix or SP is
out.

How administrators can solve this problem:
*) Modify the smss.exe file (one-byte change). See the HotFix directory.
*) Hook NtConnectPort and refuse non-system/admin connections to DbgSsApiPort.
*) Modify the security descriptor of the port object in kernel memory, …

Notes: It is interesting how long (~6 years) this "possibility" was available.
The "beauty" of this "exploit" is that it is supported by the OS. No overflows,
no buggy drivers, no invalid pointers, no syscalls, no patching.

EliCZ, Mar-11-2002