Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2698
HistoryMar 30, 2002 - 12:00 a.m.

Local Security Vulnerability in Windows NT and Windows 2000

2002-03-3000:00:00
vulners.com
25
JSON
  • LOCAL SECURITY VULNERABILITY IN WINDOWS NT AND WINDOWS 2000

Radim "EliCZ" Picha ([email protected]) discovered a vulnerability in
Windows NT 4.0 and Windows 2000. He has written an exploit called DebPloit
that shows the weakness of a local Windows NT/2000 security and totally
compromises entire security subsystem.

DebPloit uses a hole in the NT/2000 debugging subsystem and allows ANY user
with ANY privileges (even Guest and Restricted user) to execute processes in
the security context of an administrator or a local system (SYSTEM) account.
In other words, any person who have an access to the local computer can
became an administrator and do everything he/she wants.

Principle: Ask the debugging subsystem (smss.exe) to duplicate a handle to
Target (any process running on the local computer):

  1. Become dbgss client (DbgUiConnectToDbg).

  2. Connect to the DbgSsApiPort Local Procedure Call (LPC) port
    (ZwConnectPort). Everyone can access this port.

  3. Ask dbgss to handle CreateProcess SsApi with Target's client id
    (ZwRequestPort).

  4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT
    (WaitForDebugEvent). Message contains a duplicated handle.

  5. Impersonate your security context using a duplicated handle.

  6. Execute any code (e.g. run an external program) in the security context
    of Target.

Download DebPloit with a source code from
http://www.anticracking.sk/EliCZ/bugs/DebPloit.zip

To test your system for this vulnerability:

  1. Download DebPloit.zip and unzip it to the directory on your hard drive.

  2. Logoff and login again using Guest (or any other non-administrative
    account) account.

  3. Run ERunAsX.exe from the command line and specify a program you wish to
    execute under the SYSTEM account (e.g. "ERunAsX.exe cmd").

  4. Your program now runs under the SYSTEM account and you can do everything
    (e.g. create new user with an administrative privileges) on the local
    computer.

  • HOTFIX

To close this hole and protect your computers and network against attacks
from the inside, you can use an unofficial hotfix released by SmartLine,
Inc.

DebPloitFix is a hotfix that closes the security hole using by the DebPloit
exploit. DebPloitFix is implemented as a kernel mode driver that can be run
dinamically (no need to restart your system). DebPloitFix assigns the new
security descriptor to the DbgSsApiPort LPC port so only the local system
(SYSTEM user) will be able to access this port.

Download DebPloitFix with a source code from
http://www.smartline.ru/software/DebPloitFix.zip

For more information, please visit http://www.ntutility.com/freeware.html

JSON