Date: 1999-02-19
NT exploit: L0pht plugs Bill's hole
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
- Discovered a new security hole in NT that lets users with only low-privilege access, but some skill, gain administrator rights on the local network
- explained how a bad guy can exploit it
- and then wrote a patch that closes the nasty hole
That's just how they are, the quick boyz from L0pht.
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
dildog@l0pht.com
February 18, 1999
Application: Microsoft Windows NT 4.0
Severity: any local user can gain administrator privileges and/or take full control over the system

Microsoft Windows NT 4.0 implements a system-wide cache of file-mapping
objects for the purpose of loading system
dynamic link libraries (DLLs) as quickly as possible. These cache
objects, located in the system's internal object namespace, are
created with permissions such that the 'Everyone' group has full
control over them. Hence, it is possible to delete these cache
objects and replace them with others that point to different DLLs.
When processes are created, the loader maps/loads the loading
executable's imported DLLs into the process space. If there is a DLL
cache object available, it is simply mapped into the process space,
rather than going to the disk. Hence, there is an exploitable
condition, when a low-privilege user replaces a DLL in the cache with
a trojan DLL, followed by a high-privilege account launching a
process. The high-privileged process will map in the trojan DLL and
execute code on behalf of the low-privilege user.
--- Affected systems: ---
Windows NT 4.0 Server SP4
Windows NT 4.0 Workstation SP4
Other service packs are likely to be vulnerable, but the exploit has
not been tested on them, neither has the fix presented below.
--- Description : ---
The Windows NT object namespace is the place where the kernel
keeps the names of mutexes, semaphores, filemapping objects, and
other kernel objects. It is organized hierarchically, like a directory
structure. Amongst the directories are:
\Device
\BaseNamedObjects
\Driver
\KnownDlls
...
The NT object namespace is browsable with a tool called 'WinObj
2.0' from System Internals (their website is
http://www.sysinternals.com). You may wish to look around this
namespace and browse the default permissions of objects. It is quite
entertaining, really.
The "\Knowndlls" directory contains a list of DLLs in the
c:\winnt\system32 directory, like:
\KnownDlls\COMCTL32.dll
\KnownDlls\MPR.dll
\KnownDlls\advapi32.dll
\KnownDlls\kernel32.dll
..
All of these objects are created at boot time, and are 'permanent
shared objects'. Normally, users can not create permanent shared
objects (it's an advanced user right, and it is normally not assigned
to any group, even Administrators). But the system preloads this
cache for you. Permanent shared objects differ from regular shared
objects only in the fact that they have a flag set, and an incremented
reference count, such that if you create one, and then terminate the
creating process or close all handles to the object, it does not
disappear from the object space.
To exploit the poor permissions on this cache, one first needs to
delete one of the shared objects by name, in order to later replace it.
So we make a call to the NTDLL.DLL native function
"OpenSection()", getting a handle to the object. Then we call the
NTOSKRNL.EXE native function "ZwMakeTemporaryObject()" which
removes the 'permanent' flag and decrements the reference counter
from the object. Now we just call NTDLL.DLL:NtClose() on the handle
and it is destroyed.
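As an added defender-side check (not part of the advisory or of L0pht's code), this PowerShell script uses Sysinternals AccessChk to list the effective rights that low-privilege principals hold on the \KnownDlls directory and its section objects, and flags any right that would permit the delete-and-replace sequence described above. It assumes accesschk.exe is on the PATH and that its verbose output prints each object on its own line (prefixed RW, R or W) followed by indented access-right names; both are assumptions, not facts taken from the advisory.

```powershell
# Added example: audit who can destroy or retarget \KnownDlls section objects.
# Assumptions: accesschk.exe is reachable via $AccessChk; its verbose output
# prints "RW \KnownDlls\name" (or "R  "/"W  ") followed by indented right names.
param(
    [string]$AccessChk = 'accesschk.exe',
    [string[]]$Principals = @('Everyone', 'Users', 'Authenticated Users')
)

# Rights that let a caller delete a section object or rewrite its DACL, which is
# what the advisory relies on (remove the cache entry, then replace it).
$Dangerous = 'DELETE', 'WRITE_DAC', 'WRITE_OWNER', 'SECTION_MAP_WRITE',
             'SECTION_EXTEND_SIZE', 'GENERIC_WRITE', 'GENERIC_ALL', 'SECTION_ALL_ACCESS'

function Get-KnownDllsRights {
    param([string]$Principal)
    # -o: Object Manager namespace, -v: list individual rights, -u: suppress errors
    $lines = & $AccessChk -nobanner -accepteula -o -v -u $Principal '\KnownDlls' 2>$null
    $current = $null
    foreach ($line in $lines) {
        # An object line starts a new record; the directory itself is included.
        if ($line -match '^\s*(RW|R|W)?\s*(\\KnownDlls(\\\S+)?)\s*$') {
            if ($current) { $current }
            $current = [pscustomobject]@{ Principal = $Principal; Object = $Matches[2]; Rights = @() }
        } elseif ($current -and $line.Trim()) {
            $current.Rights += $line.Trim()   # indented right name under the object
        }
    }
    if ($current) { $current }
}

$findings = foreach ($p in $Principals) {
    Get-KnownDllsRights -Principal $p | ForEach-Object {
        $bad = @($_.Rights | Where-Object { $Dangerous -contains $_ })
        if ($bad.Count -gt 0) {
            [pscustomobject]@{
                Principal       = $_.Principal
                Object          = $_.Object
                DangerousRights = ($bad -join ', ')
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Low-privilege principals can delete or rewrite \KnownDlls objects:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No delete/write rights on \KnownDlls for the audited principals.'
}
```

A patched system should report nothing for Everyone and Users; any row in the table is a host where the cache can still be swapped out by an unprivileged account.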
....
To try out this vulnerability, obtain an account as a low-privilege
guest user (referred to as 'Dick') and do the following:
....
full text
http://www.l0pht.com/advisories.html
relayed by
dildog@l0pht.com via russ@ntbugtraq.com
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by Harkank
published on: 1999-02-19
comments to office@quintessenz.at
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-