July 27, 1998, (NTSD) - Three gentlemen from India have been kind enough to reveal to The NT Shop (http://www.ntshop.net or http://www.ntsecurity.net) a serious hole in Windows NT systems (any version of Workstation or Server) that readily grants the user complete membership in the Administrators group. According to the discoverers, this exploit works against all versions of WinNT, including WinNT 5.0 betas, and may also be possible against domain controllers in certain circumstances -- this is as yet unconfirmed and undemonstrated as far as I know. Their sample program, SECHOLE.EXE, only exploits the *LOCAL* user database.

THE EXPLOIT, IN A NUTSHELL: by using existing Windows NT services, an application can locate a certain API call in memory, modify the instructions in a running instance, and gain debug-level access to the system, where it then grants the currently logged-in user complete membership in the Administrators group in the local user database.

The NT Shop has reported this problem to Microsoft -- we've been in close contact with their security folks since last week, and are told a fix is ready -- I suspect they'll release a bulletin in the next 24 hours.

For more information on the problem, as well as a brief interview with the discoverers and a working copy of the program demonstrating this serious problem, visit our Web site, where you'll find the page link at the top of the list in the left window frame.

Mark
http://www.ntsecurity.net or http://www.ntshop.net
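The observable result of the hole described above is a new, unexpected member in the local Administrators group. The following is an added, defender-side example (not code from the original post or from SECHOLE.EXE) that scans exported Security log lines for additions to the Administrators group and flags the two cases that matter here: an account that added itself, and a member who is not on an approved list. The key="value" export format, the account names and the timestamps are constructed for this example; the event ID 4732 ("A member was added to a security-enabled local group") is the modern Windows ID, which differs from the NT 4 numbering, and account-management auditing must be enabled for the event to exist at all.

```python
"""Flag additions to the local Administrators group in exported Security log lines.

Constructed example: the SAMPLE_LOG lines imitate a simplified key="value" export of
Windows Security events. Field names, hosts, accounts and times are invented for this
example; adapt parse_line() to the real export format in use.
"""
import re
from dataclasses import dataclass

# Modern Windows event ID for "a member was added to a security-enabled local group".
# (NT 4 numbered its audit events differently.)
MEMBER_ADDED_TO_LOCAL_GROUP = "4732"

KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    timestamp: str
    group: str
    member: str
    actor: str
    reason: str


def parse_line(line):
    """Parse one key="value" log line into a dict; return None for malformed lines."""
    fields = dict(KV_RE.findall(line))
    return fields if fields.get("EventID") else None


def find_suspicious_admin_adds(lines, approved_admins, admin_groups=("Administrators",)):
    """Return a Finding for every addition to an admin group that is self-granted
    or not covered by the approved list."""
    approved = {a.lower() for a in approved_admins}
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["EventID"] != MEMBER_ADDED_TO_LOCAL_GROUP:
            continue
        if ev.get("TargetGroup") not in admin_groups:
            continue
        member = ev.get("MemberAccount", "")
        actor = ev.get("SubjectAccount", "")
        if member.lower() == actor.lower():
            # The pattern of a local privilege escalation: the logged-in user
            # grants membership to itself.
            reason = "account added itself to an administrators group"
        elif member.lower() not in approved:
            reason = "member not on the approved administrators list"
        else:
            continue
        findings.append(Finding(ev.get("Time", "?"), ev["TargetGroup"], member, actor, reason))
    return findings


# Constructed sample export: one ordinary logon, three additions to Administrators,
# one addition to an unrelated group, and one malformed line.
SAMPLE_LOG = [
    r'Time="1998-07-27T09:12:40" EventID="4624" SubjectAccount="WS01\alice"',
    r'Time="1998-07-27T09:14:02" EventID="4732" TargetGroup="Administrators" MemberAccount="WS01\alice" SubjectAccount="WS01\alice"',
    r'Time="1998-07-27T10:01:15" EventID="4732" TargetGroup="Administrators" MemberAccount="WS01\helpdesk" SubjectAccount="WS01\itadmin"',
    r'Time="1998-07-27T10:05:33" EventID="4732" TargetGroup="Administrators" MemberAccount="WS01\itadmin2" SubjectAccount="WS01\itadmin"',
    r'Time="1998-07-27T10:07:01" EventID="4732" TargetGroup="Remote Desktop Users" MemberAccount="WS01\bob" SubjectAccount="WS01\itadmin"',
    "garbage line with no fields",
]

# Constructed approved list of accounts that are allowed to hold local admin rights.
APPROVED_ADMINS = [r"WS01\itadmin", r"WS01\itadmin2"]

if __name__ == "__main__":
    for f in find_suspicious_admin_adds(SAMPLE_LOG, APPROVED_ADMINS):
        print(f"{f.timestamp} {f.group}: {f.member} added by {f.actor} ({f.reason})")
```

Run against the constructed sample, the scan reports two findings: alice adding herself, and the unapproved helpdesk account; the itadmin2 addition is approved and the Remote Desktop Users change is outside the groups being watched. The same logic applies to a periodic snapshot of the group's membership instead of event logs when auditing was not enabled at the time of the change.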
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:39 PDT