Cybermedia Software has found the following vulnerability: < http://www.cybermedia.co.in/NT%20Security/SS%20vulnerability.htm > Screen Saver vulnerability Description: The Screen Saver is started by Winlogon.Exe whenever the machine is idle for the specified amount of time. Screen Saver setting is a per user property and every user has right to set his own screen saver. The screen saver is started by Winlogon.Exe, initially in a suspended mode using CreateProcess API call. Once Winlogon.Exe gets the process handle to screen saver, it changes the primary security token of the screen saver to that of the logged in user and then resumes the screen saver process. This is done for security reasons. If Winlogon were to NOT do this, then screen saver would run with the security context of Winlogon.Exe (which runs in system context). Problem: The Winlogon.Exe DOES NOT check whether the changing of Primary token is successful. Hence if setting of primary token fails due to some reason, the screen saver binary will run in system context and be able to do whatever it pleases (e.g adding the logged in user to admin group). Simulation: On Windows NT 3.51 and all its service packs, Windows NT 4.0 with Service Pack 1, and NT 5.0 beta1 and beta2, when an MS-DOS application is spawned, the returned process handle is junk (rather it is a special event handle). The simulation consists of one 32-bit application say BEADMIN.EXE and one MS-DOS based application, say SCRNSAVE.EXE. The BEADMIN.EXE when started does the following * Creates one event in `not-signal'ed state * Sets up the screen saver. The screen saver executable is specified as SCRNSAVE.EXE and the timeout is set to minimum. . BEADMIN.EXE now waits on the event. After some time, the screen saver is triggered. This results in Winlogon.Exe spawning SCRNSAVE.EXE. Since the CreateProcess call returns junk handle to Winlogon.Exe, the setting of primary token fails. Hence the SCRNSAVE.EXE application (NTVDM.EXE) runs in System Context. This SCRNSAVE.EXE again spawns BEADMIN.EXE application. Now this second copy of BEADMIN.EXE inherits the security context of NTVDM which is System Context. This application adds the logged in user to admin group and signals the event on which first instance of BEADMIN.EXE is waiting. In response to this the first copy of BEADMIN.EXE resets back the Screen Saver settings and quits. The logged in user name is passed between the first and second copy of BEADMIN.EXE using shared section. Comments: Although this program does not run on versions of Windows NT 4.0 after Service pack 1, the vulnerability exists in these versions as well. i.e in these versions also Winlogon.exe fails to perform the validation. but the condition required for simulation does not happen. i.e In these versions, winlogon.exe gets the proper handle to the process. Since the vulnerability is once again reproducible in the beta versions of NT 5.0, it is clear that it needs to be fixed. [1]Download Demo for Screen Saver vulnerability Blueline.jpg (398 bytes) Copyright© 1999, Cybermedia Software Private Limited. All trademarks are property of their respective holders. References 1. http://www.cybermedia.co.in/Free%20Downloads/ScrnSave.zip
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:24 PDT