The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Local promotion in NT4's NTLM Security Support Provider


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Wed, 7 Feb 2001 18:41:31 -0500
From: BindView Security Advisory <[email protected]>
To: [email protected]
Subject: Local promotion in NT4's NTLM Security Support Provider

BindView Security Advisory
--------

Local promotion vulnerability in NT4's NTLM Security Support Provider
Issue Date: February 7, 2001
Contact:  [email protected]

Topic:
Local promotion vulnerability in NT4's NTLM Security Support Provider

Overview:

Due to a flaw in the NTLM Security Support Provider's handling of
client requests, it is possible for local users to send requests to
the privileged server and make the server execute arbitrary code of
the user's choosing.

Affected Systems:
Windows NT 4.0 up to and including SP6a
Windows 2000 is _not_ affected

Impact:
All Windows NT 4.0 machines are subject to compromise by any user who
can log in locally and run arbitrary programs.  This could possibly
lead to Domain Admin access, if Domain Admin credentials are on the
machine.  In the case of Terminal Server, it should also be possible
to use the credentials of other users on the compromised machine to
take actions across the network as those other users.

Details:

The NTLM Security Support Provider (NTLMSSP) service is found in
ntlmssps.dll and is hosted by services.exe.  It handles most of the
cryptographic calculations behind the NTLM protocol for clients.  It
listens for client connections on the LPC port at
\NtLmSecuritySupportProviderPort.  Once a client connects, it sends
requests to the NTLMSSP to handle the various steps in the NTLM
protocol.  The client indicates which function it wants done by
putting the proper function number in the first 32bit word of its LPC
request to the NTLMSSP.  The NTLMSSP then uses this number to index a
call table and calls the associated function.  The NTLMSSP _does_
perform a check on the function number to verify it's legal, but it
does this check incorrectly, treating the index as signed instead of
unsigned, so the check can be bypassed simply by making the number
negative.

So, the client can use more or less any index it wants to, but what
can it use to jump somewhere useful?  Well, it happens that the
NtConnectPort api which is used to connect to
\NtLmSecuritySupportProviderPort allows the client to map a shared
memory section into the server's address space, and is even kind
enough to tell the client what address it was mapped at.  The client
can then calculate the proper index to call through a pointer in the
first 32bits of that section, and put a pointer there to the rest of
the section.  He can then fill that with whatever code he wants.  When
he makes the proper request to the NTLMSSP, it will then call through
to his code, and execute it as SYSTEM.


Workarounds:
None known.

Recommendations:

Install the hotfix from Microsoft, when available.

Limit local logon privileges, if possible.


References:

Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-008.asp

Microsoft's FAQ:
http://www.microsoft.com/technet/security/bulletin/fq01-008.asp

Microsoft's Hotfix:
NT4: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27804

Microsoft's Knowledge Base article:
http://www.microsoft.com/technet/support/kb.asp?ID=280119
(should be available shortly)

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру