DOCUMENT:Q190288
TITLE :SecHole Lets Non-administrative Users Gain Debug Level Access
PRODUCT :Windows NT
PROD/VER:3.51 4.0
OPER/SYS:WINDOWS NT
KEYWORD :kbbug3.51 kbbug4.00 kbfix4.00
--------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Windows NT Server versions 3.51 and 4.0
- Microsoft Windows NT Workstation versions 3.51 and 4.0
- Microsoft Windows NT Server, Enterprise Edition version 4.0
--------------------------------------------------------------------------
SYMPTOMS
========
A utility, Sechole.exe, is being circulated on the Internet that performs a
sophisticated sequence of steps allowing a non-administrative user to gain
debug-level access to a system process. Using this utility, the
non-administrative user can run code in the system security context and
thereby grant himself or herself local administrative privileges on the
system.
CAUSE
=====
Sechole.exe locates the memory address of a particular API function
(OpenProcess) and modifies the instructions at that address in the running
image of the exploit program on the local system. Sechole.exe then requests
debug rights, which give it elevated privileges. The request succeeds
because the access check for this right is expected to take place in the
API that the exploit program has already modified. Sechole.exe can now add
the user who invoked it to the local Administrators group.
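The design flaw described above, and the principle behind the hotfix given under RESOLUTION (the access check must be made by the server, not by code running in the caller's process), modeled as an added Python example that is not part of this article and calls no Windows API; the server classes, the account names and the use of the SeDebugPrivilege name as a plain label are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: the local Administrators group and two local accounts.
ADMINISTRATORS = {"alice"}


@dataclass
class Token:
    user: str
    privileges: set = field(default_factory=set)


def in_process_access_check(token: Token) -> bool:
    """The check the exploit defeats: it runs inside the caller's own process,
    so the caller controls its code. Here it is simply replaceable."""
    return token.user in ADMINISTRATORS


class TrustingServer:
    """Pre-hotfix model: grants the right because the client reports it passed."""
    def grant(self, token: Token, right: str, client_passed: bool) -> bool:
        if client_passed:
            token.privileges.add(right)
        return client_passed


class CheckingServer:
    """Post-hotfix model: the server decides from the caller's identity alone."""
    def grant(self, token: Token, right: str, client_passed: bool) -> bool:
        if token.user not in ADMINISTRATORS:  # client_passed is ignored
            return False
        token.privileges.add(right)
        return True


def request_debug_right(server, token: Token, check=in_process_access_check) -> bool:
    """Client-library call: check locally, then ask the server for the right."""
    return server.grant(token, "SeDebugPrivilege", check(token))


def demo() -> dict:
    """A non-admin caller with an altered in-process check, against both servers."""
    tampered = lambda token: True  # models the modified instructions in the caller's image
    return {
        "trusting_server_untampered": request_debug_right(TrustingServer(), Token("bob")),
        "trusting_server_tampered": request_debug_right(TrustingServer(), Token("bob"), tampered),
        "checking_server_tampered": request_debug_right(CheckingServer(), Token("bob"), tampered),
        "checking_server_admin": request_debug_right(CheckingServer(), Token("alice")),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

Only the server that re-derives the decision from the caller's identity denies the tampered request; a check that lives in the caller's process can be defeated by anyone who controls that process.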
RESOLUTION
==========
Windows NT 4.0
--------------
Microsoft has confirmed this problem could result in some degree of
security vulnerability in Windows NT version 4.0. A fully supported fix is
now available, but it has not been fully regression tested and should only
be applied to systems determined to be at risk of attack. Please evaluate
your system's physical accessibility, network and Internet connectivity,
and other factors to determine the degree of risk to your system. If your
system is sufficiently at risk, Microsoft recommends you download the fix
as described below and apply this fix. If you are not severely impacted by
this specific problem, Microsoft recommends that you wait for the next
Windows NT service pack that contains this fix.
For a complete list of Microsoft Technical Support phone numbers and
information on support costs, please go to the following address on the
World Wide Web:
http://support.microsoft.com/support/supportnet/default.asp
This fix should have the following file attributes:
Date      Time    Size     File Name    Platform
------------------------------------------------------------
07/27/98  06:48p  29,456   Csrsrv.dll   x86
07/27/98  06:52p   7,440   Csrss.exe    x86
07/27/98  06:46p  49,424   Csrsrv.dll   Alpha
07/27/98  06:46p  12,048   Csrss.exe    Alpha
This hotfix ensures that the access check to grant any rights is done by
the server and not the client. This fix has been posted to the following
Internet location as Privfixi.exe (x86) and Privfixa.exe (Alpha):
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
hotfixes-postSP3/priv-fix/
NOTE: The above link is one path; it has been wrapped for readability.
NOTE: If you contact Microsoft to obtain this fix, a fee may be charged.
This fee is refundable if it is determined that you only require the fix
you requested. However, this fee is non-refundable if you request
additional technical support, if your no-charge technical support period
has expired, or if you are not eligible for standard no-charge technical
support. For more information about eligibility for no-charge technical
support, see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q154871
TITLE: Determining If Your Product Is Eligible for No-Charge
Technical Support
Windows NT 3.51
---------------
Microsoft has confirmed this problem could result in some degree of
security vulnerability in Windows NT version 3.51. A fully supported fix is
now available, but it has not been fully regression tested and should only
be applied to systems determined to be at risk of attack. Please evaluate
your system's physical accessibility, network and Internet connectivity,
and other factors to determine the degree of risk to your system. If your
system is sufficiently at risk, Microsoft recommends you download the fix
as described below and apply this fix.
For a complete list of Microsoft Technical Support phone numbers and
information on support costs, please go to the following address on the
World Wide Web:
http://support.microsoft.com/support/supportnet/default.asp
This fix should have the following file attributes:
Date      Time    Size     File Name    Platform
------------------------------------------------------------
07/31/98  02:47p  31,184   Csrsrv.dll   x86
07/31/98  02:48p   4,400   Csrss.exe    x86
07/31/98  05:47p  48,400   Csrsrv.dll   Alpha
07/31/98  05:48p   5,904   Csrss.exe    Alpha
This hotfix ensures that the access check to grant any rights is done by
the server and not the client. This fix has been posted to the following
Internet location as Privfixi.exe (x86) and Privfixa.exe (Alpha):
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/
hotfixes-postSP5/priv-fix/
NOTE: The above link is one path; it has been wrapped for readability.
NOTE: If you contact Microsoft to obtain this fix, a fee may be charged.
This fee is refundable if it is determined that you only require the fix
you requested. However, this fee is non-refundable if you request
additional technical support, if your no-charge technical support period
has expired, or if you are not eligible for standard no-charge technical
support. For more information about eligibility for no-charge technical
support, see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q154871
TITLE: Determining If Your Product Is Eligible for No-Charge
Technical Support
MORE INFORMATION
================
This exploit can potentially allow a non-administrative user to gain local
administrative access to the system and thereby elevate his or her
privileges on it. To perform this attack, the user must have a valid local
account on the system and physical access to the computer in order to log
on locally.
Sensitive systems, such as Windows NT domain controllers, where
non-administrative users have no local logon rights by default, are not
susceptible to this threat. The attack cannot be used over the network to
obtain domain administrative privileges remotely.
For more information, please see the following Microsoft Security Bulletin
at:
http://www.microsoft.com/security/bulletins/ms98-009.htm
For additional security-related information about Microsoft products,
please go to:
http://www.microsoft.com/security/
Additional query words: 4.00 3.51 Windows NT Privilege Elevation attack
getadmin
============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.