Windows NT NtOpenProcessToken Vulnerability
INFORMATION BULLETIN
H-84: Windows NT NtOpenProcessToken Vulnerability
July 22, 1997 18:00 GMT
PROBLEM: A vulnerability exists in a Microsoft Windows NT operating
system kernel routine.
PLATFORM: Windows NT Workstation and Server 4.0.
DAMAGE: Exploit allows local users to gain Administrator privileges.
SOLUTION: Apply the Microsoft patch and follow the policy guidelines
described below.
VULNERABILITY ASSESSMENT: Exploit is widely available, but attack is only
successful if executed locally.
Introduction:
A vulnerability in Microsoft Windows NT 4.0 allows a user to locally execute a
utility to gain administrator privileges. The utility is successfully
executed from most local user accounts, regardless of the permissions. An
exception to this is the Guest account. Because the attacker must have a valid
account and physical access to the system for this attack to be successful,
the attacker is most likely to be an "insider".
Problem:
The utility works by adding the user (or attacker) to the Administrators'
Group. The Administrators group is usually designed such that its members can
modify the registry, including adding and deleting users, as well as perform
other security functions (changing passwords, permissions, etc.). This group
and any other group or user who has the "Debug Programs" privilege (used for
testing and debugging programs) will always be able to successfully execute
this utility, as well as many other utilities with security risks.
Solution:
In order to mitigate this and similar attacks, CIAC recommends that the
following four configuration controls be applied:
- Apply the Microsoft hotfix located below. CIAC highly recommends that
Service Pack 3 be installed first.
Microsoft's hotfix location (read the README.TXT for more information and
installation instructions):
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix/
- Limit debug rights to those trusted users who must conduct testing or
debugging functions on the system. In general, very few users need the
ability to test and debug systems. Privileges should be granted on an
individual, case-by-case basis. If possible, avoid granting entire groups this
privilege. Once the Microsoft hotfix described in the first item above is
applied, this specific attack will only work if executed from accounts which
have legitimately been granted the debug right, or are already a member of the
Administrators' Group. To check or change who has the "Debug Programs" Right:
1. Log in as an administrator (or with equivalent privileges) on either Windows
NT Workstation or Server (the process is similar for both).
2. Open "User Manager".
3. Choose "Policies", then "User Rights". A dialog box will appear.
4. Check the "Show Advanced User Rights" box ("Debug Programs" is an Advanced
User Right).
5. Choose the "Debug Programs" Right, and Add or Remove users/groups as
necessary.
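The User Manager steps above are a manual check. As an added example that is not part of the CIAC bulletin, the following PowerShell script performs the same audit from the command line on a Windows 2000 or later host (NT 4.0 has no secedit.exe), and generalizes it to the "Log on Locally" right discussed in the next item: it exports the local user-rights policy, resolves each SID, and flags any holder that is not in the expected list (the expected principals are an assumption to adjust for your site).

```powershell
# Added example, not the bulletin's own procedure. Assumes secedit.exe is present
# and the script runs from an elevated prompt.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Policy constant -> display name used in User Manager / the bulletin.
$rights = @{
    'SeDebugPrivilege'        = 'Debug Programs'
    'SeInteractiveLogonRight' = 'Log on Locally'
}
# Assumed "legitimate" holders; anything else is reported with '!!'.
$expected = @{
    'SeDebugPrivilege'        = @('BUILTIN\Administrators')
    'SeInteractiveLogonRight' = @('BUILTIN\Administrators')
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs with a leading '*'; account names appear bare.
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $entry   # orphaned SID (deleted account) is left as-is, still flagged
        }
    }
    return $entry
}

# secedit exports the .inf as UTF-16LE; lines look like "SeDebugPrivilege = *S-1-5-32-544".
foreach ($line in Get-Content $cfg -Encoding Unicode) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $name    = $Matches[1]
        $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } |
                   Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ }
        Write-Host "$($rights[$name]) ($name):"
        foreach ($h in $holders) {
            $flag = if ($expected[$name] -contains $h) { '   ' } else { ' !!' }
            Write-Host "$flag $h"
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A right whose line is absent from the export has no holders at all; a right granted to an entire group (for example BUILTIN\Users) shows up as a single flagged entry, which is exactly the blanket grant the bulletin advises against.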
- Prohibit most users from having physical access to the NT server
consoles. This can be accomplished by granting the "Log on Locally" right to
only a few trusted administrators. In addition, servers should physically
reside in a secured location where physical access is controlled, such as a
locked computer room or (well-ventilated) closet.
- As with any operating system, limit the number of users granted
administrator privileges, and limit the number of users who have access to the
Administrator account. Make sure the activities of these accounts
(especially Registry changes) are audited to provide a traceable record of
events. Permissions should be minimally granted, so that users have just
enough privileges to accomplish their tasks, and are provided limited access,
especially to system files.
===========================================================================
Acknowledgements:
CIAC would like to thank Karan Khanna and Microsoft for their contributions
to this bulletin.
============================================================================
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788