From advisory+ntlmssp@BOS.BINDVIEW.COM Thu Feb 8 19:48:30 2001
From: BindView Security Advisory
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 7 Feb 2001 18:41:31 -0500
Subject: [BUGTRAQ] Local promotion in NT4's NTLM Security Support Provider

BindView Security Advisory
--------
Local promotion vulnerability in NT4's NTLM Security Support Provider

Issue Date: February 7, 2001
Contact: tsabin@razor.bindview.com

Topic:
  Local promotion vulnerability in NT4's NTLM Security Support Provider

Overview:
  Due to a flaw in the NTLM Security Support Provider's handling of client
  requests, it is possible for local users to send requests to the privileged
  server and make the server execute arbitrary code of the user's choosing.

Affected Systems:
  Windows NT 4.0 up to and including SP6a
  Windows 2000 is _not_ affected

Impact:
  All Windows NT 4.0 machines are subject to compromise by any user who can
  log in locally and run arbitrary programs. This could possibly lead to
  Domain Admin access, if Domain Admin credentials are on the machine. In the
  case of Terminal Server, it should also be possible to use the credentials
  of other users on the compromised machine to take actions across the
  network as those other users.

Details:
  The NTLM Security Support Provider (NTLMSSP) service is found in
  ntlmssps.dll and is hosted by services.exe. It handles most of the
  cryptographic calculations behind the NTLM protocol for clients. It listens
  for client connections on the LPC port at \NtLmSecuritySupportProviderPort.
  Once a client connects, it sends requests to the NTLMSSP to handle the
  various steps in the NTLM protocol. The client indicates which function it
  wants done by putting the proper function number in the first 32-bit word
  of its LPC request to the NTLMSSP. The NTLMSSP then uses this number to
  index a call table and calls the associated function.

  The NTLMSSP _does_ perform a check on the function number to verify it's
  legal, but it does this check incorrectly, treating the index as signed
  instead of unsigned, so the check can be bypassed simply by making the
  number negative. So, the client can use more or less any index it wants
  to, but what can it use to jump somewhere useful? Well, it happens that the
  NtConnectPort API which is used to connect to
  \NtLmSecuritySupportProviderPort allows the client to map a shared memory
  section into the server's address space, and is even kind enough to tell
  the client what address it was mapped at. The client can then calculate
  the proper index to call through a pointer in the first 32 bits of that
  section, and put a pointer there to the rest of the section. He can then
  fill that with whatever code he wants. When he makes the proper request to
  the NTLMSSP, it will then call through to his code, and execute it as
  SYSTEM.

Workarounds:
  None known.

Recommendations:
  Install the hotfix from Microsoft, when available.
  Limit local logon privileges, if possible.

References:
  Microsoft's security bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS01-008.asp
  Microsoft's FAQ:
    http://www.microsoft.com/technet/security/bulletin/fq01-008.asp
  Microsoft's Hotfix:
    NT4: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27804
  Microsoft's Knowledge Base article:
    http://www.microsoft.com/technet/support/kb.asp?ID=280119
    (should be available shortly)
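The root cause in the Details section is a bounds check on a table index done with a signed comparison. The following C is an added illustration, not code from the advisory, BindView, or Microsoft: it models a request dispatcher with a constructed four-entry handler table (the real NTLMSSP table size and handlers are not given in the advisory) and shows the flawed signed check accepting a negative function number next to the corrected unsigned check rejecting it.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed table size; the advisory does not state the real one. */
#define HANDLER_COUNT 4

typedef int (*handler_t)(void);

/* Stand-in request handlers: each simply returns its own slot number. */
static int handler0(void) { return 0; }
static int handler1(void) { return 1; }
static int handler2(void) { return 2; }
static int handler3(void) { return 3; }

static const handler_t handler_table[HANDLER_COUNT] = {
    handler0, handler1, handler2, handler3
};

/* Flawed check, as the advisory describes it: the 32-bit word from the
 * request is interpreted as a signed integer and only compared against
 * the upper bound, so any negative value passes. */
int index_ok_signed(int32_t fn)
{
    return fn < HANDLER_COUNT;
}

/* Corrected check: interpret the same word as unsigned. A "negative"
 * bit pattern becomes a large positive number and fails the single
 * comparison, so no index outside [0, HANDLER_COUNT) gets through. */
int index_ok_unsigned(uint32_t fn)
{
    return fn < (uint32_t)HANDLER_COUNT;
}

/* Hardened dispatch: validate with the unsigned check before touching
 * the table. Returns the handler's result, or -1 for a rejected request. */
int dispatch_checked(uint32_t fn)
{
    if (!index_ok_unsigned(fn))
        return -1;
    return handler_table[fn]();
}

/* Byte offset from the table base that a signed index would produce; for a
 * negative index the lookup lands before the table, which is the memory the
 * flawed check never guards against. */
long lookup_offset_bytes(int32_t fn)
{
    return (long)fn * (long)sizeof(handler_t);
}

int main(void)
{
    uint32_t bad = (uint32_t)-1;   /* 0xFFFFFFFF as sent on the wire */
    printf("signed check accepts -1:   %d\n", index_ok_signed((int32_t)bad));
    printf("unsigned check accepts -1: %d\n", index_ok_unsigned(bad));
    printf("dispatch(2) -> %d, dispatch(-1) -> %d\n",
           dispatch_checked(2), dispatch_checked(bad));
    printf("-1 would index %ld bytes before the table\n",
           lookup_offset_bytes(-1));
    return 0;
}
```

The fix is a one-character class of bug: compare the request word as the unsigned quantity it is, or add an explicit lower-bound test, before using it as an array index.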