Security 10748 Published by

Thanks to Ryan for sending me this security alert from WatchGuard:

In a post to NTBugtraq on March 14, Radim EliCZ Picha described a design flaw in the Windows NT and 2000 debugging subsystem that could result in elevated privileges. Picha also included exploit code. Experts at WatchGuard have confirmed that a hacker can use this exploit to elevate any local user, even Guest, to local Administrator. There is no direct impact on WatchGuard products. Administrators using Windows NT and 2000, servers and workstations, should recognize this vulnerability and know how to defend against it. A patch is not yet available.



EXPOSURE:

Windows NT and 2000 include a debugging subsystem. This debugging subsystem is made up of chunks of code (functions) used specifically to help computer engineers observe and correct programming errors.

Picha has discovered a design flaw in Windows NT and 2000's debugging subsystem that could allow any user to elevate their privileges to Administrator. In a nutshell, the debugging functions allow any user to start a new process with the same privileges of another process. A process in simplest terms is any program. Since many of Windows NT and 2000's core processes (like svchost.exe) run with local administrator privileges, a hacker could use the debugging subsystem flaw to start any application with administrator rights.

Although a hacker needs a local account on a Windows machine to exploit this flaw, this vulnerability still is a significant risk. For instance, if you allow Guest access on your Microsoft Terminal Server, a hacker could remotely take over your machine. Also, some Windows administrators do not grant local users administrator rights, in order to prevent them from installing unauthorized software. Exploiting this flaw allows your users to bypass this policy, and would enable them to install a root kit or other hacking tools.

The gravest issue with this advisory is that it distributed functioning exploit code. We have tested this code and found it is extremely easy to elevate a Guest user to an Administrator in Windows 2000 with SP2. Although Picha has contacted Microsoft, he released this exploit before a patch was available. You must assume this exploit is already in the hands of the enemy.

SOLUTION PATH:

Picha claims Microsoft is aware of this vulnerability, but a patch is not yet available. Although Picha suggests workarounds in his
advisory https://www3.watchguard.com/archive/images/DebPloit.txt and Hotfix https://www3.watchguard.com/archive/images/HotFix.txt document, they are very low level, untested changes that require programming know-how. We recommend you avoid these untested solutions.

One way to lower the scope of this vulnerability is to disable any Guest accounts. Doing so does not prevent internal users from exploiting this flaw, but it makes it more difficult for an outside hacker to obtain an easy login to your Windows system. You can also prevent remote exploit of this flaw by denying incoming access to Microsoft Terminal Server (or other remote control software) until a patch is available. This means you can't administrate your Windows machine remotely, but that inconvenience might be worthwhile to avoid being hacked.

Finally, in his advisory, Picha states that Microsoft will make a patch or Hotfix available. If this actually occurs, we'll send you an update to this alert.