Belle ! (hole inside + 2k)

Recherche :

Dernière réponse
Sujet : Belle ! (hole inside + 2k)
B-52	Je viens de recevoir cettealerte, je trouves ça pas mal comme trou: March 27, 2002--In this issue: 1. SECURITY RISKS - Local Security Vulnerability in Windows NT and Windows 2000 ***************************************************************** 1. * SECURITY RISKS *** * LOCAL SECURITY VULNERABILITY IN WINDOWS NT AND WINDOWS 2000 Radim "EliCZ" Picha (Bugs@EliCZ.cjb.net) discovered a vulnerability in Windows NT 4.0 and Windows 2000. He has written an exploit called DebPloit that shows the weakness of a local Windows NT/2000 security and totally compromises entire security subsystem. DebPloit uses a hole in the NT/2000 debugging subsystem and allows ANY user with ANY privileges (even Guest and Restricted user) to execute processes in the security context of an administrator or a local system (SYSTEM) account. In other words, any person who have an access to the local computer can became an administrator and do everything he/she wants. Principle: Ask the debugging subsystem (smss.exe) to duplicate a handle to Target (any process running on the local computer): 1. Become dbgss client (DbgUiConnectToDbg). 2. Connect to the DbgSsApiPort Local Procedure Call (LPC) port (ZwConnectPort). Everyone can access this port. 3. Ask dbgss to handle CreateProcess SsApi with Target's client id (ZwRequestPort). 4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT (WaitForDebugEvent). Message contains a duplicated handle. 5. Impersonate your security context using a duplicated handle. 6. Execute any code (e.g. run an external program) in the security context of Target. Download DebPloit with a source code from http://www.anticracking.sk/EliCZ/bugs/DebPloit.zip To test your system for this vulnerability: 1. Download DebPloit.zip and unzip it to the directory on your hard drive. 2. Logoff and login again using Guest (or any other non-administrative account) account. 3. Run ERunAsX.exe from the command line and specify a program you wish to execute under the SYSTEM account (e.g. "ERunAsX.exe cmd" ). 4. Your program now runs under the SYSTEM account and you can do everything (e.g. create new user with an administrative privileges) on the local computer. * HOTFIX To close this hole and protect your computers and network against attacks from the inside, you can use an unofficial hotfix released by SmartLine, Inc. DebPloitFix is a hotfix that closes the security hole using by the DebPloit exploit. DebPloitFix is implemented as a kernel mode driver that can be run dinamically (no need to restart your system). DebPloitFix assigns the new security descriptor to the DbgSsApiPort LPC port so only the local system (SYSTEM user) will be able to access this port.

Dernière réponse

Sujet : Belle ! (hole inside + 2k)

B-52

Je viens de recevoir cettealerte, je trouves ça pas mal comme trou:

March 27, 2002--In this issue:

1. SECURITY RISKS

- Local Security Vulnerability in Windows NT and Windows 2000

*******************************************************************

1. ***** SECURITY RISKS *****

* LOCAL SECURITY VULNERABILITY IN WINDOWS NT AND WINDOWS 2000

Radim "EliCZ" Picha (Bugs@EliCZ.cjb.net) discovered a vulnerability in Windows NT 4.0 and Windows 2000. He has written an exploit called DebPloit that shows the weakness of a local Windows NT/2000 security and totally compromises entire security subsystem.

DebPloit uses a hole in the NT/2000 debugging subsystem and allows ANY user with ANY privileges (even Guest and Restricted user) to execute processes in the security context of an administrator or a local system (SYSTEM) account. In other words, any person who have an access to the local computer can became an administrator and do everything he/she wants.

Principle: Ask the debugging subsystem (smss.exe) to duplicate a handle to Target (any process running on the local computer):

1. Become dbgss client (DbgUiConnectToDbg).

2. Connect to the DbgSsApiPort Local Procedure Call (LPC) port (ZwConnectPort). Everyone can access this port.

3. Ask dbgss to handle CreateProcess SsApi with Target's client id (ZwRequestPort).

4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT (WaitForDebugEvent). Message contains a duplicated handle.

5. Impersonate your security context using a duplicated handle.

6. Execute any code (e.g. run an external program) in the security context of Target.

Download DebPloit with a source code from http://www.anticracking.sk/EliCZ/bugs/DebPloit.zip

To test your system for this vulnerability:

1. Download DebPloit.zip and unzip it to the directory on your hard drive.

2. Logoff and login again using Guest (or any other non-administrative account) account.

3. Run ERunAsX.exe from the command line and specify a program you wish to execute under the SYSTEM account (e.g. "ERunAsX.exe cmd" ).

4. Your program now runs under the SYSTEM account and you can do everything (e.g. create new user with an administrative privileges) on the local computer.

* HOTFIX

To close this hole and protect your computers and network against attacks from the inside, you can use an unofficial hotfix released by SmartLine, Inc.

DebPloitFix is a hotfix that closes the security hole using by the DebPloit exploit. DebPloitFix is implemented as a kernel mode driver that can be run dinamically (no need to restart your system). DebPloitFix assigns the new security descriptor to the DbgSsApiPort LPC port so only the local system (SYSTEM user) will be able to access this port.