DOCUMENT:Q190288  TITLE   :SecHole Lets Non-administrative Users Gain Debug Level Access
PRODUCT :Windows NT
PROD/VER:3.51 4.0
OPER/SYS:WINDOWS NT
KEYWORD :kbbug3.51 kbbug4.00 kbfix4.00
--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server versions 3.51 and 4.0
 - Microsoft Windows NT Workstation versions 3.51 and 4.0
 - Microsoft Windows NT Server, Enterprise Edition version 4.0
--------------------------------------------------------------------------

SYMPTOMS
========

A utility, Sechole.exe, is being circulated on the Internet that performs a
very sophisticated set of steps that allows a non-administrative user to gain
debug-level access to a system process. Using this utility, the
non-administrative user is able to run code in the system security context
and thereby grant himself or herself local administrative privileges on the
system.

CAUSE
=====

Sechole.exe locates the memory address of a particular API function
(OpenProcess) and modifies the instructions at that address in the running
image of the exploit program on the local system. Sechole.exe then requests
debug rights, which give it elevated privileges. The request succeeds because
the access check for this right is expected to be done in the API that the
exploit program has just modified, that is, on the client side of the
request rather than in the subsystem server that grants it. Sechole.exe can
now add the user who invoked it to the local Administrators group.

RESOLUTION
==========

Windows NT 4.0
--------------

To resolve this problem, contact Microsoft Technical Support to obtain the
following fix, or wait for the next Windows NT service pack.
This fix should have the following time stamp:

   07/28/98  01:55p    29,456  Csrsrv.dll  (Intel)
   07/28/98  01:55p     7,440  Csrss.exe   (Intel)
   07/28/98  01:55p    49,424  Csrsrv.dll  (Alpha)
   07/28/98  01:55p    12,048  Csrss.exe   (Alpha)

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/chs/NT40/hotfixes-postSP3/priv-fix/

This fix ensures that the access check to grant any rights is done by the
server and not the client, so patching code inside the requesting process no
longer influences the outcome of the check.

Windows NT 3.51
---------------

A hotfix for Windows NT 3.51 is not available at this time.

MORE INFORMATION
================

This exploit can potentially allow a non-administrative user to gain local
administrative access to the system and thereby elevate his or her privileges
on the system. To perform this attack, the user has to have a valid local
account on the system and has to have physical access to the computer to log
on locally to the system. Sensitive systems, such as Windows NT domain
controllers, where non-administrative users do not have any local log on
rights by default, are not susceptible to this threat. The attack cannot be
used over the network to get domain administrative privileges remotely.

For more information, please see the following Microsoft Security Bulletin at:

   http://www.microsoft.com/security/bulletins/ms98-009.htm

For additional security-related information about Microsoft products, please
go to:

   http://www.microsoft.com/security/

STATUS
======

Windows NT 4.0
--------------

Microsoft has confirmed this problem could result in some degree of security
vulnerability in Windows NT version 4.0. A fully supported fix is now
available, but it has not been fully regression tested and should only be
applied to systems determined to be at risk of attack. Please evaluate your
system's physical accessibility, network and Internet connectivity, and other
factors to determine the degree of risk to your system.
If your system is sufficiently at risk, Microsoft recommends you apply this
fix. Otherwise, wait for the next Windows NT service pack, which will contain
this fix. Please contact Microsoft Technical Support for more information.

Windows NT 3.51
---------------

Microsoft has confirmed this to be a problem in Microsoft Windows NT version
3.51.

Additional query words: getadmin Windows NT Privilege Elevation attack

============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
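The CAUSE and RESOLUTION sections above describe the class of bug the hotfix closes: a privilege grant that depends on an access check running inside the requesting (untrusted) process, which the process can patch, instead of inside the server that performs the grant. The following is an added illustration of that trust-boundary mistake in Python; it is not csrss/csrsrv code, does not reproduce Sechole.exe, and the user names, privilege name and ALLOWED table are constructed for the example.

```python
"""Client-side versus server-side access checks (added model, not NT code).

The Server stands in for the subsystem that grants a privilege; the Client
stands in for the process asking for it. In the vulnerable design the client
computes the access-check result and the server trusts it; patch_client()
stands in for an in-process code patch of the kind the article describes.
"""

# Constructed account database (hypothetical users): which privileges each
# account is genuinely allowed to hold.
ALLOWED = {
    "admin": {"SeDebugPrivilege"},
    "alice": set(),
}


class Client:
    """The requesting process. In the vulnerable design it performs the check."""

    def __init__(self, user):
        self.user = user

    def check_privilege(self, priv):
        # Runs in the client's own address space, so the client controls it.
        return priv in ALLOWED.get(self.user, set())

    def request_vulnerable(self, server, priv):
        # Ships the *result* of the check to the server.
        return server.grant_vulnerable(self.user, priv, self.check_privilege(priv))

    def request_fixed(self, server, priv):
        # Names only the caller and the privilege; the server decides.
        return server.grant_fixed(self.user, priv)


class Server:
    """Trusted side. Records every privilege it hands out."""

    def __init__(self):
        self.granted = []

    def grant_vulnerable(self, user, priv, client_says_ok):
        # Trusts a flag computed in the untrusted process.
        if client_says_ok:
            self.granted.append((user, priv))
            return True
        return False

    def grant_fixed(self, user, priv):
        # Re-derives the answer from data the client cannot modify.
        if priv in ALLOWED.get(user, set()):
            self.granted.append((user, priv))
            return True
        return False


def patch_client(client):
    """Stand-in for rewriting the in-process check so it always passes."""
    client.check_privilege = lambda priv: True
    return client


def run_scenario():
    """Patched non-admin client against both designs.

    Returns (vulnerable_granted, fixed_granted, server_grant_log).
    """
    server = Server()
    alice = patch_client(Client("alice"))
    vulnerable = alice.request_vulnerable(server, "SeDebugPrivilege")
    fixed = alice.request_fixed(server, "SeDebugPrivilege")
    return vulnerable, fixed, list(server.granted)


if __name__ == "__main__":
    print(run_scenario())  # (True, False, [('alice', 'SeDebugPrivilege')])
```

The point the hotfix makes, and the model shows, is that the value of a check is bounded by the integrity of the memory it runs in: anything the client process can write, it can lie about, so the server must compute authorization from state it holds itself.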
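The RESOLUTION section identifies the hotfix by file size and time stamp only. The script below is an added example, not a Microsoft tool, that classifies a System32 directory against that list; the expected sizes and the 07/28/98 date are taken from the article, the three sample directories it builds in demo() are constructed fixtures, and the 'no-match' result is deliberately not reported as 'vulnerable', because files from a later service pack carry the same fix with different sizes.

```python
"""Check a System32 directory against the priv-fix file list (added example)."""
import os
import tempfile
from datetime import date, datetime

FILES = ("csrsrv.dll", "csrss.exe")

# Byte sizes from the article's time stamp list, per platform.
EXPECTED_SIZES = {
    "Intel": {"csrsrv.dll": 29456, "csrss.exe": 7440},
    "Alpha": {"csrsrv.dll": 49424, "csrss.exe": 12048},
}
FIX_DATE = date(1998, 7, 28)


def inspect(system32):
    """Return {name: {'size': int, 'date': date}} for the files that exist."""
    found = {}
    for name in FILES:
        path = os.path.join(system32, name)
        if os.path.isfile(path):
            st = os.stat(path)
            found[name] = {
                "size": st.st_size,
                "date": datetime.fromtimestamp(st.st_mtime).date(),
            }
    return found


def hotfix_status(system32):
    """Classify a directory and return (status, details).

    'missing'        one or both files are absent
    'Intel'/'Alpha'  sizes match this hotfix build for that platform
    'no-match'       files present but sizes differ (e.g. a later service
                     pack); verify by other means, do not assume vulnerable
    """
    found = inspect(system32)
    if len(found) != len(FILES):
        return "missing", found
    sizes = {name: info["size"] for name, info in found.items()}
    for platform, expected in EXPECTED_SIZES.items():
        if sizes == expected:
            return platform, found
    return "no-match", found


def dates_match(found):
    """True if every inspected file carries the hotfix's 07/28/98 date."""
    return all(info["date"] == FIX_DATE for info in found.values())


def make_fixture(dirpath, sizes, stamp=True):
    """Write constructed files of the given sizes; optionally back-date them."""
    ts = datetime(1998, 7, 28, 13, 55).timestamp()
    for name, size in sizes.items():
        path = os.path.join(dirpath, name)
        with open(path, "wb") as f:
            f.write(b"\0" * size)
        if stamp:
            os.utime(path, (ts, ts))


def demo():
    """Classify three constructed directories: patched, other build, empty."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        patched = os.path.join(root, "patched")
        os.mkdir(patched)
        make_fixture(patched, EXPECTED_SIZES["Intel"])
        other = os.path.join(root, "other")
        os.mkdir(other)
        make_fixture(other, {"csrsrv.dll": 30000, "csrss.exe": 8000}, stamp=False)
        empty = os.path.join(root, "empty")
        os.mkdir(empty)
        for label, path in (("patched", patched), ("other", other), ("empty", empty)):
            status, found = hotfix_status(path)
            results[label] = (status, dates_match(found) if found else False)
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        status, found = hotfix_status(sys.argv[1])
        print(status, "dates ok" if dates_match(found) else "dates differ")
    else:
        print(demo())
```

Run it with a path to a System32 directory (or a mounted copy of one) to check a real machine; with no argument it runs the constructed fixtures. Size and date together pin down this one build, which is all the article's list supports; a later file version has to be confirmed from its own release notes.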