Bugtraq mailing list archives
[ NT SECURITY ALERT ] New Local GetAdmin Exploit
From: mark () NTSHOP NET (MJE)
Date: Mon, 27 Jul 1998 19:34:58 -0600
July 27, 1998, (NTSD) - Three gentlemen from India have been kind enough to reveal to The NT Shop (http://www.ntshop.net or http://www.ntsecurity.net) a serious hole in Windows NT systems (any version of Workstation or Server) that readily grants the user complete membership to the Administrators group.

According to the discoverers, this exploit works against all versions of WinNT, including WinNT 5.0 betas, and may also be possible against domain controllers in certain circumstances -- this is yet unconfirmed and un-demonstrated as far as I know. Their sample program, SECHOLE.EXE, only exploits the *LOCAL* user database.

THE EXPLOIT, IN A NUTSHELL: by using existing Windows NT services, an application can locate a certain API call in memory, modify the instructions in a running instance, and gain debug-level access to the system, where it then grants the currently logged-in user complete membership to the Administrators group in the local user database.

The NT Shop has reported this problem to Microsoft -- we've been in close contact with their security folks since last week, and are told a fix is ready -- I suspect they'll release a bulletin in the next 24 hours.

For more information on the problem, as well as a brief interview with the discoverers and a working copy of the program demonstrating this serious problem, visit our Web site where you'll find the page link at the top of the list in the left window frame.

Mark
http://www.ntsecurity.net or http://www.ntshop.net