Exploiting DCOM to gain Administrative rights on Windows NT 4

[mnemonix () GLOBALNET CO UK (Mnemonix)]

By using a combination of problems it is a relatively easy matter for a
local user to gain administrative rights on a Windows NT 4 Server or
Workstation,
though this situation is easily rectifiable.

1) The default configuration permissions on Windows NT allow the Interactive
User,
that is the user currently logged on, to make modifications to the way a
DCOM
server should be run. Basically this means they can modify the subkeys under
the HKCR\AppID registry key where information pertaining to the way these
servers
should be run is stored. Choosing an example that'll be on the majority of
machines
consider Wordpad. Wordpad is a registered DCOM server. By navigating to the

HKCR\AppID\{73FDDC80-AEA9-101A-98A7-00AA00374959}

registry key and adding a new value, "LocalService", and supplying the name
of a system
service a normal user will be able to start (a service) one of their
choosing.

2) After an install of certain software by an administrator new system
services can
be registered, but not necessarily started automatically. Added to this the
NTFS rights
on the service's image file may be lax. Consider an install of Internet
Explorer 5.
A system service, the System Event Notification service or SENS, is
registered under
the HKLM\CurrentControlSet\Services registry key but is not started. The
default NTFS
rights allow Everybody to overwrite the file.

Overwriting a service's image file with an "exploit" and getting it to run
as system is hardly brain
surgery, in so far as using it in a way to leverage more access to a system
is concerned
anyway. The problem lies in trying to get the service to run - a normal user
just can't
open the Services Control Panel applet and start a service.

Enter DCOM - stage right. Using a simple VBScript in an HTML document, such
as

<SCRIPT LANGUAGE="VBScript">
CreateObject("Wordpad.Document.1")
</SCRIPT>

an opening it will cause the browser request of the COM Service Control
Manager (RPCSS.EXE) that it start
the server so it can create an instance of the wordpad.document.1 class.
RPCSS looks at the

HKCR\AppID\{73FDDC80-AEA9-101A-98A7-00AA00374959}

key and decides how to start it. Going back to stage 1) above let's assume
we supplied "SENS" as the data
for the LocalService we added. RPCSS will go ahead and start the SENS
service because the default launch
permissions allow the Interactive User to do so.

All that this takes is for one of the HKCR\AppID registry key to have the
default permissions and for
a normal user to be able to overwrite one .exe or .dll that a non-started
system service uses for an
NT system to be vulnerable.

Needless to say tightening the permissions of the relevant keys and files
will resolve this problem.

NB ~ Windows 2000 will allow Power Users, Server Operators etc to gain Admin
rights using similar methods.

Cheers,
David Litchfield
http://www.arca.com
http://www.infowar.co.uk/mnemonix