Information Security News mailing list archives

Microsoft debugger flaw yields system keys


From: InfoSec News <isn () c4i org>
Date: Thu, 23 May 2002 04:56:58 -0500 (CDT)

http://news.com.com/2100-1001-920940.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
May 22, 2002, 5:25 PM PT

Microsoft warned Windows NT and 2000 users on Wednesday of a new flaw
in its debugger tools that could let attackers give themselves
complete control of a system once they've gained basic access to that
system.

The vulnerability involves a flaw in the debugger's authorization
feature. The flaw lets any user run any program on the system, with
the highest privileges.

The hole could be used in conjunction with other Windows
vulnerabilities that allow a remote attacker to run as a local user,
said Marc Maiffret, chief hacking officer with network-protection
company eEye Digital Security.

"By itself, I would say it's not that dangerous, but coupled with
other vulnerabilities, it's nasty," Maiffret said. "It makes threats
like Nimda possible."

The Nimda worm used a similar double whammy to gain base-level access
to a system and then elevate its privileges to take control of the
infected computer.

Microsoft gave the vulnerability a "critical" rating for client
systems but would not estimate what portion of Windows NT 4.0 and
Windows 2000 computers might be vulnerable to the new flaw.

"Being able to log on to the computer in the first place, and being
able to run code (once logged on), are the two limiting factors for
this flaw," said Christopher Budd, security program manager for
Microsoft's security response center.

For example, a guest account could be co-opted by an attacker and used
to exploit the flaw to run code only if the system's administrator
allowed guests access to the console and let them introduce code to
the machine, Budd said.

Microsoft has posted an advisory and a patch for the problem.



-
ISN is currently hosted by Attrition.org
