Windows NT Privilege Elevation Attack
A program called SecHole (Sechole.exe) is available on the Internet that exploits a privilege elevation vulnerability in the Windows NT operating system. The program performs a sophisticated set of steps to allow a non-administrative user who is logged on locally (at the console of a system) to gain debug-level access on a system process.
Issue
This exploit can allow a non-administrative user to gain local administrative access to the system and thereby elevate his or her privileges on it. To perform the attack the user must have a valid account with the right to log on locally and must be able to run arbitrary code on the system. Normally this means physical access to the computer in order to log on at the console. One caveat: on Windows NT Server 4.0, Terminal Server Edition, a Terminal Server session is an interactive logon, so a remote user with a session on that server has the same opportunity without physical access.
Sensitive systems such as the Windows NT Domain Controllers, where non-administrative users do not have any local logon rights by default, are not susceptible to this threat. The attack cannot be used over the network to get domain administrative privileges remotely.
In this attack, a non-administrative user obtains administrative access by gaining debug-level access to a process that runs as Local System; code injected into such a process executes with that process's Local System privileges.
Specifically, the exploit program does the following:
- Locates the memory address of a particular API function used by the DebugActiveProcess function.
- Modifies the instructions at that address to return success in a failure case.
- Iterates through the processes running as Local System, calling DebugActiveProcess on each until an attach succeeds. Because the server-side component of DebugActiveProcess does not correctly check whether the caller has valid access to the target process, the client-side patch made in the previous step is enough to make the attach succeed.
- Creates a thread in the victim process that runs code from an accompanying dynamic-link library (DLL). Because the thread runs inside a Local System process, it can add the user running the program to the local Administrators group.
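The last step leaves a durable, auditable artifact: a non-administrative account is added to the local Administrators group by code running inside a Local System process rather than by an administrator's own session. The script below is an added example (it is not part of the original page and not SecHole's code) showing detection logic run over constructed audit records of that event. On Windows NT 4.0 the corresponding security-log event is 636 (Security Enabled Local Group Member Added); on current Windows versions it is 4732. The well-known SIDs are real; the `key=value;` record format, the field names, the approved-caller list and the sample records are assumptions made for the example.

```python
"""Flag additions to the local Administrators group that look like
self-elevation. Added example: the record format and the sample
records are constructed, not real NT security-log output."""
from dataclasses import dataclass

# Well-known SIDs; these are the same on every Windows system.
LOCAL_SYSTEM_SID = "S-1-5-18"
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

# Accounts that are allowed to change local Administrators membership
# (assumption for the example; maintain this per site).
APPROVED_CALLERS = {"NTDEV\\helpdesk", "NTDEV\\ops-admin"}

# Event IDs for "member added to a security-enabled local group":
# 636 on Windows NT 4.0, 4732 on current Windows versions.
GROUP_MEMBER_ADDED_EVENTS = (636, 4732)


@dataclass
class GroupChange:
    event_id: int          # audit event identifier
    target_group_sid: str  # SID of the group that gained a member
    member: str            # account added, as DOMAIN\\user
    caller: str            # account whose token performed the change
    caller_sid: str        # SID of that account


def parse_record(line):
    """Parse one constructed 'key=value;key=value' audit line."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";") if part)
    return GroupChange(
        event_id=int(fields["event_id"]),
        target_group_sid=fields["group_sid"],
        member=fields["member"],
        caller=fields["caller"],
        caller_sid=fields["caller_sid"],
    )


def classify(change):
    """Return the reasons a record is suspicious; an empty list means benign."""
    reasons = []
    # Only membership additions to the local Administrators group matter here.
    if (change.event_id not in GROUP_MEMBER_ADDED_EVENTS
            or change.target_group_sid != BUILTIN_ADMINISTRATORS_SID):
        return reasons
    # A Local System process has no legitimate reason to add an interactive
    # user to Administrators; SecHole's injected thread does exactly that.
    if change.caller_sid == LOCAL_SYSTEM_SID:
        reasons.append("caller is LocalSystem")
    elif change.caller not in APPROVED_CALLERS:
        reasons.append("caller not in approved administrators")
    # A user account adding itself is the simplest form of self-elevation.
    if change.member.lower() == change.caller.lower():
        reasons.append("account added itself")
    return reasons


def scan(lines):
    """Return (member, reasons) for every suspicious record in the input."""
    findings = []
    for change in map(parse_record, lines):
        reasons = classify(change)
        if reasons:
            findings.append((change.member, reasons))
    return findings


# Constructed sample records: a SecHole-style addition performed from a
# Local System context, a legitimate helpdesk change, and an unrelated
# addition to the Users group (S-1-5-32-545).
SAMPLE_LOG = [
    "event_id=636;group_sid=S-1-5-32-544;member=NTDEV\\alice;"
    "caller=NT AUTHORITY\\SYSTEM;caller_sid=S-1-5-18",
    "event_id=636;group_sid=S-1-5-32-544;member=NTDEV\\bob;"
    "caller=NTDEV\\helpdesk;caller_sid=S-1-5-21-1000",
    "event_id=636;group_sid=S-1-5-32-545;member=NTDEV\\carol;"
    "caller=NT AUTHORITY\\SYSTEM;caller_sid=S-1-5-18",
]

if __name__ == "__main__":
    for member, reasons in scan(SAMPLE_LOG):
        print(f"SUSPICIOUS: {member} added to Administrators ({', '.join(reasons)})")
```

The LocalSystem rule is the one that matches the attack described above, since the group change is made from inside the victim process rather than from the user's own logon session; the approved-caller and self-add rules catch cruder variants and administrators who bypass change control. Neither rule fires without group-management auditing enabled on the host.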
Affected Products
- Windows NT Server 3.51, 4.0 & 4.0 TSE
- Windows NT Workstation 3.51 & 4.0
Solution
Microsoft has posted hotfixes to address this problem, although installing the current Windows NT service pack is the recommended solution.
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: July 27, 1998


