Warning: Any User Can Root Win NT, 2000
New hole in Windows NT and Windows 2000 opens the door for any user (even "guest") to gain complete control of your machine. This bug--called a "privilege escalation" vulnerability--allows an unprivileged user to obtain adminiA serious hole in Windows NT and Windows 2000 allows any user (even "guest") to gain complete control of the machine. This bug -- called a "privilege escalation" vulnerability -- is particularly worrisome, because it does more than open the system to attacks from its own users. It also amplifies the dangers associated with other security holes that Microsoft has dismissed as not being serious. Why? Because an intruder who gains entry to a system as an unprivileged user can obtain administrator privileges and take over.
Safeguards against such exploits have long been present in UNIX and were mentioned in Microsofts recent DRM patent. (Ironically, Microsoft did not implement the commonsense security mechanisms it "rediscovered" and managed to patent despite long standing prior art.) The discoverers public announcement of the bug (first link below) contains not only a complete description of the problem but a sample exploit. One would think that this would have put Microsoft on "red alert," but -- amazingly -- the software giant has released neither an advisory nor a patch. Fortunately, third parties have already created fixes that administrators can apply to their systems. (See the second link below for details.) FOR FURTHER READING:
- Explanation of the hole, with sample code
- DebPloitFix - Free fix with source code (ntcompatible.com)
Note: We are -- as far as we know -- the first media outlet to cover this bug, but details and exploits have been circulating in hacker circles for at least two weeks. So, be sure to patch your NT and Win2K systems ASAP.