Warning: Any User Can Root Win NT, 2000

By Brett Glass  |  Posted 2002-03-29 Print this article Print

New hole in Windows NT and Windows 2000 opens the door for any user (even "guest") to gain complete control of your machine. This bug--called a "privilege escalation" vulnerability--allows an unprivileged user to obtain admini

A serious hole in Windows NT and Windows 2000 allows any user (even "guest") to gain complete control of the machine. This bug -- called a "privilege escalation" vulnerability -- is particularly worrisome, because it does more than open the system to attacks from its own users. It also amplifies the dangers associated with other security holes that Microsoft has dismissed as not being serious. Why? Because an intruder who gains entry to a system as an unprivileged user can obtain administrator privileges and take over.

The exploit doesnt use esoteric techniques such as buffer overflows; in fact, it uses only the operating systems standard, documented debugging interface. This interface allows one program (a debugger) to gain control of another (a program under test) so that the behavior of the latter can be observed and/or altered. Alas, NT and Win2K allow any program to control any other; an unprivileged user can thus gain control of a privileged program and bend it to his or her will.

Safeguards against such exploits have long been present in UNIX and were mentioned in Microsofts recent DRM patent. (Ironically, Microsoft did not implement the commonsense security mechanisms it "rediscovered" and managed to patent despite long standing prior art.) The discoverers public announcement of the bug (first link below) contains not only a complete description of the problem but a sample exploit. One would think that this would have put Microsoft on "red alert," but -- amazingly -- the software giant has released neither an advisory nor a patch. Fortunately, third parties have already created fixes that administrators can apply to their systems. (See the second link below for details.) FOR FURTHER READING:
Note: We are -- as far as we know -- the first media outlet to cover this bug, but details and exploits have been circulating in hacker circles for at least two weeks. So, be sure to patch your NT and Win2K systems ASAP.
Brett Glass has more than 20 years of experience designing, building,writing about, and crash-testing computer hardware and software. (A born'power user,' he often stresses products beyond their limits simply bytrying to use them.) A consultant, author, and programmer based inLaramie, Wyoming, Brett obtained his Bachelor of Science degree inElectrical Engineering from the Case Institute of Technology and his MSEEfrom Stanford. He plans networks, builds and configures servers, outlinestechnical strategies, designs embedded systems, hacks UNIX, and writeshighly optimized assembly language.

During his rather eclectic career, Brett has written portions of the codeand/or documentation for such widely varied products as Borland's Pascal'toolboxes' and compilers, Living Videotext's ThinkTank, Cisco Systemsrouters and terminal servers, Earthstation diskless workstations, andTexas Instruments' TMS380 Token Ring networking chipset. His articleshave appeared in nearly every major computer industry publication.

When he's not writing, consulting, speaking, or cruising the Web insearch of adventure, he may be playing the Ashbory bass, teachingInternet courses for LARIAT (Laramie's community network and Internetusers' group), cooking up a storm, or enjoying 'extreme'-ly spicy ethnicfood.

To mail Brett, visit his Web form.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel