A serious hole in Windows NT and Windows 2000 allows any user (even “guest”) to gain complete control of the machine. This bug — called a “privilege escalation” vulnerability — is particularly worrisome, because it does more than open the system to attacks from its own users. It also amplifies the dangers associated with other security holes that Microsoft has dismissed as not being serious. Why? Because an intruder who gains entry to a system as an unprivileged user can obtain administrator privileges and take over.
The exploit doesnt use esoteric techniques such as buffer overflows; in fact, it uses only the operating systems standard, documented debugging interface. This interface allows one program (a debugger) to gain control of another (a program under test) so that the behavior of the latter can be observed and/or altered. Alas, NT and Win2K allow any program to control any other; an unprivileged user can thus gain control of a privileged program and bend it to his or her will.
Safeguards against such exploits have long been present in UNIX and were mentioned in Microsofts recent DRM patent. (Ironically, Microsoft did not implement the commonsense security mechanisms it “rediscovered” and managed to patent despite long standing prior art.)
The discoverers public announcement of the bug (first link below) contains not only a complete description of the problem but a sample exploit. One would think that this would have put Microsoft on “red alert,” but — amazingly — the software giant has released neither an advisory nor a patch. Fortunately, third parties have already created fixes that administrators can apply to their systems. (See the second link below for details.)
FOR FURTHER READING:
- Explanation of the hole, with sample code
- DebPloitFix – Free fix with source code (ntcompatible.com)
Note: We are — as far as we know — the first media outlet to cover this bug, but details and exploits have been circulating in hacker circles for at least two weeks. So, be sure to patch your NT and Win2K systems ASAP.