Re: Peculiar login troubles.
From: S.Leyers (s.leyers@subdimension.com) Date: 04/15/02
- Previous message: loloinfo@free.fr: "RE: VPN / IPSEC"
- In reply to: CHRIS GRABENSTEIN: "RE: Peculiar login troubles."
- Next in thread: Josh Arieli: "RE: Peculiar login troubles."
From: "S.Leyers" <s.leyers@subdimension.com> To: <focus-ms@securityfocus.com> Date: Mon, 15 Apr 2002 10:16:17 +0200
There is a fix for this though I didn't try it ... so you're on your own for
that one :)
Note that the author says "Works on: Any MS Windows NT 4.0, Windows 2000
(SPs before Mar-12-2002)"
So might be that you've missed a fix.
Hope this helps.
1) Description of Debploit
DebPloit allows Everyone to get handle to Any process or thread.
Handles have enough access to promote everyone to system/admin (in
the case Target is running under LocalSystem, Administrator account).
Works on: Any MS Windows NT 4.0, Windows 2000 (SPs before Mar-12-2002).
Former NTs weren't tested.
Discovered: Mar-09-2002.
Author: Radim "EliCZ" Picha. Bugs@EliCZ.cjb.net.
http://www.anticracking.sk/EliCZ.
Details: Exploit\DebPloit.h.
Principle: Ask debugging subsystem (lives in smss.exe) to create (duplicate)
handle(s) to Target for you:
1. Become dbgss client (DbgUiConnectToDbg).
2. Connect to DbgSsApiPort LPC port (ZwConnectPort). Everyone has access to
this port.
3. Ask dbgss to handle CreateProcess SsApi with client id (or pid or tid only)
of Target (ZwRequestPort).
4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT (WaitForDebugEvent).
Message contains duplicated handle(s).
5. When debugger's thread terminates (e.g. on logoff), Target process or thread
is terminated too (like it was regularly debugged).
How MS will solve this problem:
*) Impersonate requesting thread (or client of port); try to open Target pid
or tid; revert to self. If open failed, refuse request/debugging/duplication
(csrss does it this way).
*) Put restrictions on DbgSsApiPort port: don't use WORLD SID, ..
[*) move dbgss to kernel like in Windows XP ;)]
I will tell you which solution MS used after the next hotfix or SP is out.
How administrators can solve this problem:
*) Modify smss.exe file (one-byte change). See HotFix directory.
*) Hook NtConnectPort and refuse non-system/admin connections to DbgSsApiPort.
*) Modify security descriptor of the port object in kernel memory, ...
Notes: It's interesting for how long (~6 years) this "possibility" was
available.
The "beauty" of this "exploit" is that it is supported by the OS. No overflows,
no buggy drivers, no invalid pointers, no syscalls, no patching.
NT3.51 - NT4SP3: ability to open Target is tested in DebugActiveProcess only
-> mistake. Hotfix was available after 2 months.
NT4SP4 - W2KSP2: ability to open Target is tested in CsrDebugProcess - but hey,
it is not csrss who does the dbgss job! It is smss:dbgss who gives you the
handles. Debugging subsystem and DBGSS are exact terms; smss can even load your
(debugging) subsystem. csrss only assigns a debugging port to Win32 process -
so process is debugged regularly, debugger must be in debug loop, intercepts
dll load, output debug string etc. By using DebPloit, Target is NOT debugged
(although smss ensures Target is terminated when "debugger" is terminated).
Result: Ability to open Target should be tested in smss (only). DebPloit is
present in NT 3.51 too - it is more than 6 years, isn't it?
Next thing: It's NOT about LPC ports. Named pipes could be used for
communication with dbgss as well.
Last thing: Take a tour through LPC ports or named pipes (or some mutants).
Maybe you'll be able to send some nice commands to LocalSystem processes.
2) Fix for Debploit
0) Disasm %systemroot%\system32\smss.exe file:
dumpbin smss.exe -disasm > before.txt
1) Edit %systemroot%\system32\smss.exe file.
2) Find offset of ANSI string "\DbgSsApiPort".
3) Find reference to (find the offset of) this string in code.
4) "Below" this reference but "above" the call to NtCreatePort, the
OBJECT_ATTRIBUTES structure is filled.
5) Put NULL to OBJECT_ATTRIBUTES.SecurityDescriptor by using the register that
contains 0 (and with which the other fields are initialized: RootDirectory,
Attributes and SecurityQualityOfService). This is a one-byte change.
6) Correct PE checksum - optional.
7) After rebooting only system and administrators can connect to \DbgSsApiPort
LPC port.
----- Original Message -----
From: "CHRIS GRABENSTEIN" <LFGRABC@LF.VCCS.EDU>
To: "Josh Arieli" <JArieli@maf.org>; <focus-ms@securityfocus.com>
Sent: Friday, April 12, 2002 8:32 PM
Subject: RE: Peculiar login troubles.
I still haven't found a patch from MS to fix it. I've got all the updates
suggested in Windows Update and it still works. (Win2k SP2) On one hand I'm
glad it hasn't received more publicity than it has (College environment,
students have too much time on their hands), but on the other it won't get
fixed quickly if there's no pressure.
|-----Original Message-----
|From: Josh Arieli [mailto:JArieli@maf.org]
|Sent: Friday, April 12, 2002 2:28 PM
|To: CHRIS GRABENSTEIN; focus-ms@securityfocus.com
|Subject: RE: Peculiar login troubles.
|
|
|By the way, What MS security patch fixes the debploit issue?
|
|Josh
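Step 6 of the fix quoted above ("Correct PE checksum") and the defender's side of the same story, telling a patched system binary from a pristine one, both come down to the PE image checksum. The Python below is an added example, not code from this message, from the DebPloit author or from any hotfix: it implements the documented PE checksum algorithm (the one CheckSumMappedFile in imagehlp and tools such as pefile compute: 32-bit words summed with end-around carry, the CheckSum field itself excluded, folded to 16 bits, plus the file size) and runs it over a small constructed PE header, showing that a one-byte edit of the kind described invalidates the stored value until it is recomputed. The sample image and the patch offset 0xF0 are constructed for the demonstration; nothing here is taken from smss.exe.

```python
import struct


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal 256-byte PE32 header image with a
    deliberately wrong CheckSum field. It is not a real executable."""
    img = bytearray(256)
    img[0:2] = b"MZ"                                      # DOS signature
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew: PE header at 0x40
    img[0x40:0x44] = b"PE\0\0"                            # PE signature
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)          # Machine=i386, NumberOfSections=1
    struct.pack_into("<HH", img, 0x54, 0xE0, 0x0102)      # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", img, 0x58, 0x10B)              # OptionalHeader.Magic = PE32
    struct.pack_into("<I", img, 0x58 + 0x40, 0xDEADBEEF)  # bogus CheckSum field
    return bytes(img)


def _checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum:
    e_lfanew + 4 (signature) + 20 (COFF header) + 0x40."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """Compute the PE image checksum.

    The CheckSum field is zeroed in a working copy, which is equivalent to
    skipping it and does not depend on the field being dword aligned. The
    image is padded to a multiple of 4 so an odd-length file is fully summed.
    """
    buf = bytearray(data)
    cs_off = _checksum_offset(data)
    buf[cs_off:cs_off + 4] = b"\0\0\0\0"
    buf += b"\0" * (-len(buf) % 4)

    total = 0
    for off in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, off)[0]
        if total > 0xFFFFFFFF:                 # end-around carry at 32 bits
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)   # fold to 16 bits
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)                   # real (unpadded) file size is added


def stored_checksum(data: bytes) -> int:
    """The CheckSum value currently written in the optional header."""
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def with_checksum(data: bytes) -> bytes:
    """Return a copy whose CheckSum field holds the correct value; this is
    what 'correct PE checksum' means after editing a binary."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(data), pe_checksum(data))
    return bytes(buf)


def verify_checksum(data: bytes) -> bool:
    """True when the stored CheckSum matches the computed one. On a system
    binary that normally carries a valid checksum, a mismatch is a cheap
    integrity signal worth a closer look (hash comparison against a known
    good copy); it is not proof of tampering, since many user-mode
    executables legitimately ship with the field left at 0."""
    return stored_checksum(data) == pe_checksum(data)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(f"stored 0x{stored_checksum(sample):08X}, computed 0x{pe_checksum(sample):08X}, "
          f"valid={verify_checksum(sample)}")
    fixed = with_checksum(sample)
    print(f"after recompute: valid={verify_checksum(fixed)}")
    patched = bytearray(fixed)
    patched[0xF0] = 0x01                       # a one-byte edit, like the smss.exe fix
    print(f"after one-byte patch: valid={verify_checksum(bytes(patched))}")
    print(f"after recompute again: valid={verify_checksum(with_checksum(bytes(patched)))}")
```

Run stand-alone it prints the stored/computed pair for the constructed image, then shows the checksum going valid, invalid after the one-byte edit, and valid again once recomputed. The checksum is an integrity aid, not an authentication mechanism: whoever can write the file can also rewrite the field, so a known-good hash or signature comparison is what settles whether a system binary has actually been changed.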