Re: Peculiar login troubles.

From: S.Leyers (s.leyers@subdimension.com)
Date: 04/15/02


From: "S.Leyers" <s.leyers@subdimension.com>
To: <focus-ms@securityfocus.com>
Date: Mon, 15 Apr 2002 10:16:17 +0200

There is a fix for this though I didn't try it ... so you're on your own for
that one :)
Note that the author says "Works on: Any MS Windows NT 4.0, Windows 2000
(SPs before Mar-12-2002)"
So it might be that you've missed a fix.

Hope this helps.

1) Description of Debploit

  DebPloit allows Everyone to get a handle to any process or thread.
  The handles have enough access to promote everyone to system/admin (in
  the case Target is running under the LocalSystem or Administrator account).

  Works on: Any MS Windows NT 4.0, Windows 2000 (SPs before Mar-12-2002).
            Former NTs weren't tested.

  Discovered: Mar-09-2002.
  Author: Radim "EliCZ" Picha. Bugs@EliCZ.cjb.net.
          http://www.anticracking.sk/EliCZ.

  Details: Exploit\DebPloit.h.

  Principle: Ask the debugging subsystem (lives in smss.exe) to create
             (duplicate) handle(s) to Target for you:
             1. Become a dbgss client (DbgUiConnectToDbg).
             2. Connect to the DbgSsApiPort LPC port (ZwConnectPort).
                Everyone has access to this port.
             3. Ask dbgss to handle the CreateProcess SsApi with the client id
                (or pid or tid only) of Target (ZwRequestPort).
             4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT
                (WaitForDebugEvent). The message contains the duplicated
                handle(s).
             5. When the debugger's thread terminates (e.g. on logoff), the
                Target process or thread is terminated too (as if it was
                regularly debugged).

  How MS will solve this problem:
             *) Impersonate the requesting thread (or client of the port); try
                to open Target pid or tid; revert to self. If the open failed,
                refuse the request/debugging/duplication (csrss does it this
                way).
             *) Put restrictions on the DbgSsApiPort port: don't use the WORLD
                SID, ...
             [*) move dbgss to the kernel like in Windows XP ;)]
             I will tell you which solution MS used after the next hotfix or
             SP is out.

  How administrators can solve this problem:
             *) Modify the smss.exe file (one-byte change). See the HotFix
                directory.
             *) Hook NtConnectPort and refuse non-system/admin connections
                to DbgSsApiPort.
             *) Modify the security descriptor of the port object in kernel
                memory, ...

  Notes: It's interesting for how long (~6 years) this "possibility" was
         available.
         The "beauty" of this "exploit" is that it is supported by the OS.
         No overflows, no buggy drivers, no invalid pointers, no syscalls,
         no patching.

         NT3.51 - NT4SP3: the ability to open Target is tested in
         DebugActiveProcess only -> mistake. A hotfix was available
         after 2 months.

         NT4SP4 - W2KSP2: the ability to open Target is tested in
         CsrDebugProcess - but hey, it is not csrss who does the
         dbgss job! It is smss:dbgss who gives you the handles. Debugging
         subsystem and DBGSS are exact terms; smss can even load your
         (debugging) subsystem. csrss only assigns a debugging port to the
         Win32 process - so the process is debugged regularly, the debugger
         must be in a debug loop, intercept dll loads, output debug strings
         etc. By using DebPloit, Target is NOT debugged (although smss
         ensures Target is terminated when the "debugger" is terminated).

         Result: The ability to open Target should be tested in smss (only).
         DebPloit is present in NT 3.51 too - it is more than 6 years,
         isn't it?

         Next thing: It's NOT about LPC ports. Named pipes could be
         used for communication with dbgss as well.

         Last thing: Make a tour through LPC ports or named pipes (or some
         mutants). Maybe you'll be able to send some nice commands to
         LocalSystem processes.

2) Fix for Debploit

0) Disassemble the %systemroot%\system32\smss.exe file:
   dumpbin smss.exe -disasm > before.txt
1) Edit the %systemroot%\system32\smss.exe file.
2) Find the offset of the ANSI string "\DbgSsApiPort".
3) Find the reference to this string (find its offset) in the code.
4) "Below" this reference but "above" the call to NtCreatePort,
   the OBJECT_ATTRIBUTES structure is filled in.
5) Put NULL into OBJECT_ATTRIBUTES.SecurityDescriptor
   by using the register that contains 0 (and with which the other
   fields RootDirectory, Attributes and SecurityQualityOfService are
   initialized). This is a one-byte change.
6) Correct the PE checksum - optional.
7) After rebooting only system and administrators can connect
   to the \DbgSsApiPort LPC port.

----- Original Message -----
From: "CHRIS GRABENSTEIN" <LFGRABC@LF.VCCS.EDU>
To: "Josh Arieli" <JArieli@maf.org>; <focus-ms@securityfocus.com>
Sent: Friday, April 12, 2002 8:32 PM
Subject: RE: Peculiar login troubles.

I still haven't found a patch from MS to fix it. I've got all the updates
suggested in Windows Update and it still works. (Win2k SP2) On one hand I'm
glad it hasn't received more publicity than it has (College environment,
students have too much time on their hands), but on the other it won't get
fixed quickly if there's no pressure.

|-----Original Message-----
|From: Josh Arieli [mailto:JArieli@maf.org]
|Sent: Friday, April 12, 2002 2:28 PM
|To: CHRIS GRABENSTEIN; focus-ms@securityfocus.com
|Subject: RE: Peculiar login troubles.
|
|
|By the way, what MS security patch fixes the debploit issue?
|
|Josh
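As an added example (not part of this mail, not EliCZ's code, and not how Windows implements any of it), the following Python model shows the confused-deputy problem the "Principle" section above describes and the two fixes the quoted author names: restricting who may connect to the port (which is what the one-byte NULL SecurityDescriptor patch achieves, since a NULL descriptor makes the object take the creator's default DACL) and impersonating the requester before opening Target. The DACL walk is simplified, the tokens and process table are constructed, PORT_CONNECT is a stand-in bit, and the contents of LocalSystem's default DACL are assumed; the three well-known SID strings and the PROCESS_* masks are real winnt.h values.

```python
from dataclasses import dataclass

# Well-known SIDs (real Windows values) and access-right bits from winnt.h
# (PROCESS_ALL_ACCESS as defined for Vista and later). PORT_CONNECT is a
# constructed stand-in for the port's connect right.
SID_EVERYONE = "S-1-1-0"
SID_SYSTEM = "S-1-5-18"
SID_ADMINISTRATORS = "S-1-5-32-544"
PORT_CONNECT = 0x0001
PROCESS_DUP_HANDLE = 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF

@dataclass(frozen=True)
class Ace:
    """One access-control entry: allow or deny the bits in `mask` to `sid`."""
    allow: bool
    sid: str
    mask: int

@dataclass(frozen=True)
class Token:
    """Simplified access token: user SID plus group SIDs."""
    user: str
    groups: frozenset

    def sids(self):
        return self.groups | {self.user}

def access_check(dacl, token, desired):
    """Simplified NT DACL walk (assumption: an empty DACL denies everything).
    ACEs are evaluated in order: a matching deny ACE on a still-ungranted
    desired bit fails the check, matching allow ACEs accumulate granted bits,
    and the check passes once every desired bit is granted."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token.sids():
            continue
        if not ace.allow:
            if ace.mask & desired & ~granted:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired

# The port DACL the author describes: the WORLD SID may connect.
WORLD_PORT_DACL = (Ace(True, SID_EVERYONE, PORT_CONNECT),)
# What a NULL SecurityDescriptor yields: the creator's default DACL. smss runs
# as LocalSystem; its default DACL is assumed here to be SYSTEM + Administrators.
DEFAULT_PORT_DACL = (Ace(True, SID_SYSTEM, PORT_CONNECT),
                     Ace(True, SID_ADMINISTRATORS, PORT_CONNECT))

# Constructed tokens: the deputy itself, a local administrator, a plain user.
SYSTEM_TOKEN = Token(SID_SYSTEM, frozenset({SID_EVERYONE}))
ADMIN_TOKEN = Token("S-1-5-21-0-0-0-500", frozenset({SID_EVERYONE, SID_ADMINISTRATORS}))
USER_TOKEN = Token("S-1-5-21-0-0-0-1001", frozenset({SID_EVERYONE}))

# Constructed process table {pid: DACL}: a LocalSystem service (pid 4) and
# the plain user's own process (pid 1234).
PRIVILEGED = (Ace(True, SID_SYSTEM, PROCESS_ALL_ACCESS),
              Ace(True, SID_ADMINISTRATORS, PROCESS_ALL_ACCESS))
PROCESSES = {4: PRIVILEGED,
             1234: (Ace(True, USER_TOKEN.user, PROCESS_ALL_ACCESS),) + PRIVILEGED}

class DebugSubsystem:
    """Model of dbgss: a SYSTEM service that hands clients handles to processes."""

    def __init__(self, port_dacl, processes, impersonate):
        self.port_dacl = port_dacl
        self.processes = processes
        self.impersonate = impersonate  # "impersonate; open Target; revert to self"

    def connect(self, client):
        """Object-manager check when the client connects to the port."""
        return access_check(self.port_dacl, client, PORT_CONNECT)

    def request_handle(self, client, pid, desired=PROCESS_DUP_HANDLE):
        """True if the deputy would duplicate a handle to `pid` for `client`."""
        if not self.connect(client):
            return False
        # Flaw: the deputy opens Target in its own SYSTEM context, which always
        # succeeds, so the client never has to be able to open Target itself.
        # Fix: open in the client's context, so Target's DACL sees the client's SIDs.
        opener = client if self.impersonate else SYSTEM_TOKEN
        return access_check(self.processes[pid], opener, desired)

def vulnerable():
    return DebugSubsystem(WORLD_PORT_DACL, PROCESSES, impersonate=False)

def fixed_port_dacl():
    """Administrator's fix: NULL SecurityDescriptor -> default DACL on the port."""
    return DebugSubsystem(DEFAULT_PORT_DACL, PROCESSES, impersonate=False)

def fixed_impersonation():
    """Suggested vendor fix: impersonate the requester before opening Target."""
    return DebugSubsystem(WORLD_PORT_DACL, PROCESSES, impersonate=True)

if __name__ == "__main__":
    for name, dbgss in (("vulnerable", vulnerable()), ("port DACL fix", fixed_port_dacl()),
                        ("impersonation fix", fixed_impersonation())):
        print(f"{name:18}: user gets handle to pid 4 ->", dbgss.request_handle(USER_TOKEN, 4))
```

Running the script prints True only for the vulnerable configuration. The port-DACL fix stops the plain user at connect time, whereas the impersonation fix still lets everyone connect but refuses the handle to the SYSTEM process while granting one to the user's own process, which is why the author calls the impersonation check the proper place to test "ability to open Target".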


