|
Bugtraq
mailing list archives
Windows NT Screen Saver Vulnerability
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Tue, 9 Mar 1999 12:57:42 -0800
Cybermedia Software has found the following vulnerability:
< http://www.cybermedia.co.in/NT%20Security/SS%20vulnerability.htm >
Screen Saver vulnerability
Description:
The Screen Saver is started by Winlogon.Exe whenever the machine is
idle for the specified amount of time. Screen Saver setting is
a per user property and every user has right to set his own
screen saver.
The screen saver is started by Winlogon.Exe, initially in a suspended
mode using CreateProcess API call. Once Winlogon.Exe gets the
process handle to screen saver, it changes the primary security
token of the screen saver to that of the logged in user and
then resumes the screen saver process. This is done for
security reasons. If Winlogon were to NOT do this, then screen
saver would run with the security context of Winlogon.Exe
(which runs in system context).
Problem:
The Winlogon.Exe DOES NOT check whether the changing of Primary token
is successful. Hence if setting of primary token fails due to
some reason, the screen saver binary will run in system context
and be able to do whatever it pleases (e.g adding the logged in
user to admin group).
Simulation:
On Windows NT 3.51 and all its service packs, Windows NT 4.0 with
Service Pack 1, and NT 5.0 beta1 and beta2, when an MS-DOS
application is spawned, the returned process handle is junk
(rather it is a special event handle).
The simulation consists of one 32-bit application say BEADMIN.EXE and
one MS-DOS based application, say SCRNSAVE.EXE. The BEADMIN.EXE when
started does the following
* Creates one event in `not-signal'ed state
* Sets up the screen saver. The screen saver executable is specified
as SCRNSAVE.EXE and the timeout is set to minimum. . BEADMIN.EXE
now waits on the event.
After some time, the screen saver is triggered. This results in
Winlogon.Exe spawning SCRNSAVE.EXE. Since the CreateProcess call
returns junk handle to Winlogon.Exe, the setting of primary token
fails. Hence the SCRNSAVE.EXE application (NTVDM.EXE) runs in System
Context. This SCRNSAVE.EXE again spawns BEADMIN.EXE application. Now
this second copy of BEADMIN.EXE inherits the security context of NTVDM
which is System Context. This application adds the logged in user to
admin group and signals the event on which first instance of
BEADMIN.EXE is waiting. In response to this the first copy of
BEADMIN.EXE resets back the Screen Saver settings and quits.
The logged in user name is passed between the first and second copy of
BEADMIN.EXE using shared section.
Comments:
Although this program does not run on versions of Windows NT 4.0 after
Service pack 1, the vulnerability exists in these versions as
well. i.e in these versions also Winlogon.exe fails to perform
the validation. but the condition required for simulation does
not happen. i.e In these versions, winlogon.exe gets the proper
handle to the process.
Since the vulnerability is once again reproducible in the beta
versions of NT 5.0, it is clear that it needs to be fixed.
[1]Download Demo for Screen Saver vulnerability
Blueline.jpg (398 bytes)
Copyright© 1999, Cybermedia Software Private Limited. All trademarks
are property of their respective holders.
References
1. http://www.cybermedia.co.in/Free%20Downloads/ScrnSave.zip
 By Date 
By Thread
Current thread:
Re: More Internet Explorer zone confusion Tilman Schmidt (Mar 08)
Re: More Internet Explorer zone confusion Paul Leach (Mar 08)
|
Intro
