mailing list archives
Local Security Vulnerability in Windows NT and Windows 2000
From: "Ashot Oganesyan K." <ashot () protect-me com>
Date: Wed, 27 Mar 2002 13:01:58 +0300
* LOCAL SECURITY VULNERABILITY IN WINDOWS NT AND WINDOWS 2000
Radim "EliCZ" Picha (Bugs () EliCZ cjb net) discovered a vulnerability in
Windows NT 4.0 and Windows 2000. He has written an exploit called DebPloit
that shows the weakness of a local Windows NT/2000 security and totally
compromises entire security subsystem.
DebPloit uses a hole in the NT/2000 debugging subsystem and allows ANY user
with ANY privileges (even Guest and Restricted user) to execute processes in
the security context of an administrator or a local system (SYSTEM) account.
In other words, any person who have an access to the local computer can
became an administrator and do everything he/she wants.
Principle: Ask the debugging subsystem (smss.exe) to duplicate a handle to
Target (any process running on the local computer):
1. Become dbgss client (DbgUiConnectToDbg).
2. Connect to the DbgSsApiPort Local Procedure Call (LPC) port
(ZwConnectPort). Everyone can access this port.
3. Ask dbgss to handle CreateProcess SsApi with Target's client id
4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT
(WaitForDebugEvent). Message contains a duplicated handle.
5. Impersonate your security context using a duplicated handle.
6. Execute any code (e.g. run an external program) in the security context
Download DebPloit with a source code from
To test your system for this vulnerability:
1. Download DebPloit.zip and unzip it to the directory on your hard drive.
2. Logoff and login again using Guest (or any other non-administrative
3. Run ERunAsX.exe from the command line and specify a program you wish to
execute under the SYSTEM account (e.g. "ERunAsX.exe cmd").
4. Your program now runs under the SYSTEM account and you can do everything
(e.g. create new user with an administrative privileges) on the local
To close this hole and protect your computers and network against attacks
from the inside, you can use an unofficial hotfix released by SmartLine,
DebPloitFix is a hotfix that closes the security hole using by the DebPloit
exploit. DebPloitFix is implemented as a kernel mode driver that can be run
dinamically (no need to restart your system). DebPloitFix assigns the new
security descriptor to the DbgSsApiPort LPC port so only the local system
(SYSTEM user) will be able to access this port.
Download DebPloitFix with a source code from
For more information, please visit http://www.ntutility.com/freeware.html
- Local Security Vulnerability in Windows NT and Windows 2000 Ashot Oganesyan K. (Mar 29)