Date: 05 August 1998
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-98.03 AUSCERT Advisory
Privilege Elevation vulnerability on Microsoft Windows NT
05 August 1998
Last Revised: --
- ---------------------------------------------------------------------------
AusCERT has received information that a Privilege Elevation vulnerability
exists in various versions of Microsoft Windows NT.
This vulnerability may allow local users to gain administrative privileges.
Exploit information involving this vulnerability has been made publicly
available.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
AusCERT has received information that a Privilege Elevation
vulnerability exists in various versions of Microsoft Windows NT.
This vulnerability, if exploited, may allow a non-administrative user
to gain local administrative access to the system. To exploit this
vulnerability the attacker requires a valid local account and the
ability to run arbitrary code on the system. Note that while logging
in to the system normally requires console access, it may also be
possible if third party remote login software has been installed.
Once administrator privileges are gained, they may be leveraged to gain
unauthorised access to other machines on the network.
Exploit information involving this vulnerability has been made publicly
available and, under certain circumstances, it may be used by intruders
to run arbitrary code in the system security context and thereby grant
administrative privileges for themselves.
2. Impact
This vulnerability may allow local users to gain administrative
privileges.
3. Workarounds/Solution
Microsoft has released a Security Bulletin (MS98-009) describing this
vulnerability. This bulletin lists all versions of Microsoft Windows
NT which are known to be affected and includes patch/workaround
information. It is available from:
http://www.microsoft.com/security/bulletins/ms98-009.htm
AUSCERT encourages sites using Windows NT to refer to the Microsoft
suggested workaround and patches to prevent this vulnerability from
being exploited. For more information regarding this problem contact
Microsoft.
- ----------------------------------------------------------------------------
AUSCERT thanks Russ Cooper of NTBugtraq for his assistance in this matter.
- ----------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT
and AUSCERT Advisories, and other computer security information.
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after
hours for emergencies.
Postal: Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBNdCAiih9+71yA2DNAQE8XQP9EAG7gTjCxTvDCfon56e4rA4ehojL9iWo
ic9NxV6dwJGK13h5h36ihL53fSPDB7VCLDOMTK51BCVFNTeYrED7ONO3K5sC5gxt
Reu12l0pIaJBWJerW7HSCr7771w7qG/DNYN3t7tU0WjmHn89P4CPV6d0THmZEZQm
yVnaQLuoKKQ=
=2m/3
-----END PGP SIGNATURE-----