[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

WIN :[Fwd: [NTSEC] GetAdmin Hotfix]



This is a multi-part message in MIME format.

--------------415F331662F0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

There's a utility available on the net, that allows anyone with a local
account to get adminstrator priviledge on your NT machine.

This message details a fix.

--------------415F331662F0
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Received: from hydra.acs.uci.edu by nis.acs.uci.edu (8.8.5) id TAA21391; Tue, 8 Jul 1997 19:56:43 -0700 (PDT)
Received: from iss.net (qmailr@phoenix.iss.net [208.21.0.5]) by hydra.acs.uci.edu (8.8.5/8.7.1) with SMTP id TAA22637 for <strombrg@hydra.acs.uci.edu>; Tue, 8 Jul 1997 19:56:39 -0700 (PDT)
Received: (qmail 13927 invoked by alias); 8 Jul 1997 22:18:04 -0000
Delivered-To: nt-out-link@iss.net
Received: (qmail 13922 invoked by alias); 8 Jul 1997 22:18:03 -0000
Delivered-To: nt-out@iss.net
Received: (qmail 13915 invoked by uid 15); 8 Jul 1997 22:18:00 -0000
Received: (qmail 13902 invoked from network); 8 Jul 1997 22:17:55 -0000
Received: from arden.iss.net (root@208.21.0.8)
  by phoenix.iss.net with SMTP; 8 Jul 1997 22:17:55 -0000
Received: from ns1.ntshop.com ([207.91.166.2] (may be forged)) by arden.iss.net (8.8.6/8.7.3) with ESMTP id SAA27672 for <ntsecurity@iss.net>; Tue, 8 Jul 1997 18:17:52 -0400
Received: from rocket.ntshop.net (FROG.ntshop.com [207.91.166.52])
          by ns1.ntshop.com (post.office MTA v2.0 0813 ID# 153-13296)
          with SMTP id AAA201; Tue, 8 Jul 1997 17:16:11 -0500
X-Mailer: Microsoft Outlook Express 4.71.0544.0
From: mark@ntshop.net (Mark Joseph Edwards)
To: "NT Security" <ntsecurity@iss.net>
Subject: [NTSEC] GetAdmin Hotfix
Date: Tue, 8 Jul 1997 17:17:40 -0500
X-Priority: 1
X-MSMail-Priority: High
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0
Message-ID: <19970708221601966.AAA201@rocket.ntshop.net>
Sender: owner-ntsecurity@iss.net
Precedence: bulk
Reply-To: mark@ntshop.net (Mark Joseph Edwards)
X-Loop: ntsecurity
X-Comment: TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
X-Comment: DO NOT send subscribe/unsubscribe messages to ntsecurity@iss.net


GetAdmin HOTFIX is ready for DL. Here's the KB article.Mark (http://www.ntse
curity.netftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/h
otfixes-postSP3/getadmin-fixDOCUMENT:Q146965
TITLE   :GetAdmin Utility Grants Users Administrative Rights
PRODUCT :Microsoft Windows NT
PROD/VER:4.00 with SP3
OPER/SYS:WINDOWS
KEYWORDS:kbbug4.00 kbfile kbfix4.00 kbnetwork nt32ap ntsecurity NTSrvWkst

--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Workstation version 4.0 Service Pack 3
 - Microsoft Windows NT Server version 4.0 Service Pack 3
--------------------------------------------------------------------------

SYMPTOMS
========

A utility, Getadmin.exe, is being circulated on the Internet that grants
normal
users administrative rights by adding them to the Administrators group.
This
utility can be run from any user context except Guest and grants a local
user
account administrative rights.

CAUSE
=====

This problem occurs because of a problem in a low-level kernel routine
that
causes a global flag to be set which allows calls to NtOpenProcessToken to
succeed regardless of the current users permissions. This in turn allows
user
accounts to be granted administrative rights.

This problem only occurs on Windows NT 4.0 with Service Pack 3 installed.

RESOLUTION
==========

A fix has been developed by Microsoft which prevents this application from
granting administrative status to users. To resolve this problem, obtain
the
hotfix below, or wait for the next service pack.

NOTE: Service Pack 3 must be applied to Windows NT 4.0 prior to applying
this fix.

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/
   hotfixes-postSP3/getadmin-fix

STATUS
======

Microsoft has confirmed this to be a problem in Windows NT version 4.0.
A supported fix is now available, but has not been fully regression-tested
and should be applied only to systems experiencing this specific problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this fix.
Contact Microsoft Technical Support for more information.

MORE INFORMATION
================

Getadmin.exe must be executed locally and works for accounts on a
workstation or member server and for domain accounts on a primary domain
controller (PDC). The utility does not function on a backup domain
controller (BDC) because the account database on a BDC is read only. The
only way to use GetAdmin to modify a domain account database is to log on
to a primary domain controller and run the utility locally on the PDC.

Additional query words: 4.00 prodnt security hole breach

============================================================================


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.</XMP>
</FONT>
</BODY></HTML>


--------------415F331662F0--