S-99-10.asc
Posted Jan 10, 2000

Subject Update to Windows NT "KnownDLLs List" Vulnerability

systems | windows
SHA-256 | 7551015c7c97a7e0484bb883e578430fd2cfabd918c8a6f767b3fe157e22350b

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Egon Verharen Index : S-99-10
Distribution : World Page : 1
Classification: External Version: 1
Subject : Update to Windows NT "KnownDLLs List" Vulnerability
Date : 06-Mar-99
===============================================================================

By courtesy of Microsoft we received information on an update to Microsoft
Security Bulletin (MS99-006): Fix Available for Windows NT "KnownDLLs List"
Vulnerability.

CERT-NL recommends that you inform yourself about the vulnerability described
below and, if appropriate, install the hot fix.

==============================================================================

Update to Microsoft Security Bulletin (MS99-006)
- ------------------------------------------------

Fix Available for Windows NT "KnownDLLs List" Vulnerability

Originally Posted: February 19, 1999
Updated: March 5, 1999

Summary
=======
This is an update to Microsoft Security Bulletin MS99-006, which was originally
issued on February 19, 1999. Microsoft is issuing this updated bulletin to
inform customers of the availability of a patch, and to update the list of
affected products.

Microsoft has learned of a vulnerability affecting all versions of the
Microsoft(r) Windows NT(r) operating system, which could allow a user to
gain administrative privileges on a computer. In the most common usage
scenarios, this vulnerability presents itself on workstations, terminal
servers, and other systems that allow non-administrative users to
interactively log on. Less common configurations could also be affected,
and are discussed below.

The privilege elevation can be prevented by applying a hot fix that changes
the default access control settings on the relevant operating system
object. The hot fix is available for downloading from the Microsoft FTP
site. Microsoft recommends that customers who previously made a registry
change as a temporary workaround revert to the original registry setting and
use the hot fix instead.

Issue
=====
In Windows NT, core operating system DLLs are kept in virtual memory and
shared between the programs running on the system. This is done to avoid
having redundant copies of the DLLs in memory, and improves memory usage
and system performance. When a program calls a function provided by one of
these DLLs, the operating system references a data structure called the
KnownDLLs list to determine the location of the DLL in virtual memory. The
Windows NT security architecture protects in-memory DLLs against
modification, but by default it allows all users to read from and write to
the KnownDLLs list. This is the root problem underlying the vulnerability.

A user can programmatically load into memory a malicious DLL that has the
same name as a system DLL, then change the entry in the KnownDLLs list to
point to the malicious copy. From that point forward, programs that request
the system DLL will instead be directed to the malicious copy. When called
by a program with sufficiently high privileges, it could take any desired
action, such as adding the malicious user to the Administrators group.

It is important to understand that the user must be able to run exploitation
code on a machine in order to elevate their privileges. There are two types
of machines at risk:
- Machines that allow non-administrative users to interactively
log on. Workstation and terminal servers typically do allow this,
but, per standard security practices, most other servers only allow
administrators to interactively log on. (Even on workstations, it's
worth noting that most workstation users already are administrators
on the local machine).
- Machines that allow remote users to submit arbitrary programs for
execution. Servers such as domain controllers, line of business
servers, application servers, print and file servers and the like
typically do not accept arbitrary programs for execution.

It also is important to note that the scope of the privilege elevation is
highly dependent on the specific machine on which the exploitation code is
run. For example, a user who exploited this vulnerability on a workstation
could join the local Administrators group, but could not directly exploit
this vulnerability to become a domain administrator. However, a user who
exploited this vulnerability on a domain controller would be able to become
a domain Administrator, because the domain SAM is shared among all domain
controllers.

While there are no reports of customers being adversely affected by this
privilege elevation vulnerability, Microsoft is proactively providing
information to allow customers to prevent it. The hot fix changes the
default permissions on the KnownDLLs list to read-only, and is the
recommended corrective action for this vulnerability. The initial version of
this bulletin provided a workaround in the form of a registry change that
restricts users' ability to change system base objects, including the
KnownDLLs list. Although the registry change corrects the problem, it
encompasses a broader range of system behavior than the hot fix, and may not
be appropriate for all systems.

Affected Software Versions
==========================
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Enterprise Edition
- Microsoft Windows NT Server 4.0, Terminal Server Edition

What Microsoft is Doing
=======================
Microsoft has provided a patch that changes the default permissions on the
KnownDLLs list. Information on the patch is provided below in What
Customers Should Do.

Microsoft also has sent this security bulletin to customers
subscribing to the Microsoft Product Security Notification Service.
See http://www.microsoft.com/security/services/bulletin.asp for
more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q218473,
Restricting Changes to Base System Objects,
http://support.microsoft.com/support/kb/articles/q218/4/73.asp.
(Note: It might take 24 hours from the original posting
of this bulletin for the KB article to be visible in the
Web-based Knowledge Base.)

What customers should do
========================
Microsoft highly recommends that customers evaluate the degree of risk that
this vulnerability poses to their systems and determine whether to download
and install the hot fix. The hot fix changes the default permissions on the
KnownDLLs list, and is the recommended means of eliminating the
vulnerability.

The hot fix can be found at:
- X86-based Windows NT Workstation and Server 4.0
(including Enterprise Edition):
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/
usa/NT40/hotfixes-postSP4/Smss-fix/Smssfixi.exe
- X86-based Windows NT Server 4.0, Terminal Server Edition:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/
usa/NT40TSE/hotfixes-postSP3/Smss-fix/Smssfixi.exe
- Alpha-based Windows NT Workstation and Server 4.0
(including Enterprise Edition and Terminal Server Edition):
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/
usa/NT40/hotfixes-postSP4/Smss-fix/Smssfixa.exe
- Alpha-based Windows NT Server 4.0, Terminal Server Edition:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/
usa/NT40TSE/hotfixes-postSP3/Smss-fix/Smssfixa.exe

(Note: the above URLs have been word-wrapped for readability)

Registry Change
===============
It is also possible to eliminate this vulnerability via a registry change
that enables stronger protection on system base objects such as the
KnownDLLs list. However, because this registry change affects all system
base objects, rather than just the KnownDLLs list, it may not be
appropriate for all systems. The recommended fix for this vulnerability is
via the hot fix detailed above in What Customers Should Do. Customers who
previously used this registry change as a temporary workaround may wish to
revert to their original setting and install the hot fix as a permanent
solution.

Registry Change:
- Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\Session Manager
(note: the key name has been word-wrapped for readability)
- Name: ProtectionMode
- Type: REG_DWORD
- Value: 1

NOTE: Incorrectly changing the system registry can damage your system or
render it inoperable, and users undertake these changes at their own risk.
If you require assistance in making this change, see Obtaining Support on
this Issue below.
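The Issue and Registry Change sections above describe two things a defender can verify on a host: whether the ProtectionMode workaround is in place, and whether the DLLs named in the KnownDLLs list still resolve to trusted system binaries. The following PowerShell audit script is an added example and is not part of the CERT-NL advisory or the Microsoft bulletin. It assumes the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs (with its DllDirectory value) seeds the in-memory KnownDLLs list the advisory talks about, and that Get-AuthenticodeSignature can validate the DLLs (on current Windows most system DLLs are catalog-signed, which that cmdlet handles). The access control on the object itself, which the hot fix changes, is not visible through the registry; inspect it with a tool that can read the object-manager namespace, such as Sysinternals WinObj or AccessChk.

```powershell
# Added audit script (not from the CERT-NL / Microsoft bulletin).
# Run in an elevated PowerShell session on the host being checked.
# Assumption: the KnownDLLs registry key seeds the in-memory KnownDLLs list
# described in the advisory; DllDirectory names the directory the DLLs load from.

$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$knownDllsKey   = Join-Path $sessionManager 'KnownDLLs'

# 1. Registry workaround from the bulletin: ProtectionMode (REG_DWORD) = 1
#    restricts changes to all system base objects, not just the KnownDLLs list.
$protection = (Get-ItemProperty -Path $sessionManager -ErrorAction SilentlyContinue).ProtectionMode
if ($protection -eq 1) {
    Write-Output 'ProtectionMode = 1: base-object protection enabled (registry workaround applied)'
} else {
    Write-Output "ProtectionMode is '$protection': registry workaround not applied (hot fix may still be in place)"
}

# 2. Integrity of the DLLs named in the KnownDLLs list: every entry should
#    resolve to a file inside DllDirectory that carries a valid signature.
$props  = Get-ItemProperty -Path $knownDllsKey
$dllDir = [Environment]::ExpandEnvironmentVariables($props.DllDirectory)

# Registry values that are not DLL entries, plus the provider metadata
# PowerShell attaches to every Get-ItemProperty result.
$skip = @('DllDirectory', 'DllDirectory32',
          'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$report = $props.PSObject.Properties |
    Where-Object { $skip -notcontains $_.Name } |
    ForEach-Object {
        $path = Join-Path $dllDir $_.Value
        if (-not (Test-Path -Path $path)) {
            # An entry that points at a file missing from the system directory
            # deserves a look: the loader would search elsewhere for it.
            [pscustomobject]@{ Entry = $_.Name; Dll = $_.Value; Status = 'MISSING'; Signer = '' }
            return
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Entry  = $_.Name
            Dll    = $_.Value
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

$report | Format-Table -AutoSize

# Summarise anything that is not a validly signed file in DllDirectory.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' }
if ($suspect) {
    Write-Warning ("{0} KnownDLLs entr(y/ies) need review: {1}" -f $suspect.Count, ($suspect.Dll -join ', '))
} else {
    Write-Output 'All KnownDLLs entries resolve to validly signed files in the system directory.'
}
```

The script reads only; it does not change ProtectionMode, because the bulletin itself prefers the hot fix over the broader registry change. A non-empty warning at the end is a prompt for investigation (an unsigned or missing DLL in this list), not by itself proof of tampering, since third-party or very old system files may legitimately lack a signature.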

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-006,
Fix Available for Windows NT "KnownDLLs List" Vulnerability
(the Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-006.asp.
- Microsoft Knowledge Base (KB) article Q218473,
Restricting Changes to Base System Objects,
http://support.microsoft.com/support/kb/articles/q218/4/73.asp.
- Microsoft White Paper, Securing Windows NT Installation, available
at http://www.microsoft.com/security/resources/whitepapers.asp and
http://www.microsoft.com/ntserver/security/exec/
overview/Secure_NTInstall.asp

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges L0pht Heavy Industries (http://www.l0pht.com)
for discovering this vulnerability.

Revisions
=========
- February 19, 1999: Bulletin Created
- March 5, 1999: Bulletin Updated

For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands

EMERGENCIES : 06 22 92 35 64 ATTENDED AT ALL TIMES (Dutch domestic number)
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IpTSYjBqwfc9jEQKUXQCdEPjRyXnAFPPP/EUICY0IZZK1EjgAnjBe
OZShb0cDlA5GjRCsu33Z5gxG
=4Po+
-----END PGP SIGNATURE-----