Windows Security Concerns Rekindled
ENT, Sept 10, 1998 by Stephen Swoyer
In late July, Microsoft was notified that a program called SECHOLE.EXE, written by Prasad Dabak, Sandeep Phadke and Milind Borate -- three programmers from Pune, India, with master's degrees in computer engineering -- enabled user privilege elevation by taking advantage of existing Windows NT services. By locating the OpenProcess API call in memory, SECHOLE.EXE could modify the instructions of the API's running copy and thereby gain Debug-level access to a system process. Once Debug-level access had been achieved, SECHOLE.EXE could grant any user then logged on to the system membership in the Administrators group in the local Security Account Manager (SAM) database.
For its part, Microsoft reacted quickly, releasing a hotfix for SECHOLE.EXE hours later and rushing to reassure customers that the threat posed by SECHOLE.EXE wasn't quite so substantive as it might seem. "In order to perform this attack the user has to have a valid local account on the system and be able to run arbitrary code on the system. Normally this means they must have physical access to the computer in order to log in locally to the system," a Microsoft Security Bulletin (www.microsoft.com/security/bulletins/ms98-009.htm) reads. "Sensitive systems such as the Windows NT Domain Controllers where non-administrative users do not have any local log on rights by default are not susceptible to this threat." Although Microsoft contends that "the attack cannot be used over the network [to] get domain administrative privileges remotely," the three SECHOLE.EXE creators disagree. They publicly indicated that they plan to make available a tweaked SECHOLE.EXE version that makes it possible to remotely become a domain administrator of any domain under which an attacker has login privileges.
Restricting who can log on locally, backed by good physical security, will keep SECHOLE.EXE from posing a threat to most corporate networks, but some users still feel that the existence of tools like this poses a serious threat because absolute physical security is difficult to guarantee. David Bovee, a security engineer with Internet and Web services provider Verio Northwest (Beaverton, Ore., www.verio.com), believes that Microsoft may be underestimating the importance of low-level exploits, and cautions administrators to be wary.
"One could argue that NT servers may not be specifically susceptible, because the default permissions do not allow nonadministrative users to log in," Bovee explains. "However, consider a compromised NT workstation where the log-in GUI was switched by the hacker to secretly capture usernames and passwords of those users changing passwords on the local workstation. This could include a domain administrator who happens to use that workstation as a primary system. Given this string of exploits, a hacker could still gain domain root access."
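The two conditions the bulletin turns on can both be audited: the membership of the local Administrators group, which is what SECHOLE.EXE changes, and who holds the interactive logon right that the attack needs in the first place. The script below is an added example written for this page, not code from the article, from Microsoft or from the SECHOLE.EXE authors. It assumes a modern Windows host with PowerShell 5.1 or later (the NT 4.0 machines of 1998 had no PowerShell), an elevated shell so that secedit may export the local policy, and a hypothetical baseline list of expected administrators that you would replace with your own.

```powershell
# Added example: audit local Administrators membership and the interactive logon right.
# Assumes PowerShell 5.1+ (Get-LocalGroupMember) and an elevated shell (secedit /export).

# Hypothetical baseline: the accounts that are supposed to be in Administrators.
$ExpectedAdmins = @('Administrator', 'Domain Admins')

# A SECHOLE-style escalation ends with an extra entry in the local Administrators group,
# so anything not on the baseline is reported.
$Members = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $Members) {
    $shortName = ($m.Name -split '\\')[-1]     # strip the COMPUTER\ or DOMAIN\ prefix
    if ($ExpectedAdmins -notcontains $shortName) {
        Write-Warning ("Unexpected Administrators member: {0} ({1}, SID {2})" -f `
            $m.Name, $m.ObjectClass, $m.SID)
    }
}

# Who may log on interactively? The bulletin's exemption for domain controllers rests on
# ordinary users lacking this right. secedit writes the policy as an INI-style file whose
# [Privilege Rights] section lists SeInteractiveLogonRight as comma-separated *SID values.
$cfg = Join-Path $env:TEMP 'secpol-audit.cfg'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($line) {
    $sids = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try {
            $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $acct = $sid }    # leave unresolvable SIDs as-is
        # S-1-5-32-545 is BUILTIN\Users and S-1-1-0 is Everyone; either one on a server
        # means any account holder can log on locally and run code, which is all
        # SECHOLE.EXE required.
        if ($sid -in @('S-1-5-32-545', 'S-1-1-0')) {
            Write-Warning "Interactive logon granted broadly: $acct ($sid)"
        } else {
            Write-Output "Interactive logon: $acct ($sid)"
        }
    }
} else {
    Write-Output 'SeInteractiveLogonRight not set explicitly (OS default applies)'
}
```

Run it under an account that can read the local SAM and export security policy; on a domain controller the exported right reflects the effective policy, so a Users or Everyone entry there contradicts the assumption the bulletin relies on.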
If the disclosure of SECHOLE.EXE gained notoriety, the announcement of the so-called Back Orifice "tool" by the hacker group Cult of the Dead Cow (CDC, www.backorifice.net) approximated cyber-celebrity in its own right, even garnering substantial coverage in the general press.
CDC positions Back Orifice as a "remote administration system" that allows a user to surreptitiously control a Windows 9x computer across a TCP/IP connection using a simple console or GUI application. Because Back Orifice can be installed without an end user's knowledge and does not show up in the Windows 9x task list that appears when the CTRL-ALT-DEL key sequence is pressed, it can compromise network security without the user ever noticing.
Using a Back Orifice administrative GUI or command-line program, an unscrupulous hacker could share and unshare files on any Windows 9x workstation, or worse, retrieve passwords cached by the Windows 9x operating system. Back Orifice does not currently run on Windows NT.
As Frank Knobbe, a senior security consultant with systems integrator MicroAge (Nashville, Tenn., www.microage.com), notes, all of the publicity accorded Back Orifice can pose an additional danger to IT departments in the form of curious end users. "What frightens me is the publicity. Every John Doe that heard of Back Orifice can download and 'test' it in his corporate network," Knobbe asserts. "It's a nightmare for any network administrator, not because [these end users] pose a threat to NT systems but because they are going to screw other Windows 95 machines up. People will nuke themselves silly."
Microsoft, too, acknowledges the possibility of a threat posed by Back Orifice to Windows 9x operating systems, but maintains that Back Orifice is of no threat to either Windows NT Workstation or Windows NT Server. "There is no threat to customers of Windows NT Workstation or Windows NT Server," a Microsoft security bulletin (www.microsoft.com/security/bulletins/ms98-010.htm) asserts. "The program does not run on the Windows NT platform. The authors of 'Back Orifice' do not directly claim that their product poses any threat to Windows NT, even though it seems to be implied."