COMMAND

    NTLM

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Following is based on a BindView Security Advisory by Todd Sabin.
    Due to a flaw in the NTLM Security Support Provider's handling of
    client requests, it is possible for local users to send requests
    to the privileged server and make the server execute arbitrary
    code of the user's choosing.

    All Windows NT 4.0 machines are subject to compromise by any user
    who can log in locally and run arbitrary programs.  This could
    possibly lead to Domain Admin access, if Domain Admin credentials
    are on the machine.  In the case of Terminal Server, it should
    also be possible to use the credentials of other users on the
    compromised machine to take actions across the network as those
    other users.

    The NTLM Security Support Provider (NTLMSSP) service is found in
    ntlmssps.dll and is hosted by services.exe.  It handles most of
    the cryptographic calculations behind the NTLM protocol for
    clients.  It listens for client connections on the LPC port at
    \NtLmSecuritySupportProviderPort.  Once a client connects, it
    sends requests to the NTLMSSP to handle the various steps in the
    NTLM protocol.  The client indicates which function it wants done
    by putting the proper function number in the first 32-bit word of
    its LPC request to the NTLMSSP.  The NTLMSSP then uses this number
    to index a call table and calls the associated function.  The
    NTLMSSP _does_ perform a check on the function number to verify
    it's legal, but it does this check incorrectly, treating the index
    as signed instead of unsigned, so the check can be bypassed simply
    by making the number negative.
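    The following is an added illustration of the signed/unsigned
    bounds-check defect described above.  It is example code written
    for this page, not code from ntlmssps.dll or from the BindView
    advisory; the call table, its size and the handler names are
    assumptions.  It shows a table indexed by a 32-bit request word,
    validated once the flawed way (signed compare) and once the
    correct way (unsigned compare), and a dispatcher that only indexes
    the table after the correct check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative call table (assumed; not the real NTLMSSP table). */
#define TABLE_SIZE 4u

typedef int (*handler_fn)(void);

static int handle_negotiate(void)    { return 1; }
static int handle_challenge(void)    { return 2; }
static int handle_authenticate(void) { return 3; }
static int handle_teardown(void)     { return 4; }

static const handler_fn call_table[TABLE_SIZE] = {
    handle_negotiate, handle_challenge, handle_authenticate, handle_teardown,
};

/* Flawed check, modelled on the advisory's description: the first 32-bit
 * word of the request is interpreted as a signed integer and compared with
 * a signed bound.  Any negative value satisfies "< TABLE_SIZE" even though
 * it lies far outside the table.  (The uint32_t -> int32_t conversion of
 * 0xFFFFFFFF is implementation-defined in C but yields -1 on every common
 * compiler.) */
bool index_accepted_signed(uint32_t request_word)
{
    int32_t fn_number = (int32_t)request_word;
    return fn_number < (int32_t)TABLE_SIZE;
}

/* Correct check: compare as unsigned.  The same bit pattern 0xFFFFFFFF is
 * now 4294967295 and is rejected like any other out-of-range index. */
bool index_accepted_unsigned(uint32_t request_word)
{
    return request_word < TABLE_SIZE;
}

/* Dispatcher built on the correct check.  Returns the handler's result, or
 * -1 for a rejected request.  The table is indexed only after validation,
 * so no request word can make it read outside call_table. */
int dispatch(uint32_t request_word)
{
    if (!index_accepted_unsigned(request_word))
        return -1;
    return call_table[request_word]();
}

int main(void)
{
    /* Constructed request word: a client sending -1 as its function number. */
    uint32_t negative_one = 0xFFFFFFFFu;

    printf("signed check accepts 0x%08x:   %s\n", negative_one,
           index_accepted_signed(negative_one) ? "yes (bug)" : "no");
    printf("unsigned check accepts 0x%08x: %s\n", negative_one,
           index_accepted_unsigned(negative_one) ? "yes" : "no (rejected)");
    printf("dispatch(2) = %d, dispatch(0xFFFFFFFF) = %d\n",
           dispatch(2u), dispatch(negative_one));
    return 0;
}
```

    The same defect appears wherever a signed comparison guards an
    array index taken from an untrusted message; the fix is to treat
    the index as unsigned (or to check both bounds explicitly) before
    touching the table.  Compilers flag mixed signed/unsigned
    comparisons with warnings such as GCC's -Wsign-compare, which is
    a cheap way to catch this pattern in server code that parses
    requests.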

    So, the client can use more or less any index it wants to, but
    what can it use to jump somewhere useful?  Well, it happens that
    the NtConnectPort API which is used to connect to
    \NtLmSecuritySupportProviderPort allows the client to map a shared
    memory section into the server's address space, and is even kind
    enough to tell the client what address it was mapped at.  The
    client can then calculate the proper index to call through a
    pointer in the first 32 bits of that section, and put a pointer
    there to the rest of the section.  He can then fill that with
    whatever code he wants.  When he makes the proper request to the
    NTLMSSP, it will then call through to his code, and execute it as
    SYSTEM.

SOLUTION

    Windows 2000 is _not_ affected.  Install the hotfix from MS:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27804

    Microsoft's Knowledge Base article:

        http://www.microsoft.com/technet/support/kb.asp?ID=280119