[Dshield] New XP Flaw - cross post from bugtraq

Ed Truitt ed.truitt at etee2k.net
Thu Feb 19 20:01:00 GMT 2004


On Thu, Feb 19, 2004 at 07:33:19AM -0600, Carboni, Chris wrote:
> Don't shoot the messenger. ;)
> 
> Also available at
> http://www.securitytracker.com/alerts/2004/Feb/1009128.html
> 
> This could get ugly in a hurry, especially if other versions are shown to be
> vulnerable.
> 
> 
> 
> Snip
> 
> Multiple WinXP kernel vulns can give user mode programs kernel mode
> privileges
> 
> Summary
> =======
> 
> There exist several vulnerabilities in one of Windows XP kernel's native API
> functions which allow any user with the SeDebugPrivilege privilege to
> execute arbitrary code in kernel mode, and read from and write to any memory
> address, including kernel memory.
> 
> Tested systems
> ==============
> 
> Windows XP Pro SP1 with latest patches
> 
> It's likely that Windows 2003 also is vulnerable.
> 
> Details
> =======
> 
> ZwSystemDebugControl(), exported from ntdll.dll, calls a Windows operating
> system function NtSystemDebugControl(). This function is executed in ring 0
> (kernel mode) and is meant to be used by user mode debuggers having the
> SeDebugPrivilege privilege.
Yeah, we looked at this at work today.  Basically, if you have Administrator rights, you can assign yourself the SeDebugPrivilege right.  So, if you are Administrator, then you can do pretty much anything you want.  That may be a design flaw, but it isn't a bug - it's the way Windows works.  BTW, if you are "root" on a *nix box, you can also do lots of Very Bad Things to yourself (and other users on the box.)  No big deal, we have known about this for some time.

The "fix" for this is not Yet Another Patch, but hire trustworthy administrators.  And, if you can't trust them, get rid of them and hire someone you can.  Or, use an OS like Plan9, which doesn't have a concept of "Root" (or "SuperUser", which is pretty much the same as Administrator.)

-- 
<==============================================================>
Edward D. (Ed) Truitt
email:  ed.truitt at etee2k.net      
http://www.etee2k.net 
"Note to spammers: my 'delete' key is connected to YOUR ISP. 
Also, if you send me UCE, I reserve the right to post your spew 
on my Web site, with the appropriate color commentary, so that 
others may have a good laugh at your expense."
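The practical takeaway from the thread is that SeDebugPrivilege is effectively a kernel-level right, so a defender wants to know exactly which accounts hold it. The following PowerShell script is an added example, not code from the original post or the advisory: it exports the local security policy with secedit.exe, pulls the SeDebugPrivilege line from the [Privilege Rights] section, resolves the listed SIDs to account names, and flags any holder other than the built-in Administrators group. It assumes a modern Windows host with PowerShell and secedit.exe, an elevated prompt, and a temporary file path chosen here for illustration.

```powershell
# Added example (not from the original post): audit which accounts hold
# SeDebugPrivilege on this machine. Assumes Windows with secedit.exe and
# PowerShell, run from an elevated prompt. The temp file name is an
# assumption of this example.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'

# secedit writes the effective local policy as INI-style text; the
# [Privilege Rights] section carries lines like
#   SeDebugPrivilege = *S-1-5-32-544
# where '*' marks a SID rather than an account name.
secedit.exe /export /cfg $cfg /quiet | Out-Null

$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeDebugPrivilege is not assigned to any account on this host.'
    return
}

# Right-hand side is a comma-separated list of holders.
$entries = (($line -split '=', 2)[1]).Trim() -split ','

foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if ($entry.Length -eq 0) { continue }

    if ($entry.StartsWith('*')) {
        $sidString = $entry.TrimStart('*')
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidString)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolvable SID>'   # orphaned SID from a deleted account
        }
    } else {
        # Already an account name; resolve it to a SID for the comparison below.
        $name = $entry
        try {
            $acct      = New-Object System.Security.Principal.NTAccount($entry)
            $sidString = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sidString = '<unknown>'
        }
    }

    # S-1-5-32-544 is the built-in Administrators group, the default holder.
    # Anything else (service accounts, individual users, broad groups)
    # deserves a look, because it grants the access described in the thread.
    $status = if ($sidString -eq 'S-1-5-32-544') { 'expected' } else { 'REVIEW' }
    '{0,-8} {1,-40} {2}' -f $status, $name, $sidString
}
```

Run it from an elevated PowerShell session; a clean host prints a single "expected" line for BUILTIN\Administrators, and every "REVIEW" line is an account that can, per the advisory, reach kernel memory through the debug control interface and should be justified or removed in the local (or domain) security policy.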
