dcom_exploit.txt

1999-09-19T00:00:00
ID PACKETSTORM:15648
Type packetstorm
Reporter Packet Storm
Modified 1999-09-19T00:00:00

Description

`Subject: Exploiting DCOM to gain Administrative rights on Windows NT 4
To: BUGTRAQ@SECURITYFOCUS.COM


By using a combination of problems it is a relatively easy matter for a local user to gain administrative rights on a Windows NT 4 Server or Workstation, though this situation is easily rectifiable.
  
  
1) The default configuration permissions on Windows NT allow the Interactive User, that is the user currently logged on, to make modifications to the way a DCOM server should be run. Basically this means they can modify the subkeys under the HKCR\AppID registry key where information pertaining to the way these servers should be run is stored. Choosing an example that'll be on the majority of machines, consider Wordpad. Wordpad is a registered DCOM server. By navigating to the


HKCR\AppID\{73FDDC80-AEA9-101A-98A7-00AA00374959}


registry key, adding a new value, "LocalService", and supplying the name of a system service, a normal user will be able to start a service of their choosing.
  
  
2) After an install of certain software by an administrator, new system services can be registered, but not necessarily started automatically. Added to this, the NTFS rights on the service's image file may be lax. Consider an install of Internet Explorer 5. A system service, the System Event Notification service or SENS, is registered under the HKLM\CurrentControlSet\Services registry key but is not started. The default NTFS rights allow Everybody to overwrite the file.
  
  
Overwriting a service's image file with an "exploit" and getting it to run as system is hardly brain surgery, in so far as using it in a way to leverage more access to a system is concerned anyway. The problem lies in trying to get the service to run - a normal user just can't open the Services Control Panel applet and start a service.
  
  
Enter DCOM - stage right. Using a simple VBScript in an HTML document, such as


<SCRIPT LANGUAGE="VBScript">
CreateObject("Wordpad.Document.1")
</SCRIPT>


on opening it, the browser will request of the COM Service Control Manager (RPCSS.EXE) that it start the server so it can create an instance of the Wordpad.Document.1 class. RPCSS looks at the


HKCR\AppID\{73FDDC80-AEA9-101A-98A7-00AA00374959}


key and decides how to start it. Going back to stage 1) above, let's assume we supplied "SENS" as the data for the LocalService value we added. RPCSS will go ahead and start the SENS service because the default launch permissions allow the Interactive User to do so.
  
  
  
All that this takes for an NT system to be vulnerable is for one of the HKCR\AppID registry keys to have the default permissions and for a normal user to be able to overwrite one .exe or .dll that a non-started system service uses.
  
  
Needless to say, tightening the permissions of the relevant keys and files will resolve this problem.
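The two conditions the advisory combines (a writable HKCR\AppID subkey and a writable service image file) are easy to audit for. The script below is an added example, not part of the advisory or of any Microsoft tooling; it assumes a modern Windows host with PowerShell 5.1 or later, English default group names, and that the services hive lives at its usual location, HKLM\SYSTEM\CurrentControlSet\Services (it reads services through Win32_Service rather than the hive directly). The principal list and the bit masks are choices made for this example and can be widened to match local policy.

```powershell
# Added audit script (example code, not from the original advisory).
# Reports (1) HKCR\AppID subkeys that low-privilege principals may modify, and
# (2) service image files those principals may overwrite. Read-only rights are
# deliberately not counted, so the masks exclude READ_CONTROL and query bits.

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'     # the "Interactive User" of the advisory
)

# Registry rights that let a principal change how a DCOM server is launched.
$RegWriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                [System.Security.AccessControl.RegistryRights]::Delete -bor
                [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                [System.Security.AccessControl.RegistryRights]::TakeOwnership

# File rights that let a principal replace a service binary.
$FileWriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-LaxAce {
    # Returns the first low-privilege principal holding an Allow ACE that
    # intersects $Mask, or $null if none does.
    param($Acl, [int]$Mask)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # RegistryAccessRule and FileSystemAccessRule expose the rights under
        # different property names; read whichever one is present.
        $rights = if ($ace.PSObject.Properties['RegistryRights']) { [int]$ace.RegistryRights }
                  else { [int]$ace.FileSystemRights }
        if (($rights -band $Mask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

function Get-WeakAppIdKeys {
    # Condition 1: AppID subkeys a normal user can alter (LocalService shown if set).
    $results = @()
    foreach ($key in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $who = Test-LaxAce -Acl $acl -Mask $RegWriteMask
        if ($who) {
            $results += [pscustomobject]@{
                AppID        = $key.PSChildName
                WritableBy   = $who
                LocalService = $key.GetValue('LocalService')
            }
        }
    }
    return $results
}

function Get-WeakServiceImages {
    # Condition 2: service binaries a normal user can overwrite. Stopped services
    # are the interesting ones here, so State and StartMode are included.
    $results = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        # PathName may be quoted and may carry arguments; keep the executable only
        # (lazy match up to the first ".exe", which covers the common layouts).
        if ($svc.PathName -notmatch '^"?(.+?\.exe)') { continue }
        $image = $Matches[1]
        if (-not (Test-Path -LiteralPath $image)) { continue }
        $acl = Get-Acl -LiteralPath $image -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $who = Test-LaxAce -Acl $acl -Mask $FileWriteMask
        if ($who) {
            $results += [pscustomobject]@{
                Service    = $svc.Name
                State      = $svc.State
                StartMode  = $svc.StartMode
                ImagePath  = $image
                WritableBy = $who
            }
        }
    }
    return $results
}

Write-Host '== HKCR\AppID subkeys writable by low-privilege principals =='
Get-WeakAppIdKeys | Format-Table -AutoSize
Write-Host '== Service image files writable by low-privilege principals =='
Get-WeakServiceImages | Format-Table -AutoSize
```

A host is exposed in the way the advisory describes only when both tables have entries, but either finding on its own is worth fixing: restrict write access on the AppID subkeys to administrators and SYSTEM, and make sure no service binary is writable by anyone below that.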
  
  
NB ~ Windows 2000 will allow Power Users, Server Operators etc to gain Admin rights using similar methods.
  
  
Cheers,
David Litchfield
http://www.arca.com
http://www.infowar.co.uk/mnemonix
`