Reporter Packet Storm
`Subject: Exploiting DCOM to gain Administrative rights on Windows NT 4
By using a combination of problems it is a relatively easy matter for a
local user to gain administrative rights on a Windows NT 4 Server or
though this situation is easily rectifiable.
1) The default configuration permissions on Windows NT allow the Interactive
that is the user currently logged on, to make modifications to the way a
server should be run. Basically this means they can modify the subkeys under
the HKCR\AppID registry key where information pertaining to the way these
should be run is stored. Choosing an example that'll be on the majority of
consider Wordpad. Wordpad is a registered DCOM server. By navigating to the
registry key and adding a new value, "LocalService", and supplying the name
of a system
service a normal user will be able to start (a service) one of their
2) After an install of certain software by an administrator new system
be registered, but not necessarily started automatically. Added to this the
on the service's image file may be lax. Consider an install of Internet
A system service, the System Event Notification service or SENS, is
the HKLM\CurrentControlSet\Services registry key but is not started. The
rights allow Everybody to overwrite the file.
Overwriting a service's image file with an "exploit" and getting it to run
as system is hardly brain
surgery, in so far as using it in a way to leverage more access to a system
anyway. The problem lies in trying to get the service to run - a normal user
open the Services Control Panel applet and start a service.
Enter DCOM - stage right. Using a simple VBScript in an HTML document, such
an opening it will cause the browser request of the COM Service Control
Manager (RPCSS.EXE) that it start
the server so it can create an instance of the wordpad.document.1 class.
RPCSS looks at the
key and decides how to start it. Going back to stage 1) above let's assume
we supplied "SENS" as the data
for the LocalService we added. RPCSS will go ahead and start the SENS
service because the default launch
permissions allow the Interactive User to do so.
All that this takes is for one of the HKCR\AppID registry key to have the
default permissions and for
a normal user to be able to overwrite one .exe or .dll that a non-started
system service uses for an
NT system to be vulnerable.
Needless to say tightening the permissions of the relevant keys and files
will resolve this problem.
NB ~ Windows 2000 will allow Power Users, Server Operators etc to gain Admin
rights using similar methods.