[helpc] Windows 2000, undetectable attack

  • From: "Angel" <angel.alexander@xxxxxxxxx>
  • To: helpc@xxxxxxxxxxxxx
  • Date: Mon, 01 Apr 2002 13:01:08 +0200

The University of Stuttgart has just published a provisional fix limiting the
risk of an attack exploiting a flaw in Windows NT's "debug" mode. Without going
into detail, this defect bypasses a preliminary check step before a process
invoking a "debugging" operation is taken into account by the session manager.
To be carried out, the exploit requires nothing more than a careful reading of
how the mechanism works, and it seems very difficult to detect with classic
intrusion detection methods. For the moment there is no patch designed by
Microsoft, but the publication of the attack method should very probably speed
things up.


chsystem - Fixing ACLs on Windows

The chsystem program can be used to change permissions of named objects to 
SYSTEM-only access, if a vendor neglected to set proper permissions.
See below for an application of chsystem to fix the so-called DebPloit 
vulnerability (which allows all local users to gain SYSTEM access on Windows NT 
and 2000 systems).

Installation

NOTE: CHSYSTEM COMES WITH ABSOLUTELY NO WARRANTY. USE IT AT YOUR OWN RISK. YOU
HAVE BEEN WARNED.

1. Install GNAT, the GNU Ada compiler, either from the official site or from a
   local mirror. You need to install both self-extracting EXE files, and
   gnat-3.14p-nt.exe has to be installed first.
2. Download chsystem.adb (signature) and put it into a newly created directory.
3. In this directory, invoke gnatmake chsystem to compile the program, using
   your favorite command line shell.
4. Copy the compiled binary, chsystem.exe, to the preferred final place.

A precompiled version (signature) is also available. Note that, on Windows NT,
you have to obtain the PSAPI dynamic link library PSAPI.DLL separately. This
redistributable file is part of the Microsoft Platform SDK. GNAT for Windows
also includes a copy of PSAPI.DLL.

Invocation

chsystem expects two parameters:

1. The name of the process for which objects should be changed. The expected
   name is displayed by the Task Manager, for example.
2. The name of the object to be changed. This is application specific, of
   course.

chsystem exits with zero exit status if the SYSTEM-only ACL was applied
successfully. Otherwise, the exit status is non-zero, and an error message is
printed.

Fixing DebPloit

This program was primarily developed to have a temporary fix for the so-called
DebPloit vulnerability (which permits a local SYSTEM exploit; see the German
advisory from our notification service), for which full source code is
available. The required invocation for this application is:

    chsystem smss.exe \DbgSsApiPort

Note that you have to escape the backslash "\" according to the needs of your
command line shell.

You have to execute the command above after each reboot; you should include it
in the startup script of your workstations.
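The hardening primitive chsystem applies, a DACL that grants access to Local System only on a named kernel object, as an added example that is not chsystem's own code: the script creates a named event, replaces its DACL, reads it back, and checks that a fresh open is denied. The object name is constructed; locating \DbgSsApiPort inside smss.exe, which chsystem does, is not reproduced here.

```powershell
# Added example, not chsystem's own code: the hardening primitive the page
# describes, a DACL granting access to Local System only, applied to a named
# kernel object. Shown on an event this script creates; chsystem applies the
# same kind of ACL to \DbgSsApiPort in smss.exe, which is not reproduced here.
# Windows PowerShell 5.1 or later, any account.
using namespace System.Security.AccessControl
using namespace System.Security.Principal
using namespace System.Threading

$name = 'chsystem-demo-event'   # constructed object name

# DACL with a single ACE: Local System, full control, allow. Marked protected
# so no ACE can be inherited into it from a parent container.
$systemSid = [SecurityIdentifier]::new([WellKnownSidType]::LocalSystemSid, $null)
$acl = [EventWaitHandleSecurity]::new()
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule([EventWaitHandleAccessRule]::new(
    $systemSid, [EventWaitHandleRights]::FullControl, [AccessControlType]::Allow))

# Create the named object with its default DACL, then replace that DACL.
$ev = [EventWaitHandle]::new($false, [EventResetMode]::ManualReset, $name)
$ev.SetAccessControl($acl)

# Read the DACL back as SDDL: expect exactly one allow ACE, for SY (Local System).
$sddl = $ev.GetAccessControl().GetSecurityDescriptorSddlForm([AccessControlSections]::Access)
"DACL now: $sddl"

# A fresh open goes through the kernel's access check. From a non-SYSTEM account
# the default request (Modify + Synchronize) is denied, even for the object's
# owner, who only keeps READ_CONTROL and WRITE_DAC implicitly.
try {
    $again = [EventWaitHandle]::OpenExisting($name)
    'OpenExisting succeeded: the caller is running as Local System.'
    $again.Dispose()
} catch [System.UnauthorizedAccessException] {
    'OpenExisting denied: SYSTEM-only DACL is in effect.'
}
$ev.Dispose()
```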

Acknowledgements

chsystem is a libre (Free Software) reimplementation of DPfix by Radim "EliCZ"
Picha.

Please mail questions about chsystem to the author.

Angel A.
List admin.
angel.alexander@xxxxxxxxx

