The University of Stuttgart has just published a provisional fix that limits the risk of attacks exploiting a flaw in Windows NT's "debug" mode. Without going into detail, the defect bypasses a preliminary check that should take place before a process requesting a "debugging" operation is accepted by the session manager. Carrying out the exploit requires nothing more than a careful reading of how the mechanism works, and it appears very difficult to detect with conventional intrusion-detection methods. Microsoft has not produced a patch so far, but the publication of the attack method will very probably speed things up.

chsystem - Fixing ACLs on Windows

The chsystem program can be used to change the permissions of named objects to SYSTEM-only access when a vendor has neglected to set proper permissions. See below for an application of chsystem that fixes the so-called DebPloit vulnerability (which allows any local user to gain SYSTEM access on Windows NT and 2000 systems).

Installation

NOTE: CHSYSTEM COMES WITH ABSOLUTELY NO WARRANTY. USE IT AT YOUR OWN RISK. YOU HAVE BEEN WARNED.

Install GNAT, the GNU Ada compiler, either from the official site or from a local mirror. You need to install both self-extracting EXE files, and gnat-3.14p-nt.exe has to be installed first.

Download chsystem.adb (signature) and put it into a newly created directory. In this directory, invoke "gnatmake chsystem" from your favorite command line shell to compile the program. Copy the compiled binary, chsystem.exe, to its final location.

A precompiled version (signature) is also available.

Note that on Windows NT you have to obtain the PSAPI dynamic link library, PSAPI.DLL, separately. This redistributable file is part of the Microsoft Platform SDK. GNAT for Windows also includes a copy of PSAPI.DLL.

Invocation

chsystem expects two parameters:

1. The name of the process whose object should be changed. The expected name is the one displayed by the Task Manager, for example.
2. The name of the object to be changed. This is application specific, of course.

chsystem exits with a zero exit status if the SYSTEM-only ACL was applied successfully. Otherwise the exit status is non-zero and an error message is printed.

Fixing DebPloit

This program was primarily developed as a temporary fix for the so-called DebPloit vulnerability (which permits a local SYSTEM exploit; see the German advisory from our notification service), for which full source code is available. The required invocation for this application is:

chsystem smss.exe \DbgSsApiPort

Note that you have to escape the backslash "\" according to the needs of your command line shell. You have to execute the command above after each reboot, so you should include it in the startup script of your workstations.

Acknowledgements

chsystem is a libre (Free Software) reimplementation of DPfix by Radim "EliCZ" Picha. Please mail questions about chsystem to the author.

Angel A.
List admin.
angel.alexander@xxxxxxxxx
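A startup-script fragment for the workaround described under "Fixing DebPloit", added here as an example and not part of chsystem or of the University of Stuttgart page. It assumes chsystem.exe was copied to %SystemRoot%\System32 and that a log file under %SystemRoot% is writable by the account running the startup script; both the path and the log location are assumptions.

```batch
@echo off
rem Startup-script fragment for the DebPloit workaround (added example, not
rem part of chsystem). It re-applies the SYSTEM-only ACL after every boot and
rem records the outcome, because chsystem's own error message is lost when
rem the script runs unattended at startup.
rem Assumptions: chsystem.exe was copied to %SystemRoot%\System32 and the
rem log file below is writable by the account running the startup script.
setlocal
set CHSYSTEM=%SystemRoot%\System32\chsystem.exe
set LOGFILE=%SystemRoot%\chsystem.log

rem Build a timestamp with commands that exist on both NT 4.0 and 2000.
for /f "tokens=*" %%d in ('date /t') do set STAMP=%%d
for /f "tokens=*" %%t in ('time /t') do set STAMP=%STAMP% %%t

if not exist "%CHSYSTEM%" (
    echo %STAMP% ERROR: %CHSYSTEM% not found, DebPloit workaround NOT applied>>"%LOGFILE%"
    goto done
)

rem cmd.exe does not treat "\" as an escape character, so the object name is
rem passed as-is; shells such as bash (e.g. under Cygwin) would need \\.
"%CHSYSTEM%" smss.exe \DbgSsApiPort

rem chsystem exits with 0 on success and non-zero on failure; "if errorlevel 1"
rem is true for any exit code greater than or equal to 1.
if errorlevel 1 (
    echo %STAMP% ERROR: chsystem failed, \DbgSsApiPort in smss.exe still has the vendor ACL>>"%LOGFILE%"
) else (
    echo %STAMP% OK: SYSTEM-only ACL applied to \DbgSsApiPort in smss.exe>>"%LOGFILE%"
)

:done
endlocal
```

Reviewing the log after boot (or collecting it centrally) is what tells you whether the workaround is actually in place on a given workstation rather than merely scheduled.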