Exploit for Microsoft Windows 2000 and Windows NT
released around March 14, 2002 (1) that grants full Administrator privileges to
any user. Basically, it hijacks any
currently-running process with higher
privileges than you and gives you its
privileges. (We'll call that process Target
from now on.) It takes advantage of a
bug in these OSs'
debugging routines. How it works: (2)
Principle: Ask debugging subsystem to create (duplicate) handles to Target for you.
- Become dbgss client (DbgUiConnectToDbg).
- Connect to DbgSsApiPort LPC port (ZwConnectPort). Everyone has access to this port.
- Ask dbgss to handle CreateProcess SsApi with client id (or pid or tid only) of Target (ZwRequestPort).
- Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT(WaitForDebugEvent). Message contains duplicated handle(s).
- When debugger's thread terminates (e.g. on logoff), Target process or thread is terminated too (like it was regularly debugged).
As of its release around March 14, 2002, Microsoft had released no patch for it. This is still true today (3).
So, it gets access to the public debugging APIs, abuses them, and, in step 4, has hijacked the process. Furthermore, as the exploit does not change existing credentials for the user, minimal logging of the attack is possible. The sample exploit included performs a system() call after hijacking the process; it asks you what program to run.
The current location of the exploit is: http://www.anticracking.sk/EliCZ/bugs/DebPloit.zip. The exploit is written by Radim Picha, who calls himself EliCZ. The author has a discussion board put up at http://disc.server.com/Indices/148775.html.
I have tried the exploit against my Win 2K system, and it works fine. If you need help, /msg me. Please also /msg me with systems you've tested, as I'd like to add a list of vulnerable systems to this node.
- Release date estimated from BugTraq message date.
- How it works segment taken from DebPloit distribution file.
- If this assertion becomes wrong, I'll change this to: Microsoft releasted a patch on date in Knowledge Base Article Qxxxxxx.