The information in this article applies to:
SYMPTOMS
A utility, Getadmin.exe, is being circulated on the Internet that grants
normal users administrative rights by adding them to the Administrators
group. This utility can be run from any user context except Guest and
grants a local user account administrative rights. CAUSE
Getadmin.exe works because of a problem in a low-level kernel routine that
causes a global flag to be set which allows calls to NtOpenProcessToken to
succeed regardless of the current users permissions. This in turn allows a
user to attach to any process running on the system, including a process
running in the system's security context, such as WinLogon. Once attached
to such a process, a thread can be started in the security context of the
process.
RESOLUTION
A fix to the Windows NT Kernel routine, which was being used to set the
global flag, has been developed by Microsoft. This fix prevents an
application, such as Getadmin.exe, from attaching to WinLogon (or any
other process not owned by the user) and from granting administrative
rights to users.
Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack For your convenience, the English version of this post-SP3 hotfix has been posted to the following Internet location. However, Microsoft recommends that you install Windows NT 4.0 Service Pack 4 to correct this problem. ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/ hotfixes-postSP3/getadmin-fix STATUSMicrosoft has confirmed this problem could result in some degree of security vulnerability in Windows NT version 4.0. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4. MORE INFORMATION
Getadmin.exe must be executed locally and works for accounts on a
workstation or member server and for domain accounts on a primary domain
controller (PDC). The utility does not function on a backup domain
controller (BDC) because the account database on a BDC is read only. The
only way to use GetAdmin to modify a domain account database is to log on
to a primary domain controller and run the utility locally on the PDC.
http://www.microsoft.com/security/ NOTE: Because the Microsoft Web site is constantly updated, the site address may change without notice. If this occurs, link to the Microsoft home page at the following address: http://www.microsoft.com/ Additional query words: 4.00 security hole breach
Keywords : kbfile kbnetwork NT4SP4Fix ntsecurity kbbug4.00 kbfix4.00.sp4 nt32ap NTSrvWkst |
Last Reviewed: April 10, 1999 © 2000 Microsoft Corporation. All rights reserved. Terms of Use. |