Local Procedure Call May Permit Unauthorized Account Usage

• Microsoft Windows NT Workstation version 4.0
• Microsoft Windows NT Server version 4.0
• Microsoft BackOffice Server version 4.0
• Microsoft BackOffice Small Business Server version 4.5
• Microsoft Windows NT Server, Enterprise Edition version 4.0

SYMPTOMS

On a computer that is running Windows NT 4.0, it is possible for a malicious user to use a program that makes a specific local procedure call (LPC) to impersonate any other user who has local logon privileges and run any program, including programs that can run in the LocalSystem context. If the domain administrator's credentials are present on the computer, this could result in compromised security for the domain.

RESOLUTION

The following files are available for download from the Microsoft Download Center. Click the file names below to download the files:

Q247869i.exe for Intel-based computers

Q247869a.exe for Alpha-based computers

http://www.microsoft.com/downloads/search.asp

   Date       Time     Size        File name      Platform
   -------------------------------------------------------
   12/02/99   01:34p     952,960   Ntkrnlmp.exe   Intel
   12/02/99   01:33p     932,736   Ntoskrnl.exe   Intel
   12/02/99   01:32p   1,400,256   Ntkrnlmp.exe   Alpha
   12/02/99   01:32p   1,372,032   Ntoskrnl.exe   Alpha 

STATUS

Microsoft has confirmed this to be a problem in Windows NT 4.0.

MORE INFORMATION

For additional information about local procedure calls, see pages 95 and 119 of the Microsoft Windows NT Workstation 4.0 Resource Kit.

For related information about this problem, please visit the following Microsoft Web site:

http://www.microsoft.com/security/bulletins/ms00-003faq.asp

http://www.microsoft.com/security/

Additional query words: NtImpersonateClientOfPort LocalSystem

Keywords : ntdomain ntsecurity ntsp kbbug4.00 kbfix4.00
Version : winnt:4.0,4.5
Platform : winnt
Issue type : kbbug