Windows Security Concerns Rekindled
Microsoft Corp.’s operating systems have taken repeated rounds of criticism about their security over the past several years. Proving that new exploits continue to be found, during July and August the disclosure of two Windows-related security issues again brought the collective attention of the IT security community onto Windows operating systems.
In late July, Microsoft was notified that a program called SECHOLE.EXE, written by Prasad Dabak, Sandeep Phadke and Milind Borate -- three programmers from Pune, India, with master’s degrees in computer engineering -- enabled user privilege elevation by taking advantage of existing Windows NT services. By locating the OpenProcess API call in memory, SECHOLE.EXE could modify the instructions in the API call’s running instance and gain Debug-level access to a system. Once Debug-level access had been achieved, SECHOLE.EXE could then grant any user then logged into the system complete membership to the Administrators group in the local Security Account Manager database.
For its part, Microsoft reacted quickly, releasing a hotfix for SECHOLE.EXE hours later and rushing to reassure customers that the threat posed by SECHOLE.EXE wasn’t quite so substantive as it might seem. "In order to perform this attack the user has to have a valid local account on the system and be able to run arbitrary code on the system. Normally this means they must have physical access to the computer in order to log in locally to the system," a Microsoft Security Bulletin (www.microsoft.com/security/bulletins/ms98-009.htm) reads. "Sensitive systems such as the Windows NT Domain Controllers where non-administrative users do not have any local log on rights by default are not susceptible to this threat."
Although Microsoft contends that "the attack cannot be used over the network [to] get domain administrative privileges remotely," the three SECHOLE.EXE creators disagree. They publicly indicated that they plan to make available a tweaked SECHOLE.EXE version that makes it possible to remotely become a domain administrator of any domain under which an attacker has login privileges.
Good physical security will prevent SECHOLE.EXE from posing a threat to most corporate networks, but some users still feel the existence of tools like this poses a serious threat because absolute physical security is difficult to guarantee. David Bovee, a security engineer with Internet and Web services provider Verio Northwest (Beaverton, Ore.), believes that Microsoft may be underestimating the importance of low-level exploits, and cautions administrators to be wary.
"One could argue that NT servers may not be specifically susceptible, because the default permissions do not allow nonadministrative users to log in," Bovee explains. "However, consider a compromised NT workstation where the log-in GUI was switched by the hacker to secretly capture usernames and passwords of those users changing passwords on the local workstation. This could include a domain administrator who happens to use that workstation as a primary system. Given this string of exploits, a hacker could still gain domain root access."
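The end result of the SECHOLE.EXE technique described above is a new member in the local SAM's Administrators group, which is something an administrator can watch for directly. The following script is an added example, not code from the article or from Microsoft: it parses the member list printed by `net localgroup Administrators` on Windows NT, compares a current snapshot against an approved baseline, and flags any account that has been added. The two snapshots embedded below are constructed to mimic that command's output (the `jdoe` account in the second one is the hypothetical unexpected addition); on a real host you would capture the command's output and feed it to the same functions.

```python
"""Detect unexpected additions to the local Administrators group.

Added example (not from the article): keep a baseline of the local
Administrators group and diff each new snapshot against it. Both snapshots
here are constructed to look like `net localgroup Administrators` output.
"""
import re

# Constructed baseline snapshot: the approved membership.
BASELINE = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
The command completed successfully.
"""

# Constructed later snapshot: an ordinary local account (hypothetical "jdoe")
# has appeared in the group.
CURRENT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
jdoe
The command completed successfully.
"""

# The member list starts after a line of dashes and ends with this marker.
SEPARATOR = re.compile(r"^-{10,}\s*$")
END_MARKER = "The command completed successfully."


def parse_members(net_localgroup_output: str) -> set[str]:
    """Return the member names listed in `net localgroup` output.

    Original spelling is preserved for reporting; comparisons below are
    case-insensitive because Windows account names are not case-sensitive.
    """
    members = set()
    in_member_list = False
    for line in net_localgroup_output.splitlines():
        if not in_member_list:
            if SEPARATOR.match(line):
                in_member_list = True
            continue
        stripped = line.strip()
        if not stripped or stripped == END_MARKER:
            continue
        members.add(stripped)
    return members


def added_members(baseline: str, current: str) -> set[str]:
    """Names present in `current` but absent from `baseline`."""
    base = {m.lower() for m in parse_members(baseline)}
    return {m for m in parse_members(current) if m.lower() not in base}


def removed_members(baseline: str, current: str) -> set[str]:
    """Names present in `baseline` but absent from `current`."""
    cur = {m.lower() for m in parse_members(current)}
    return {m for m in parse_members(baseline) if m.lower() not in cur}


def report(baseline: str, current: str) -> str:
    """Human-readable drift report; an empty string means no change."""
    lines = []
    for name in sorted(added_members(baseline, current)):
        lines.append(f"ALERT: unexpected Administrators member added: {name}")
    for name in sorted(removed_members(baseline, current)):
        lines.append(f"NOTICE: Administrators member removed: {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, CURRENT) or "No drift in Administrators membership.")
```

Run periodically (for example from a scheduled job that captures `net localgroup Administrators` into a file), this turns the outcome of any local privilege-elevation tool into an alert, regardless of which API was patched to get there; removals are reported separately because they are usually legitimate cleanup rather than an attack.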
If the disclosure of SECHOLE.EXE gained notoriety, the announcement of the so-called Back Orifice "tool" by the hacker group Cult of the Dead Cow (CDC, www.backorifice.net) approximated cyber-celebrity in its own right, even garnering substantial coverage in the general press.
CDC positions Back Orifice as a "remote administration system" that allows a user to surreptitiously control a Windows 9x computer across a TCP/IP connection using a simple console or GUI application. Because Back Orifice can be installed without an end user’s knowledge and doesn’t show up on the Windows 9x program list that is invoked when the CTRL-ALT-DEL key sequence is depressed, it could potentially compromise network security without a user’s knowledge.
Using a Back Orifice administrative GUI or command-line program, an unscrupulous hacker could share and unshare files on any Windows 9x workstation, or worse, retrieve passwords cached by the Windows 9x operating system. Back Orifice does not currently run on Windows NT.
As Frank Knobbe, a senior security consultant with systems integrator MicroAge (Nashville, Tenn., www.microage.com), notes, all of the publicity accorded Back Orifice can pose an additional danger to IT departments in the form of curious end users. "What frightens me is the publicity. Every John Doe that heard of Back Orifice can download and 'test' it in his corporate network," Knobbe asserts. "It’s a nightmare for any network administrator, not because [these end users] pose a threat to NT systems but because they are going to screw other Windows 95 machines up. People will nuke themselves silly."
Microsoft, too, acknowledges the possibility of a threat posed by Back Orifice to the Windows 9x operating system, but maintains that Back Orifice is of no threat to either Windows NT Workstation or Windows NT Server. "There is no threat to customers of Windows NT Workstation or Windows NT Server," a Microsoft security bulletin (www.microsoft.com/security/bulletins/ms98-010.htm) asserts. "The program does not run on the Windows NT platform. The authors of ‘Back Orifice’ do not directly claim that their product poses any threat to Windows NT, even though it seems to be implied."
But it is Back Orifice’s purported inapplicability with regard to Windows NT that most troubles Verio Northwest’s Bovee, who has just completed a security analysis of the Back Orifice software for his company. "I programmed my screen saver with a pretty good password, and Back Orifice trivially decrypted it and spit it out to me," Bovee explains. "Likewise, I understand -- though I have not yet witnessed -- that it can decrypt the .PWL files that are created on 95/98 systems to ‘remember’ networking passwords."
Such encrypted .PWL files can contain cached Windows NT domain login credentials. According to Bovee, the availability of such credentials, even at the basic Windows NT "User" privilege level, could potentially become a major problem. "This is obviously where an enterprise would have to become quickly concerned," he emphasizes. "Most users cache their networking passwords, which -- guess what -- give the attacker a slew of login accounts/passwords that [he or she] can use to run GetAdmin or [any privilege elevation attack available to them] and thus compromise the larger network. This is key to the real problem with Back Orifice."
Microsoft has posted a hotfix for the SECHOLE.EXE privilege elevation exploit, available at: ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/priv-fix.
Information Security Systems Inc. (Atlanta, www.iss.net) has posted information to aid in the identification and removal of Back Orifice on Windows 9x systems, available at www.iss.net/xforce/alerts/advise5.html.