Windows Under Siege

The general consensus among many in the IT security community is that Microsoft’s Windows family of operating systems -- including Windows 95, Windows 98 and Windows NT -- is inherently unsecured. During the months of July and August, the disclosure of at least two salient Windows-related security issues once again brought the collective attention of the IT security community to bear on the Windows operating systems.

In late July, Microsoft was notified that a program called SECHOLE.EXE, written by Prasad Dabak, Sandeep Phadke and Milind Borate -- three programmers from Pune, India with master’s degrees in computer engineering, facilitated a user privilege elevation exploit by taking advantage of existing Windows NT services. By locating the OpenProcess API call in memory, SECHOLE.EXE could then modify the instructions in the API call’s running instance and gain Debug-level access to a system. Once Debug-level access had been achieved, SECHOLE.EXE could grant any user then logged into the system complete membership to the Administrators group in the local SAM database.

For its part, Microsoft reacted with alacrity, releasing a hotfix for SECHOLE.EXE literally hours later and rushing to reassure customers that the threat posed by SECHOLE.EXE wasn’t quite so substantive as it might ostensibly seem. "In order to perform this attack the user has to have a valid local account on the system and be able to run arbitrary code on the system. Normally this means they must have physical access to the computer in order to login in locally to the system," a Microsoft Security Bulletin (www.microsoft.com/security/bulletins/ms98-009.htm) reads. "Sensitive systems such as the Windows NT Domain Controllers where non-administrative users do not have any local logon rights by default are not susceptible to this threat."

With regard to Microsoft’s contention that "the attack cannot be used over the network [to] get domain administrative privileges remotely," the three SECHOLE.EXE creators disagree. They have publicly indicated their plan to make available a tweaked SECHOLE.EXE version that makes it possible to remotely become a domain administrator of any domain under which an attacker has login privileges.

Disregarding for the moment the question of SECHOLE.EXE’s applicability as a network threat, David Bovee, a security engineer with Internet and Web services provider Verio Northwest (Beaverton, Ore.), believes Microsoft may have underestimated the importance of such a low-level exploit on a more fundamental level, and cautions administrators to be wary.

"One could argue that NT servers may not be specifically susceptible because the default permissions do not allow non-administrative users to log in. However, consider a compromised NT workstation where the log-in GUI was switched by the hacker to secretly capture usernames and passwords of those users changing passwords on the local workstation," Bovee explains. "This could include a domain administrator who happens to use that workstation as a primary system. Given this string of exploits, a hacker could still gain domain root access.