Exploiting DCOM to gain administrative rights on Windows NT 4


By using a combination of problems it is a relatively easy matter for a local user to gain administrative rights on a Windows NT 4 Server or Workstation, though this situation is easily rectifiable.

1) The default configuration permissions on Windows NT allow the Interactive User, that is the user currently logged on, to make modifications to the way a DCOM server should be run. Basically this means they can modify the subkeys under the HKCR\AppID registry key where information pertaining to the way these servers should be run is stored. Choosing an example that'll be on the majority of machines consider Wordpad. Wordpad is a registered DCOM server. By navigating to the

HKCR\AppID\{73FDDC80-AEA9-101A-98A7-00AA00374959}

registry key and adding a new value, "LocalService", and supplying the name of a system service a normal user will be able to start (a service) one of their choosing.

2) After an install of certain software by an administrator new system services can be registered, but not necessarily started automatically. Added to this the NTFS rights on the service's image file may be lax. Consider an install of Internet Explorer 5. A system service, the System Event Notification service or SENS, is registered under the HKLM\CurrentControlSet\Services registry key but is not started. The default NTFS rights allow Everybody to overwrite the file.

Overwriting a service's image file with an "exploit" and getting it to run as system is hardly brain surgery, in so far as using it in a way to leverage more access to a system is concerned anyway. The problem lies in trying to get the service to run - a normal user just can't open the Services Control Panel applet and start a service.

Enter DCOM - stage right. Using a simple VBScript in an HTML document, such as

<SCRIPT LANGUAGE="VBScript">
CreateObject("Wordpad.Document.1")
</SCRIPT>

an opening it will cause the browser request of the COM Service Control Manager (RPCSS.EXE) that it start the server so it can create an instance of the wordpad.document.1 class. RPCSS looks at the

HKCR\AppID\{73FDDC80-AEA9-101A-98A7-00AA00374959}

key and decides how to start it. Going back to stage 1) above let's assume we supplied "SENS" as the data for the LocalService we added. RPCSS will go ahead and start the SENS service because the default launch permissions allow the Interactive User to do so.

All that this takes is for one of the HKCR\AppID registry key to have the default permissions and for a normal user to be able to overwrite one .exe or .dll that a non-started system service uses for an NT system to be vulnerable.

Needless to say tightening the permissions of the relevant keys and files will resolve this problem.

NB ~ Windows 2000 will allow Power Users, Server Operators etc to gain Admin rights using similar methods.

Cheers,
David Litchfield

Back