Microsoft Security Bulletin MS01-008

Technical description:

The NTLM Security Support Provider (NTLMSSP) service in Windows NT 4.0 is responsible for handling NTLM authentication requests, and runs by default on all Windows NT 4.0 systems. A flaw in the service's implementation could allow a service request from an unprivileged process to cause code to run in the context of the NTLMSSP service, which runs with Local System privileges. This could enable an attacker to programmatically levy a request that would have the effect of running code of her choice with System privileges. Because of the mitigating factors discussed below, workstations and terminal servers be the machines at greatest risk under most conditions.

Mitigating factors:

Vulnerability identifier: CAN-2001-0016 

Tested Versions:

Microsoft tested Windows NT 4.0 and Windows® 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. If an attacker successfully exploited this vulnerability, she would gain complete control over the machine. This would allow her to take any desired action on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group.
In order to exploit this vulnerability, the attacker would need to already have the ability to execute code on the local system. This means the attacker would need the ability to log onto the machine interactively and run code on the system. By default, unprivileged users cannot interactively log onto NT4 Domain Controllers, and these machines would therefore be at less risk from this vulnerability.

What causes the vulnerability?
The NTLM Security Support Provider (NTLMSSP) service (present on every NT 4.0 system) contains a flaw that could enable a local user account to initiate a specially formed request to the NTLMSSP service that would execute arbitrary code with LocalSystem security privileges.
Commands executed with LocalSystem privileges are run with privileges equal to or greater than a local administrator account. With these privileges, the specified commands could take any action on the machine, including adding the locally logged-on user to the local administrators group.

What is NTLMSSP?
The NTLMSSP service handles authentication requests associated with the NTLM protocol. This service operates as part of the NT4 operating system and is enabled by default.

How could an attacker exploit this vulnerability?
She would first need the ability to interactively logon to the machine with valid user credentials. Once logged in, she would need to be able to copy custom code to the machine, and/or execute this code from a floppy disk or CD-ROM on the local machine. The custom code would need to contain specifically formatted commands to initiate communication with the NTLMSSP service and execute the arbitrary code of her choice.

What could the attacker if she exploited this vulnerability?
An attacker could use this vulnerability to run any code she wanted in the LocalSystem context - that is, as the operating system itself. This would allow her to take any desired action on the machine.

Could this vulnerability be executed remotely?
No. The attacker's program would need to run locally on the machine. This means that the attacker would need the ability to log onto the machine interactively and start his program. This is an important point, because, if normal security restrictions are observed, unprivileged users will not be able to log onto critical machines such as servers, and would as a result be unable to attack them.

Is this vulnerability present in Windows 2000? What about Windows NT 4.0 systems that were updgraded to Windows 2000?
The NTLMSSP service in Windows 2000 is not vulnerable to this flaw. Systems that were upgraded from NT 4.0 to Windows 2000 are also not susceptible to this flaw.

What does the patch do?
The patch causes the requests at issue here to be correctly treated as invalid.

Download locations for this patch

Installation platforms:

This patch can be installed on systems running Windows NT 4.0 Workstation, Server, or Server, Enterprise Edition Service Pack 6a or Windows NT 4.0 Server, Terminal Server Edition, Service Pack 6.

Inclusion in future service packs:

The fix for this issue will be included in Windows NT 4.0 Service Pack 7.

Verifying patch installation: 

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q280119.
•	To verify the individual files, consult the file manifest in Knowledge Base article Q280119.

Caveats:

None

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches: 

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site

Top of section