SecHole Lets Non-administrative Users Gain Debug Level Access to a System Process

This article was previously published under Q190288
This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
A utility, Sechole.exe, is being circulated on the Internet that performs a very sophisticated set of steps that allows a non-administrative user to gain debug-level access on a system process. Using this utility, the non-administrative user is able to run code in the system security context and thereby grant himself or herself local administrative privileges on the system.
CAUSE
Sechole.exe locates the memory address of a particular API function (OpenProcess) and modifies the instructions at that address in the running image of the exploit program on the local system. Sechole.exe then requests debug rights, which give it elevated privileges. The request succeeds because the access check for this right was performed on the client side, in the API code that the exploit program has already modified within its own process, rather than by the server that grants the right. With debug-level access to a system process, Sechole.exe runs code in the system security context and adds the user who invoked it to the local Administrators group.
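The following C program is an added illustration of the design flaw described above; it is not Microsoft's code and not Sechole.exe, and the Session table, the server functions and patched_request() are assumptions made for the demonstration. It contrasts an access check that runs inside the caller's own process (where the caller can patch it) with the same check performed by the privileged server against state the server holds itself, which is the change the hotfix makes.

```c
#include <stdbool.h>
#include <stddef.h>

/* One logon session as the privileged server sees it. The caller cannot write
 * to this table; it can only change code in its own process. */
typedef struct {
    const char *name;
    bool is_admin;   /* authoritative group membership held by the server */
    bool has_debug;  /* the right the caller is trying to obtain */
} Session;

static Session g_sessions[] = {
    { "Administrator", true,  false },
    { "alice",         false, false },
};
#define N_SESSIONS (sizeof g_sessions / sizeof g_sessions[0])

static Session *server_lookup(size_t session_id) {
    return session_id < N_SESSIONS ? &g_sessions[session_id] : NULL;
}

/* ---- Flawed design: the access check runs in the caller's process ---- */

/* The check lives in code mapped into the caller. Calling it through a
 * function pointer stands in for the exploit overwriting the instructions at
 * the API's address in its own image (assumption: a model, not NT internals). */
typedef bool (*check_fn)(const Session *);
static bool client_access_check(const Session *s) { return s->is_admin; }
static check_fn g_client_check = client_access_check;

/* The server trusts that the client-side API has already done the check. */
static bool server_grant_debug_flawed(size_t session_id) {
    Session *s = server_lookup(session_id);
    if (s == NULL) return false;
    s->has_debug = true;
    return true;
}

bool request_debug_flawed(size_t session_id) {
    Session *s = server_lookup(session_id);
    if (s == NULL || !g_client_check(s)) return false;
    return server_grant_debug_flawed(session_id);
}

/* ---- Fixed design: the server checks against state it holds itself ---- */

static bool server_grant_debug_fixed(size_t session_id) {
    Session *s = server_lookup(session_id);
    if (s == NULL || !s->is_admin) return false;
    s->has_debug = true;
    return true;
}

bool request_debug_fixed(size_t session_id) {
    Session *s = server_lookup(session_id);
    if (s == NULL || !g_client_check(s)) return false;  /* early reject only */
    return server_grant_debug_fixed(session_id);
}

/* ---- What an unprivileged caller can do to code in its own process ---- */

static bool always_true(const Session *s) { (void)s; return true; }

/* Patch the in-process check, request the right under the chosen design, then
 * restore the check. Returns true if the session ended up holding the right. */
bool patched_request(bool use_fixed_design, size_t session_id) {
    Session *s = server_lookup(session_id);
    if (s == NULL) return false;
    s->has_debug = false;
    g_client_check = always_true;                 /* the "patch" */
    bool granted = use_fixed_design ? request_debug_fixed(session_id)
                                    : request_debug_flawed(session_id);
    g_client_check = client_access_check;
    return granted && s->has_debug;
}
```

With the check unpatched, both designs refuse the non-administrative session. Once the caller replaces the in-process check, the flawed design hands out the right because the server never looks at the caller's group membership itself; the fixed design still refuses, and the administrator still succeeds, because the decision is made from state the caller cannot reach.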
RESOLUTION

Windows NT 4.0

To resolve this problem, obtain the latest service pack for Windows NT version 4.0. For more information, please see the following article in the Microsoft Knowledge Base.

ARTICLE-ID: 152734
TITLE: How To Obtain the Latest Windows NT 4.0 Service Pack


While this hotfix is included with Service Pack 4, it is also available individually. This hotfix ensures that the access check to grant any rights is done by the server and not the client. This fix has been posted as Privfixi.exe (x86) and Privfixa.exe (Alpha). For your convenience, the English version of this post-SP3 hotfix has been posted to the following Internet location. However, Microsoft recommends that you install Windows NT 4.0 Service Pack 4 to correct this problem.



Windows NT Server version 4.0, Terminal Server Edition

To resolve this problem, obtain the latest service pack for Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack

This hotfix ensures that the access check to grant any rights is done by the server and not the client. This fix has been posted to the following Internet location as Privfixi.exe (x86) and Privfixa.exe (Alpha):

Windows NT 3.51

Microsoft has confirmed this problem could result in some degree of security vulnerability in Windows NT version 3.51. A fully supported fix is now available, but it has not been fully regression tested and should only be applied to systems determined to be at risk of attack. Please evaluate your system's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your system. If your system is sufficiently at risk, Microsoft recommends you download the fix as described below and apply this fix.

For a complete list of Microsoft Technical Support phone numbers and information on support costs, please go to the following address on the World Wide Web:

This fix should have the following file attributes:

   Date       Time    Size    File Name    Platform
   --------------------------------------------------
   07/31/98   02:47p  31,184  Csrsrv.dll   x86
   07/31/98   02:48p   4,400  Csrss.exe    x86
   07/31/98   05:47p  48,400  Csrsrv.dll   Alpha
   07/31/98   05:48p   5,904  Csrss.exe    Alpha


This hotfix ensures that the access check to grant any rights is done by the server and not the client. This fix has been posted to the following Internet location as Privfixi.exe (x86) and Privfixa.exe (Alpha):

MORE INFORMATION
This exploit can potentially allow a non-administrative user to gain local administrative access to the system and thereby elevate his or her privileges on the system. To perform this attack, the user has to have a valid local account on the system and has to be able to log on interactively to the system: at the console, or, on Windows NT Server 4.0, Terminal Server Edition, through a terminal session.

Sensitive systems, such as Windows NT domain controllers, where non-administrative users do not have any local log on rights by default, are not susceptible to this threat as long as that default has not been changed. The attack cannot be used over the network to get domain administrative privileges remotely.

For more information, please see the following Microsoft Security Bulletin at:

For additional security-related information about Microsoft products, please go to:

STATUS

Windows NT 4.0 and Windows NT Server version 4.0, Terminal Server Edition

Microsoft has confirmed this problem could result in some degree of security vulnerability in Windows NT version 4.0 and Windows NT Server version 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.

Windows NT 3.51

Microsoft has confirmed this problem could result in some degree of security vulnerability in Windows NT version 3.51.
Additional query words: Windows NT Privilege Elevation attack getadmin tse wts
Properties

Article ID: 190288 - Last Review: 10/09/2013 19:58:52 - Revision: 1.3

  • Microsoft Windows NT Server 4.0, Terminal Server Edition
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Enterprise Edition
  • kbnosurvey kbarchive kbbug kbfix KB190288