Serious NT bug emerges

A flaw in Microsoft's business OS allows a network user, and potentially anyone with Internet access, to impersonate a system administrator.

Michael Kanellos Staff Writer, CNET News.com
Michael Kanellos is editor at large at CNET News.com, where he covers hardware, research and development, start-ups and the tech industry overseas.
Michael Kanellos
2 min read
A flaw in Microsoft's Windows NT operating system allows an ordinary network user, and possibly anyone with Internet access, to impersonate a system administrator.

Armed with knowledge of how to exploit this flaw, anyone on a Windows NT client on an NT network can gain the power to switch other users' passwords, add new addresses, change access rights to confidential network areas, and generally run the network in the same manner as an administrator, according to Mark Edwards, a private security consultant and principal behind the NT Security and NT Shop Web pages.

"It's a pretty big problem," he said. "Even though it's a local attack, it's probably one of the top five or six bugs [for Windows NT]."

Microsoft learned of the bug last week and will issue a patch and security advisory later this evening on its Security Advisor Web site, said Karan Khannan, product manager on the NT security team at Microsoft. The bug does not effect Microsoft's Domain Controller server, but it can affect other Microsoft servers.

The bug consists of code written by programmers. When executed through a seat on an NT network, it seeks out the highest system-level authority for the user that it can find. Inevitably, the program gets the network to grant the user "debug-level" rights. Once a user gains these rights, they are only a few steps away from having the same power as administrator.

The flaw affects both the server and workstation versions of NT 4.0 and 3.51, according to Khannan.

The malevolent user typically has to act from inside the network and execute the bug program from a computer on the network. Conceivably, however, an outside actor could exploit the flaw across the Internet if the network is also using Internet Information server from Microsoft, said Edwards.

Khannan denied that the bug can work remotely. "Somebody can use this program if they have physical access local log-on rights," he said. "Once they have this, they can get elevated privileges."

Prasad Dabak, Sandeep Phadke, and Milind Borate, three programmers from India, discovered the flaw late last year. Edwards recently verified the existence of the flaw. The bug is similar to another NT glitch discovered last year, he added.

The trio are in the midst of publishing a book tentatively titled "Undocumented Windows NT," a guide to undocumented API (application program interface) calls.