J-Security Center

Title: Microsoft Windows NT 'NTLMSSP' Privilege Escalation Vulnerability

Severity: MODERATE

Description:

The NTLM Security Support Provider (NTLMSSP) service manages authentication requests related to the NTLM protocol. It is implemented in the "ntlmssps.dll" DLL and is hosted by the "services.exe" process. Because the "services.exe" process executes in the Local System security context, so does the NTLMSSP service.

Communication with the NTLMSSP service is accomplished via the Local Procedure Call (LPC) IPC mechanism. The service waits for requests in the "\NtLmSecuritySupportProviderPort" LPC port. Any local process can connect to this port and send requests to the NTLMSSP service.

The requests to the NTLMSSP service include an integer which indicates which of the functions offered by the NTLMSSP service the client wishes to call. The NTLMSSP service uses this integer as an index into a table of functions to select the appropriate function, which it then executes.

While the NTLMSSP service performs some checks on the value of the function index supplied by the calling process, it treats the index as a signed integer during these checks. Thus the checks can be bypassed by sending the service a negative index number. This allows the client to fool the service into executing code pointed at by some memory location in the address space of the service, in the Local System security context.
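The defect described above, as an added illustration that is not Juniper's or Microsoft's code: a constructed dispatch table with the signed-comparison bounds check beside its corrected form. The table contents, handler names and TABLE_SIZE are assumptions for the example; the real NTLMSSP table is not on this page.

```c
#include <stdio.h>

/* Toy function table standing in for the NTLMSSP dispatch table
 * (constructed for this example; not the real service's table). */
typedef int (*handler_fn)(void);

static int handler_a(void) { return 1; }
static int handler_b(void) { return 2; }
static int handler_c(void) { return 3; }

static handler_fn g_table[] = { handler_a, handler_b, handler_c };
#define TABLE_SIZE ((int)(sizeof(g_table) / sizeof(g_table[0])))

/* Vulnerable check: the index is compared as a signed int, so every
 * negative value satisfies "index < TABLE_SIZE" and is accepted,
 * which is the bypass the advisory describes. Returns 1 if accepted. */
int vulnerable_index_accepted(int index)
{
    return index < TABLE_SIZE;
}

/* Hardened check: compare as unsigned, so a negative value wraps to a
 * large number and is rejected together with out-of-range positives.
 * Equivalent explicit form: (index >= 0 && index < TABLE_SIZE). */
int hardened_index_accepted(int index)
{
    return (unsigned int)index < (unsigned int)TABLE_SIZE;
}

/* Dispatch guarded by the hardened check; -1 means the request was
 * rejected before any table lookup took place. */
int dispatch(int index)
{
    if (!hardened_index_accepted(index))
        return -1;
    return g_table[index]();
}

int main(void)
{
    int probes[] = { 0, 2, 3, -1 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("index %d: signed check %s, unsigned check %s\n", probes[i],
               vulnerable_index_accepted(probes[i]) ? "accepts" : "rejects",
               hardened_index_accepted(probes[i]) ? "accepts" : "rejects");
    }
    return 0;
}
```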

Local System privileges are equivalent to or above administrator access levels. If these privileges were gained, an attacker would have complete control over the system.

To successfully make use of the vulnerability, an attacker would need to find the code he wishes to execute and a memory location that holds the address of that code in the address space of the NTLMSSP service.

An attacker is aided by the fact that the NtConnectPort() function used to establish LPC communication with the service can be used by the client to map a shared memory segment into the address space of the server and learn at what address in the address space of the server it was mapped. Thus an attacker can write into the shared memory the pointer to the code he wishes to execute, write into the shared memory segment the code he wishes to execute, and calculate the index to use in a request to the NTLMSSP service such that the code in the shared memory segment is executed by the service under the Local System security context.

Affected Products:

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya S8100 Media Servers
  • Microsoft Windows NT Enterprise Server 4.0
  • Microsoft Windows NT Enterprise Server 4.0 SP1
  • Microsoft Windows NT Enterprise Server 4.0 SP2
  • Microsoft Windows NT Enterprise Server 4.0 SP3
  • Microsoft Windows NT Enterprise Server 4.0 SP4
  • Microsoft Windows NT Enterprise Server 4.0 SP5
  • Microsoft Windows NT Enterprise Server 4.0 SP6
  • Microsoft Windows NT Enterprise Server 4.0 SP6a
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 SP1
  • Microsoft Windows NT Server 4.0 SP2
  • Microsoft Windows NT Server 4.0 SP3
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Server 4.0 SP5
  • Microsoft Windows NT Server 4.0 SP6
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0
  • Microsoft Windows NT Terminal Server 4.0 SP1
  • Microsoft Windows NT Terminal Server 4.0 SP2
  • Microsoft Windows NT Terminal Server 4.0 SP3
  • Microsoft Windows NT Terminal Server 4.0 SP4
  • Microsoft Windows NT Terminal Server 4.0 SP5
  • Microsoft Windows NT Terminal Server 4.0 SP6
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Workstation 4.0 SP1
  • Microsoft Windows NT Workstation 4.0 SP2
  • Microsoft Windows NT Workstation 4.0 SP3
  • Microsoft Windows NT Workstation 4.0 SP4
  • Microsoft Windows NT Workstation 4.0 SP5
  • Microsoft Windows NT Workstation 4.0 SP6
  • Microsoft Windows NT Workstation 4.0 SP6a

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.