__________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

              Microsoft NTLMSSP Privilege Elevation Vulnerability

February 8, 2001 22:00 GMT                                        Number L-043
______________________________________________________________________________
PROBLEM:       A flaw in the NTLM Security Support Provider (NTLMSSP) service 
               allows a local user to initiate a specially formed request that
               executes arbitrary code with LocalSystem security privileges.
PLATFORM:      Windows NT 4.0 Workstation and Server
DAMAGE:        Elevation of privileges, resulting in possible Administrator
               compromise.  The user must be local. 
SOLUTION:      Apply the patches in this bulletin.  For servers, disallow non-
               privileged users from locally logging in (this is already a best
               business practice). 
______________________________________________________________________________
VULNERABILITY  MEDIUM. The adversary must have a valid local account with                        
ASSESSMENT:    execute privileges on the system to exploit this vulnerability 
               and elevate privileges. 
______________________________________________________________________________

[****** Start Microsoft Advisory ******]

-----BEGIN PGP SIGNED MESSAGE-----


- ---------------------------------------------------------------------
Title:  NTLMSSP Privilege Elevation Vulnerability
Date:           07 February 2001
Software:       Windows NT 4.0
Impact: Privilege Elevation
Bulletin:       MS01-008


Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/ms01-008.asp
- ---------------------------------------------------------------------


Issue:
======
A flaw in the NTLM Security Support Provider (NTLMSSP) service could
potentially allow a non-administrative user to gain administrative
control over the system. In order to perform this attack the user
would need a valid login account and the ability to execute arbitrary
code on the system.


Mitigating Controls:
====================
 - This vulnerability could only be exploited by an attacker
   who could log onto the affected machine interactively.


 - Servers could only be affected if the attacker were given the
   ability to load a program of her choice onto the machine and
   execute it locally.  Best practices recommend against this.


Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-008.asp
   for information on obtaining this patch.


Acknowledgment:
===============
 - Todd Sabin of BindView (http://razor.bindview.com)


- ----------------------------------------------------------------------


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.



-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3


iQEVAwUBOoHQDI0ZSRQxA/UrAQEYsAf+P433UquQRAqZRjPNGISjtT6NfI9ahVqp
7BYcOpkzNca2xox4e4My1ErNLJQvMjW9qWR/S6vuwW3qx7UymFDh2wReRujxNZWj
2B32SrWQTAwSZCvJZXWwVAQ0/Ad6YsZtSG0SmAnLJbXiWLhPmDpU1ewuvricHFoU
YixcN5wuAStMQc1ieK0jkI4UJRXXEzqxvWIgtC1TbC6m5MGYR/jXGONBQIsK66a9
gEbElK8oBIlX5nwBZR7K+5nHZrAmSy/pewSJLdUC2H68eKd/mPurMZtW7LpLRMuQ
QoZBtJrUzhf8xGYdyis5p1P5WL/LalE9xqQ/R6NfHjFQ92fxQlEKhw==
=BjqE
-----END PGP SIGNATURE-----


[****** End Microsoft Advisory ******]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-032: Class Loading Vulnerability in Sun Java (TM) Runtime Environment
L-033: Sun Java Web Server Vulnerability
L-034: HP Security Vulnerability in man(1) Command
L-035: HP-UX Support Tools Manager Vulnerability
L-036: FreeBSD procfs Vulnerabilities
L-037: FreeBSD periodic Uses Insecure Temporary Files
L-038: FreeBSD inetd ident Server Vulnerability
L-039: FreeBSD sort Uses Insecure Temporary Files
L-040: The Ramen Worm
L-041:  Microsoft Hotfix Packaging Anomalies
L-042: Compaq Web-enabled Management Software Buffer Overflow