November 17, 2000
by Chris Allen
One of my users managed to get admin access on my computers and changed the passwords on my Admin accounts. That was when I started my search for the way it was done. To recover, I booted from one of my repair disks so I could use my old SAM accounts, which I put back using MS-DOS. After that I went on the web to search for the way it was done. I visited the Hakerz hideout and checked the archives, where I found the program GetAdmin. It allowed a normal user to grant themselves admin access to a computer running NT 4.0, so long as it did not have Service Pack 4 installed, which contained the fix.

This is the line of code that makes it work:

ChangeNtGlobalFlag(GetNtGlobalFlagPtr());

After that you can open any process in the system, because NtOpenProcess does not check for SE_DEBUG_PRIVILEGE when a certain bit in the byte at NtGlobalFlag+2 is set. The program then injects a DLL into the winlogon process. Winlogon runs under the SYSTEM account, so the injected DLL can add or remove users in the Administrators group.
The bug is in a subfunction of NtAddAtom which does not check its output address, so it is possible to write into kernel memory. Of course it is not necessary to inject a DLL into winlogon to get admin rights: once you can write into kernel memory you can simply patch some part of ntoskrnl.exe, replace the process token, and so on.
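To make the bug class concrete, here is an added user-mode model, written for this page and not GetAdmin's or NT's code, of the chain the two paragraphs above describe and of the check the fix adds: a syscall that writes an atom through a caller-supplied output pointer without validating it, a NtOpenProcess that skips its privilege check when one bit in the byte at NtGlobalFlag+2 is set, and the search for an atom name whose value carries that bit. The fake kernel memory region, the flag offset, the chosen bit, the atom hash and all function names are the model's own assumptions.

```c
/* User-mode model of the GetAdmin bug class.  Added example, not NT code:
 * a "syscall" takes an output pointer from its caller and writes through it
 * without checking that the pointer lies in user space, so the caller can aim
 * it at kernel memory and flip the one bit that disables a privilege check.
 * Offsets, bit values, names and the atom hash are this model's assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_SIZE           64
#define NT_GLOBAL_FLAG_OFFSET 16    /* where the model keeps NtGlobalFlag (assumption) */
#define SKIP_DEBUG_CHECK_BIT  0x04  /* one bit in the byte at NtGlobalFlag+2 (assumption) */

/* The model's entire "kernel" address space; the union keeps it 4-byte aligned. */
static union { uint8_t b[KERNEL_SIZE]; uint32_t w[KERNEL_SIZE / 4]; } kernel;

void reset_kernel(void) { memset(kernel.b, 0, sizeof kernel.b); }

/* The check the fix adds: does this pointer lie outside kernel memory? */
int is_user_address(const void *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)kernel.b, hi = lo + KERNEL_SIZE;
    return !(a >= lo && a < hi);
}

/* Model atom table: a string atom is a 16-bit value in 0xC000..0xFFFF derived
 * from its name (the range matches NT's string atoms; the hash is ours). */
uint16_t atom_for_name(const char *name)
{
    uint32_t h = 5381;
    for (; *name; ++name) h = h * 33 + (uint8_t)*name;
    return (uint16_t)(0xC000 | (h & 0x3FFF));
}

/* Vulnerable subfunction: writes the atom wherever the caller points. */
int nt_add_atom_unchecked(const char *name, uint16_t *out)
{
    *out = atom_for_name(name);
    return 0;
}

/* Fixed version: refuse an output pointer that is not a user address. */
int nt_add_atom_checked(const char *name, uint16_t *out)
{
    if (!is_user_address(out)) return -1;   /* STATUS_ACCESS_VIOLATION in spirit */
    *out = atom_for_name(name);
    return 0;
}

/* NtOpenProcess as the page describes it: the SE_DEBUG_PRIVILEGE check is
 * skipped when the bit at NtGlobalFlag+2 is set.  Returns 1 if access is granted. */
int nt_open_process(int caller_has_debug_privilege)
{
    if (kernel.b[NT_GLOBAL_FLAG_OFFSET + 2] & SKIP_DEBUG_CHECK_BIT) return 1;
    return caller_has_debug_privilege ? 1 : 0;
}

/* The attacker does not choose the value written, only the atom name, so search
 * for a name whose atom puts the wanted bit into the byte at +2.  Which byte of
 * the 16-bit atom lands there depends on host endianness, so inspect a candidate
 * exactly as the write will lay it out in memory. */
int find_atom_name(uint8_t wanted_bit, char *buf, size_t buflen)
{
    for (unsigned i = 0; i < 65536; ++i) {
        uint16_t candidate;
        uint8_t first_byte;
        snprintf(buf, buflen, "getadmin%u", i);
        candidate = atom_for_name(buf);
        memcpy(&first_byte, &candidate, 1);
        if (first_byte & wanted_bit) return 0;
    }
    return -1;
}

/* The chain: one kernel write through the atom syscall, then an unprivileged
 * NtOpenProcess.  Returns 1 if the caller without SE_DEBUG_PRIVILEGE gets in. */
int run_getadmin_chain(int (*add_atom)(const char *, uint16_t *))
{
    char name[32];
    uint16_t *target = (uint16_t *)(kernel.b + NT_GLOBAL_FLAG_OFFSET + 2);
    if (find_atom_name(SKIP_DEBUG_CHECK_BIT, name, sizeof name) != 0) return 0;
    if (add_atom(name, target) != 0) return 0;   /* the fixed kernel stops here */
    return nt_open_process(0 /* no SE_DEBUG_PRIVILEGE */);
}

int main(void)
{
    reset_kernel();
    printf("unpatched kernel: unprivileged open_process -> %d\n",
           run_getadmin_chain(nt_add_atom_unchecked));
    reset_kernel();
    printf("patched kernel:   unprivileged open_process -> %d\n",
           run_getadmin_chain(nt_add_atom_checked));
    return 0;
}
```

Build with cc -std=c99 and run: the unpatched path reports 1 (the caller with no debug privilege opens the process) and the patched path reports 0, because the output pointer is rejected before anything is written. The search loop is the part worth noticing: the attacker never controls the value the syscall writes, only the name that produces it, and that is enough when the target is a single bit.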
The fix is to patch ntoskrnl.exe so that the NtAddAtom subfunction checks that its output address is a valid user-mode address. Blocking access to kernel memory in general does not really work on its own, because the write that matters is the single one made through NtAddAtom by the ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); call.
Get the Microsoft hotfix at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix