Case Sensitivity vulnerability

Description:

Using the permissions on the "\??" object directory, and by exploiting the case sensitivity of the object manager, it is possible to trojan any system executable.

Problem:

Any ordinary user has write permission on the \?? object directory. This is to allow users to map network drives or to use the "subst" utility to alias a directory to a new drive letter. Each drive on the system (local, network or substed) has an entry in the \?? object directory. Each entry is actually a symbolic link which points to the device associated with that drive (e.g. the symbolic link \??\C: will typically point to a device such as \Device\HardDisk0\Partition1).

It is possible to create a trojaned version of this symbolic link using a different case, e.g. a symbolic link such as \??\c: (notice the small letter 'c'). By doing this, all requests for drive C get routed through the trojaned symbolic link. For example, if you take the contents of the symbolic link \??\D:, create a symbolic link \??\c: and put those contents there, then executing a dir command on drive C will give you the directory listing of drive D. So effectively you can route the traffic for drive C to drive D. This is exactly what the simulation program exploits.

Simulation:

The description of the simulation assumes that you have unzipped the files from the demo into a directory called C:\FOO and that your Windows NT system directory is C:\WINNT\SYSTEM32. The simulation works on the latest service packs of all Windows NT versions (3.51, 4.0, 5.0). When you execute BESYSADM.EXE, the program performs the following steps:

* Create an identical directory structure of the Windows system directory under the directory C:\FOO, i.e. it will create a directory structure such as C:\FOO\WINNT\SYSTEM32.
* Copy all the POSIX subsystem binaries and required DLLs (except PSXSS.EXE) from the C:\WINNT\SYSTEM32 directory to C:\FOO\WINNT\SYSTEM32.
* Copy the trojaned version of PSXSS.EXE and a dummy POSIX application DUMMYAPP.EXE from C:\FOO to C:\FOO\WINNT\SYSTEM32.
* Get the contents of the symbolic link \??\C: and append \FOO to it, i.e. if the contents of the symbolic link \??\C: are \Device\HardDisk0\Partition1, then the new name formed will be \Device\HardDisk0\Partition1\FOO.
* Create a symbolic link \??\c: (note the small c) with the contents \Device\HardDisk0\Partition1\FOO.
* Hence, effectively, executing a dir command on drive C will now give the directory listing of C:\FOO.
* Next, the program starts the POSIX application DUMMYAPP.EXE as "POSIX /c DUMMYAPP.EXE".
* This results in SMSS.EXE starting the POSIX subsystem, which effectively loads the trojaned version of PSXSS.EXE.
* This trojaned version inherits the security context of SMSS.EXE, and hence our PSXSS.EXE runs with root privilege.
* This trojaned version adds the logged-in user to the local administrators group.
* The name of the logged-in user is passed through a file called u.ini that is created in the C:\FOO\WINNT directory.

Comments:

The program actually uses \DosDevices everywhere instead of \??, since Windows NT 3.51 does not have a \?? object directory and has a \DosDevices object directory instead. Starting from Windows NT 4.0, \DosDevices is actually a symbolic link which points to \??. Hence using \DosDevices allows the program to run on all Windows NT versions.

Instructions for Demo:

* Fresh boot the machine.
* Log in as any ordinary user (guest will also do).
* Unzip the files in the attached .ZIP file into some directory on any local hard drive on your machine.
* Run BESYSADM.EXE.

Note: If you are using a non-English version of Windows NT, or the local administrators group has been renamed, then specify the name of the local administrators group as a command line argument to BESYSADM.EXE. If no arguments are specified, the program assumes that you are running on an English version and that the name of the local administrators group is "Administrators".

Download Demo for Case Sensitivity vulnerability

Copyright© 1999, Cybermedia Software Private Limited. All trademarks are property of their respective holders.
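The artefact this attack leaves behind is a second drive-letter link in the object directory that differs from the real one only in case, with a target rooted below the real volume (the appended \FOO). The following is an added detection example written for this page; it is not code from the advisory or from Cybermedia. It parses a constructed, whitespace-separated listing of object-directory entries (name, object type, link target), in the shape one could transcribe from WinObj or from NtQueryDirectoryObject output, and flags any drive-letter symbolic link that shadows another spelling of the same letter. The listing, the helper names (parse_listing, find_shadowed_drive_links) and the entry format are all assumptions of this example.

```python
# Added example, not part of the original advisory: detect case-variant
# duplicate drive-letter links in an NT object-directory listing.
# The listing format "name type target" is an assumption of this example.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjEntry:
    name: str    # entry name inside the object directory, e.g. "C:"
    kind: str    # NT object type, e.g. "SymbolicLink"
    target: str  # link target for SymbolicLink entries, "" otherwise


DRIVE_LINK = re.compile(r"^[A-Za-z]:$")


def parse_listing(text: str) -> list[ObjEntry]:
    """Parse 'name type target' lines; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        name, kind = parts[0], parts[1]
        target = parts[2] if len(parts) > 2 else ""
        entries.append(ObjEntry(name, kind, target))
    return entries


def _is_below(child: str, parent: str) -> bool:
    """True if NT path `child` lies strictly inside `parent` (case-insensitive)."""
    c, p = child.rstrip("\\").upper(), parent.rstrip("\\").upper()
    return c != p and c.startswith(p + "\\")


def find_shadowed_drive_links(entries: list[ObjEntry]) -> list[dict]:
    """Report drive-letter links that collide case-insensitively with another link.

    The upper-case spelling (e.g. "C:") is treated as the canonical entry; any
    other spelling of the same letter is a shadow. If the shadow's target is
    rooted below the canonical target, that matches the advisory's pattern of
    appending a subdirectory (FOO) to the real volume path.
    """
    by_letter: dict[str, list[ObjEntry]] = {}
    for e in entries:
        if e.kind == "SymbolicLink" and DRIVE_LINK.match(e.name):
            by_letter.setdefault(e.name.upper(), []).append(e)

    findings = []
    for letter, links in sorted(by_letter.items()):
        if len(links) < 2:
            continue
        canonical = next((l for l in links if l.name == letter), None)
        for link in links:
            if link is canonical:
                continue
            findings.append({
                "name": link.name,
                "target": link.target,
                "shadows": canonical.name if canonical else None,
                "redirects_into_subdir": bool(
                    canonical and _is_below(link.target, canonical.target)
                ),
            })
    return findings


# Constructed listing mirroring the advisory's example: a genuine C: and D:
# plus a lower-case "c:" whose target is the C: volume with \FOO appended.
SAMPLE_LISTING = r"""
# name           type          target
C:               SymbolicLink  \Device\HardDisk0\Partition1
D:               SymbolicLink  \Device\CdRom0
c:               SymbolicLink  \Device\HardDisk0\Partition1\FOO
PhysicalDrive0   SymbolicLink  \Device\Harddisk0\DR0
"""

if __name__ == "__main__":
    for finding in find_shadowed_drive_links(parse_listing(SAMPLE_LISTING)):
        print(finding)
```

On the sample listing the only finding is the lower-case "c:" entry, reported as shadowing "C:" with redirects_into_subdir set, which is exactly the state BESYSADM.EXE leaves behind before it launches the POSIX subsystem. A listing with only one spelling per drive letter produces no findings.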