GetAdmin Utility Grants Users Administrative Rights (146965)
The information in this article applies to:
- Microsoft Windows NT Server 4.0 Terminal Server Edition
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
This article was previously published under Q146965 SYMPTOMS
A utility, Getadmin.exe, is being circulated on the Internet that grants
normal users administrative rights by adding them to the Administrators
group. This utility can be run from any user context except Guest and
grants a local user account administrative rights.
This problem does not occur on Windows NT 3.51.
CAUSE
Getadmin.exe works because of a problem in a low-level kernel routine that
causes a global flag to be set which allows calls to NtOpenProcessToken to
succeed regardless of the current users permissions. This in turn allows a
user to attach to any process running on the system, including a process
running in the system's security context, such as WinLogon. Once attached
to such a process, a thread can be started in the security context of the
process.
In the specific case of GetAdmin, it attaches to the WinLogon process,
which is running in the system's security context, and makes standard API
calls that add the specified user to the administrators group.
It is important to note that any account which has been granted the rights
to "Debug Programs" will always be able to run Getadmin.exe successfully,
even after the application of the hotfix. This is because the "Debug
Programs" right allows a user to attach to any process. The "Debug
Programs" right is initially granted to Administrators and should be only
granted to fully trusted users.
Also, if Getadmin.exe is run with an account that is already a member of
the administrators local group, it will still work (even after applying
the hotfix). This is by design. Members of the administrators group always
have the rights to make the calls GetAdmin needs in order to succeed.
RESOLUTION
A fix to the Windows NT Kernel routine, which was being used to set the
global flag, has been developed by Microsoft. This fix prevents an
application, such as Getadmin.exe, from attaching to WinLogon (or any
other process not owned by the user) and from granting administrative
rights to users.
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack
For your convenience, the English version of this post-SP3 hotfix has been
posted to the following Internet location. However, Microsoft recommends
that you install Windows NT 4.0 Service Pack 4 to correct this problem.
STATUS
Microsoft has confirmed this problem could result in some degree of
security vulnerability in Windows NT version 4.0.
This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.
Modification Type: | Major | Last Reviewed: | 10/14/2002 |
---|
Keywords: | kbbug kbfile kbnetwork KB146965 |
---|
|