DOCUMENT:Q146965

TITLE   :GetAdmin Utility Grants Users Administrative Rights

PRODUCT :Microsoft Windows NT

PROD/VER:4.0

OPER/SYS:WINDOWS

KEYWORDS:kbbug4.00 kbfile kbfix4.00 kbnetwork nt32ap ntsecurity NTSrvWkst



--------------------------------------------------------------------------

The information in this article applies to:



 - Microsoft Windows NT Workstation version 4.0

 - Microsoft Windows NT Server version 4.0

--------------------------------------------------------------------------



SYMPTOMS

========



A utility, Getadmin.exe, is being circulated on the Internet that grants

normal users administrative rights by adding them to the Administrators

group. This utility can be run from any user context except Guest and

grants a local user account administrative rights.



This problem does not occur on Windows NT 3.51.



CAUSE

=====



Getadmin.exe works because of a problem in a low-level kernel routine that

causes a global flag to be set which allows calls to NtOpenProcessToken to

succeed regardless of the current users permissions. This in turn allows a

user to attach to any process running on the system, including a process

running in the system's security context, such as WinLogon. Once attached

to such a process, a thread can be started in the security context of the

process.



In the specific case of GetAdmin, it attaches to the WinLogon process,

which is running in the system's security context, and makes standard API

calls that add the specified user to the administrators group.



It is important to note that any account which has been granted the rights

to "Debug Programs" will always be able to run Getadmin.exe successfully,

even after the application of the hotfix. This is because the "Debug

Programs" right allows a user to attach to any process. The "Debug

Programs" right is initially granted to Administrators and should be only

granted to fully trusted users.



Also, if Getadmin.exe is run with an account that is already a member of

the administrators local group, it will still work (even after applying the

hotfix). This is by design. Members of the administrators group always have

the rights to make the calls GetAdmin needs in order to succeed.



RESOLUTION

==========



A fix to the Windows NT Kernel routine which was being used to set the

global flag has been developed by Microsoft. This fix prevents an

application, such as Getadmin.exe, from attaching to WinLogon (or any other

process not owned by the user) and from granting administrative rights to

users.



To resolve this problem, obtain the hotfix below, or wait for the next

service pack.



This hotfix has been posted to the following Internet location:



   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/

   hotfixes-postSP3/getadmin-fix



STATUS

======



Microsoft has confirmed this to be a problem in Windows NT version 4.0.

A supported fix is now available, but has not been fully regression-tested

and should be applied only to systems experiencing this specific problem.

Unless you are severely impacted by this specific problem, Microsoft

recommends that you wait for the next Service Pack that contains this fix.

Contact Microsoft Technical Support for more information.



MORE INFORMATION

================



Getadmin.exe must be executed locally and works for accounts on a

workstation or member server and for domain accounts on a primary domain

controller (PDC). The utility does not function on a backup domain

controller (BDC) because the account database on a BDC is read only. The

only way to use GetAdmin to modify a domain account database is to log on

to a primary domain controller and run the utility locally on the PDC.



For more information on Windows NT security, please see the following

Internet sites:



 - http://www.microsoft.com/security/

 - http://www.microsoft.com/ntserver/info/security.htm



NOTE: Because the Microsoft Web site is constantly updated, the site

address may change without notice. If this occurs, link to the Microsoft

home page at the following address:



   http://www.microsoft.com/



Additional query words: 4.00 prodnt security hole breach



============================================================================



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS

PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS

ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES

OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO

EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR

ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,

CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF

MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION

OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES

SO THE FOREGOING LIMITATION MAY NOT APPLY.