===========================================================================
AA-98.03                        AUSCERT Advisory
        Privilege Elevation vulnerability on Microsoft Windows NT
                              05 August 1998

Last Revised: --

---------------------------------------------------------------------------

AusCERT has received information that a Privilege Elevation vulnerability
exists in various versions of Microsoft Windows NT.

This vulnerability may allow local users to gain administrative privileges.

Exploit information involving this vulnerability has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

---------------------------------------------------------------------------

1.  Description

    AusCERT has received information that a Privilege Elevation
    vulnerability exists in various versions of Microsoft Windows NT.
    This vulnerability, if exploited, may allow a non-administrative user
    to gain local administrative access to the system.

    To exploit this vulnerability the attacker requires a valid local
    account and the ability to run arbitrary code on the system. Note that
    while logging in to the system normally requires console access, it may
    also be possible if third party remote login software has been
    installed.

    Once administrator privileges are gained, this may be leveraged to gain
    unauthorised access to other machines on the network.

    Exploit information involving this vulnerability has been made publicly
    available and, under certain circumstances, it may be used by intruders
    to run arbitrary code in the system security context and thereby grant
    administrative privileges for themselves.

2.  Impact

    This vulnerability may allow local users to gain administrative
    privileges.

3.  Workarounds/Solution

    Microsoft has released a Security Bulletin (MS98-009) describing this
    vulnerability. This bulletin lists all versions of Microsoft Windows NT
    which are known to be affected and includes patch/workaround
    information. It is available from:

        http://www.microsoft.com/security/bulletins/ms98-009.htm

    AUSCERT encourages sites using Windows NT to refer to the Microsoft
    suggested workaround and patches to prevent this vulnerability from
    being exploited.

    For more information regarding this problem contact Microsoft.

---------------------------------------------------------------------------
AUSCERT thanks Russ Cooper of NTBugtraq for his assistance in this matter.
---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of each
user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBNdCAiih9+71yA2DNAQE8XQP9EAG7gTjCxTvDCfon56e4rA4ehojL9iWo ic9NxV6dwJGK13h5h36ihL53fSPDB7VCLDOMTK51BCVFNTeYrED7ONO3K5sC5gxt Reu12l0pIaJBWJerW7HSCr7771w7qG/DNYN3t7tU0WjmHn89P4CPV6d0THmZEZQm yVnaQLuoKKQ= =2m/3 -----END PGP SIGNATURE-----