Users login

Create an account »


Users login

Home » Hacking News » Local Security Vulnerability in Windows NT and Windows 2000

Local Security Vulnerability in Windows NT and Windows 2000

by Nikola Strahija on April 1st, 2002 Radim "EliCZ" Picha ([email protected]) discovered a vulnerability in Windows NT 4.0 and Windows 2000. He has written an exploit called DebPloit that shows the weakness of a local Windows NT/2000 security and totally compromises entire security subsystem.

DebPloit uses a hole in the NT/2000 debugging subsystem and allows ANY user
with ANY privileges (even Guest and Restricted user) to execute processes in
the security context of an administrator or a local system (SYSTEM) account.
In other words, any person who have an access to the local computer can
became an administrator and do everything he/she wants.

Principle: Ask the debugging subsystem (smss.exe) to duplicate a handle to
Target (any process running on the local computer):

1. Become dbgss client (DbgUiConnectToDbg).

2. Connect to the DbgSsApiPort Local Procedure Call (LPC) port
(ZwConnectPort). Everyone can access this port.

3. Ask dbgss to handle CreateProcess SsApi with Target's client id

4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT
(WaitForDebugEvent). Message contains a duplicated handle.

5. Impersonate your security context using a duplicated handle.

6. Execute any code (e.g. run an external program) in the security context
of Target.

Download DebPloit with a source code from

To test your system for this vulnerability:

1. Download and unzip it to the directory on your hard drive.

2. Logoff and login again using Guest (or any other non-administrative
account) account.

3. Run ERunAsX.exe from the command line and specify a program you wish to
execute under the SYSTEM account (e.g. "ERunAsX.exe cmd").

4. Your program now runs under the SYSTEM account and you can do everything
(e.g. create new user with an administrative privileges) on the local


To close this hole and protect your computers and network against attacks
from the inside, you can use an unofficial hotfix released by SmartLine,

DebPloitFix is a hotfix that closes the security hole using by the DebPloit
exploit. DebPloitFix is implemented as a kernel mode driver that can be run
dinamically (no need to restart your system). DebPloitFix assigns the new
security descriptor to the DbgSsApiPort LPC port so only the local system
(SYSTEM user) will be able to access this port.

Download DebPloitFix with a source code from

For more information, please visit

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »