A newly discovered security hole in the Windows NT operating system exposes crucial system files to any ordinary, non-administrative user. But network administrators may still be able to sleep at night, one expert said, because the hole is difficult to exploit.
The security risk was reported Thursday night by DilDog, a member of the Boston, Massachusetts-based l0pht security group.
Russ Cooper, moderator of the NT BugTraq mailing list, said the discovery was still significant because the bug exposes an organization to attacks from within.
"[The bug's] complexity and the fact that you have to be on the system minimizes the threat," Cooper said. "What is really of the most importance is that DilDog tells us of a way that our machines may have been compromised in the past."
Several months ago, DilDog discovered that a memory-conserving feature in NT opens a hole through which any user who can log on to the machine can redirect certain shared system libraries. The caveat is that the attack must be run locally, on a machine running NT Server or Workstation: the attacker must be physically seated at the machine or already have a way to run code on it remotely. It is therefore a privilege-escalation problem for insiders, not a remote break-in.
When Windows NT starts up, the system loads a series of shared dynamic link libraries, or DLLs. These software-code libraries perform various functions, such as printing.
The operating system then builds a map, or index, from each library's name to where its code resides. When a program needs one of these libraries, the loader consults the map and uses the already-loaded copy instead of searching the disk for the file. This saves memory and lets NT start programs faster.
DilDog discovered that this map could be modified by any user on the system, not just by administrators. With a set of commands written in C, a user could add an entry to the map that points a library's name at a file of the user's choosing. The next program that asks for that library, including a program running with higher privileges than the attacker, loads the attacker's code in its place. For example, by redirecting the library that handles printing, a malicious user could make the system run the program or application of his or her choice the next time something is printed.
DilDog posted both his source code, which allows access to the map, and the fix he wrote on the l0pht site. The hack is 300 to 400 lines of C code, he said.
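The only thing that makes the redirection possible is the permissions on the map itself, so the check an administrator wants is whether an ordinary user can still add entries to it. The script below is an added example written for this page; it is not DilDog's posted code or fix. It assumes, as the editor's reading of the article, that the "map" is NT's KnownDlls object directory (`\KnownDlls`, plus `\KnownDlls32` on 64-bit Windows), and it probes that directory with the native `NtOpenDirectoryObject` call, asking for the access rights needed to create an entry or rewrite the ACL. Run it as a standard user, not from an elevated prompt; an administrator being granted these rights is expected and tells you nothing.

```powershell
# Added example (not from the article or from l0pht): probe whether the current
# user can create objects in the KnownDlls object directory. Assumption: the
# "map" described in the article is the \KnownDlls object directory.

$NtDirSource = @'
using System;
using System.Runtime.InteropServices;

public static class NtDir
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        public ushort Length;        // bytes, excluding the terminator
        public ushort MaximumLength; // bytes, including the terminator
        public IntPtr Buffer;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;
        public uint Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    [DllImport("ntdll.dll")]
    public static extern int NtOpenDirectoryObject(out IntPtr DirectoryHandle,
        uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);

    [DllImport("ntdll.dll")]
    public static extern int NtClose(IntPtr Handle);

    public const uint OBJ_CASE_INSENSITIVE = 0x00000040;

    // Open the object directory with the requested access and return the NTSTATUS.
    // 0 means the access was granted; 0xC0000022 is STATUS_ACCESS_DENIED.
    public static int TryOpen(string ntPath, uint desiredAccess)
    {
        UNICODE_STRING name = new UNICODE_STRING();
        name.Buffer = Marshal.StringToHGlobalUni(ntPath);
        name.Length = (ushort)(ntPath.Length * 2);
        name.MaximumLength = (ushort)(name.Length + 2);
        IntPtr namePtr = Marshal.AllocHGlobal(Marshal.SizeOf(name));
        Marshal.StructureToPtr(name, namePtr, false);

        OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(oa);
        oa.ObjectName = namePtr;
        oa.Attributes = OBJ_CASE_INSENSITIVE;

        IntPtr handle;
        int status = NtOpenDirectoryObject(out handle, desiredAccess, ref oa);
        if (status == 0) { NtClose(handle); }

        Marshal.FreeHGlobal(namePtr);
        Marshal.FreeHGlobal(name.Buffer);
        return status;
    }
}
'@
if (-not ('NtDir' -as [type])) { Add-Type -TypeDefinition $NtDirSource }

# Access rights on object directories (values from the NT native API headers).
$Rights = [ordered]@{
    'DIRECTORY_QUERY'               = 0x00000001  # list entries: harmless
    'DIRECTORY_CREATE_OBJECT'       = 0x00000004  # add a link: enables the redirect
    'DIRECTORY_CREATE_SUBDIRECTORY' = 0x00000008
    'WRITE_DAC'                     = 0x00040000  # rewrite the ACL itself
}
$STATUS_ACCESS_DENIED = -1073741790  # 0xC0000022 as a signed 32-bit value

# \KnownDlls32 only exists on 64-bit Windows; a missing directory reports an error.
foreach ($path in @('\KnownDlls', '\KnownDlls32')) {
    "`n$path"
    foreach ($right in $Rights.Keys) {
        $status = [NtDir]::TryOpen($path, [uint32]($Rights[$right]))
        $verdict = if ($status -eq 0) { 'GRANTED' }
                   elseif ($status -eq $STATUS_ACCESS_DENIED) { 'denied' }
                   else { 'error' }
        '  {0,-32} {1,-8} NTSTATUS 0x{2:X8}' -f $right, $verdict, $status
    }
}
```

As an unprivileged user, every line except DIRECTORY_QUERY should read "denied". If DIRECTORY_CREATE_OBJECT or WRITE_DAC is reported as GRANTED for a standard account, that account can add a link to the directory and the redirection described above is possible on that machine; the fix is to tighten the directory's ACL so that only administrators and the system can create entries in it.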
DilDog said that many programmers may not even know of the hole because Microsoft never documented this loading mechanism in the information it provides for NT. But, he said, there are hackers who could pull off an attack of this kind, and the damage they could cause could be severe.
Microsoft could not be reached for comment.