VYPR
Unrated severity · NVD Advisory · Published Feb 20, 1999 · Updated Apr 16, 2026

CVE-1999-0376

Description

Local users in Windows NT can gain administrator privileges by modifying the writable KnownDLLs list to load malicious DLLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In all versions of Microsoft Windows NT, the KnownDLLs list, which maps core operating system DLLs to their locations in virtual memory, is writable by default, so any local user can modify it to point to a malicious DLL. When a program then calls a function from a known DLL, the system loads the attacker-specified DLL instead of the legitimate one, as described in Microsoft Security Bulletin MS99-006 [1].

Exploitation

An attacker must have the ability to interactively log on to the target Windows NT system. No additional privileges are required. The attacker can programmatically modify the KnownDLLs list to reference a malicious DLL that they have placed on the system. When a privileged process (e.g., a service or an administrator-run application) subsequently loads a known DLL, the malicious DLL is executed in the security context of that process, thereby elevating the attacker's privileges [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code with administrative privileges. This results in a complete compromise of the affected system, including the ability to install programs, view, change, or delete data, and create new accounts with full rights. The impact is limited to systems where non-administrative users can log on interactively, such as workstations and terminal servers [1].

Mitigation

Microsoft released a hot fix that changes the default access control settings on the KnownDLLs object to prevent modification by non-administrative users. The hot fix is available for download from the Microsoft FTP site. Microsoft recommends that customers who previously applied a registry-based workaround revert to the original settings and apply the hot fix instead. No other workarounds are documented in the available reference [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

    • cpe:2.3:o:microsoft:windows_nt:3.5.1:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp2:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp3:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp4:*:*:*:*:*:*
    • (no CPE)

Patches

No patches discovered yet.

References

1
