Windows NT has an undocumented facility called Local Procedure Call (LPC) that lets user-mode programs communicate with the Windows NT subsystems. Typically, a subsystem runs as a server thread that services requests arriving from client threads over an LPC port. The LPC API function NtImpersonateClientOfPort() allows a server thread to assume the security context of the client thread whose request it is servicing. Because the function does not sufficiently validate that the client identity it is handed actually belongs to the thread that sent the request, a server thread can supply spoofed arguments and impersonate any unrelated thread, acquiring that thread's security context. A local attacker can exploit this by creating both the server and the client side of an LPC connection and calling the function from the server thread with a spoofed client identity; the server thread then takes on the identity and security context of the thread it named. Since any running thread can be impersonated in this way, an attacker with an ordinary user account can obtain system privileges.
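The following is an added, simplified model written for this page, not Windows NT kernel code and not the vendor's fix. It shows the difference between an impersonation routine that trusts the client identity carried in the server-supplied message header and one that derives the identity from the port's own record of who actually sent the pending request. All structures, field names and the numeric process and thread identifiers are constructed for illustration; whether the shipped fix works this way is not stated on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the identity attached to an LPC message. */
typedef struct { uint32_t UniqueProcess; uint32_t UniqueThread; } CLIENT_ID;

/* Constructed model of a message header as handed to the impersonation call.
   ClientId here is whatever the caller (the server thread) wrote into it. */
typedef struct {
    uint32_t  MessageId;
    CLIENT_ID ClientId;
} PORT_MESSAGE;

#define MAX_PENDING 8

/* Constructed model of a port: the kernel-side record of requests that were
   really received on this port, with the sender identity the kernel observed. */
typedef struct {
    uint32_t  pending_id[MAX_PENDING];
    CLIENT_ID pending_sender[MAX_PENDING];
    int       pending_count;
} LPC_PORT;

/* Model of the server thread's token: who it is currently impersonating. */
typedef struct { CLIENT_ID impersonated; int impersonating; } SERVER_TOKEN;

static void port_init(LPC_PORT *port) { memset(port, 0, sizeof *port); }

/* A client thread sends a request: the port records the sender itself,
   independently of anything the server later claims. Returns 0 or -1 if full. */
static int port_request(LPC_PORT *port, uint32_t msg_id, CLIENT_ID sender) {
    if (port->pending_count >= MAX_PENDING) return -1;
    port->pending_id[port->pending_count] = msg_id;
    port->pending_sender[port->pending_count] = sender;
    port->pending_count++;
    return 0;
}

/* Vulnerable pattern: the identity to impersonate is taken straight from the
   message the server thread passed in. A server that also owns the client can
   write any ClientId it likes into that header. */
static int impersonate_trusting(LPC_PORT *port, const PORT_MESSAGE *msg,
                                SERVER_TOKEN *tok) {
    (void)port;                       /* the port is never consulted */
    tok->impersonated = msg->ClientId;
    tok->impersonating = 1;
    return 0;
}

/* Checked pattern: the message is looked up by MessageId among the requests
   actually pending on this port, and the sender recorded by the port is used.
   A MessageId with no pending request on this port is rejected, and the
   caller-supplied ClientId is ignored entirely. */
static int impersonate_checked(const LPC_PORT *port, const PORT_MESSAGE *msg,
                               SERVER_TOKEN *tok) {
    for (int i = 0; i < port->pending_count; i++) {
        if (port->pending_id[i] == msg->MessageId) {
            tok->impersonated = port->pending_sender[i];
            tok->impersonating = 1;
            return 0;
        }
    }
    return -1;                        /* no such request on this port */
}

/* Returns 1 if, with the given routine, a server thread that forges the
   ClientId in a message header ends up impersonating the forged thread. */
static int spoof_succeeds(int (*fn)(LPC_PORT *, const PORT_MESSAGE *, SERVER_TOKEN *)) {
    LPC_PORT port;
    port_init(&port);
    CLIENT_ID real_client = { 1000, 1001 };   /* constructed: the attacker's own client */
    port_request(&port, 7, real_client);
    CLIENT_ID target = { 4, 8 };              /* constructed: some unrelated privileged thread */
    PORT_MESSAGE forged = { 7, target };      /* valid MessageId, forged identity */
    SERVER_TOKEN tok = { { 0, 0 }, 0 };
    if (fn(&port, &forged, &tok) != 0) return 0;
    return tok.impersonated.UniqueProcess == target.UniqueProcess &&
           tok.impersonated.UniqueThread  == target.UniqueThread;
}

static int checked_wrapper(LPC_PORT *p, const PORT_MESSAGE *m, SERVER_TOKEN *t) {
    return impersonate_checked(p, m, t);
}

int main(void) {
    printf("trusting routine: spoof %s\n", spoof_succeeds(impersonate_trusting) ? "succeeds" : "fails");
    printf("checked routine:  spoof %s\n", spoof_succeeds(checked_wrapper) ? "succeeds" : "fails");
    return 0;
}
```

The point the model makes is that the only trustworthy source for "which thread sent this request" is the kernel's own record on the port; any identity the server thread can write into a buffer it controls is attacker-controlled when the attacker owns both ends of the connection.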