Microsoft has posted a fix for a "KnownDLLs List" vulnerability that could allow a user to gain administrative privileges on the computer the user is currently logged onto. As explained by Microsoft, Windows NT's core operating system files (DLLs) are kept in virtual memory and shared between programs running on the system. This is done to avoid having redundant copies of the DLLs in memory, and improves memory usage and system performance. When a program calls a function in one of these DLLs, the operating system references a data structure called the KnownDLLs list to determine the location of the DLL in virtual memory. The Windows NT security architecture protects in-memory DLLs against modification, but by default it allows all users to read from and write to the KnownDLLs list. And this is where the vulnerability comes into play.
If a user loads a malicious DLL into memory that has the same name as a valid system DLL, the entry in the KnownDLLs list can be changed to point to the malicious copy. The malicious DLL could then take any programmable action, such as adding the malicious user to the Local Administrators group, thus compromising security on the system.
Microsoft points out that this vulnerability can only occur if the malicious user can interactively log onto the system. It affects Microsoft Windows NT 3.5, 3.51, and 4.0, Standard and Enterprise Editions. Microsoft has published a Knowledge Base (KB) article (Q218473) on this issue called Restricting Changes to Base System Objects. The article discusses a Registry change that can be enabled to protect a system against this vulnerability.
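As an added audit example (not from the article or from Microsoft), the PowerShell script below checks on a current Windows system whether the KB Q218473 hardening is in place and walks the KnownDLLs list to confirm each entry resolves to a signed file in the system DLL directory; the value name ProtectionMode and the KnownDLLs key under Session Manager are not quoted in the article, they are the ones the KB article documents.

```powershell
# Added audit script (not part of the article): report the KB Q218473 setting and
# verify every KnownDLLs entry resolves to a signed file in DllDirectory.
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. KB Q218473 restricts changes to base system objects via ProtectionMode = 1 (REG_DWORD).
$protection = (Get-ItemProperty -Path $sessionManager -ErrorAction SilentlyContinue).ProtectionMode
if ($protection -eq 1) {
    Write-Output 'ProtectionMode = 1: base system objects are restricted (KB Q218473 applied).'
} else {
    Write-Output "ProtectionMode is '$protection': base system objects are NOT restricted."
}

# 2. Enumerate the KnownDLLs list. Every value except DllDirectory names one DLL.
#    An entry that does not resolve to a file in DllDirectory, or whose file is not
#    validly signed, is worth investigating.
$known  = Get-ItemProperty -Path "$sessionManager\KnownDLLs"
$dllDir = [Environment]::ExpandEnvironmentVariables($known.DllDirectory)

$known.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and $_.Name -ne 'DllDirectory' } |
    ForEach-Object {
        $path = Join-Path $dllDir $_.Value
        if (Test-Path -Path $path) {
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        } else {
            $sig = 'MISSING'
        }
        [PSCustomObject]@{ Entry = $_.Name; File = $path; Signature = $sig }
    } |
    Format-Table -AutoSize
```

Run it from an elevated prompt; any Signature other than Valid, or a MISSING file, means the list points somewhere it should not.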