Microsoft Security Bulletin MS01-008 - Critical

Malformed NTLMSSP Request Can Enable Code to Run with System Privileges

Published: February 07, 2001 | Updated: July 10, 2003

Version: 1.1

Originally posted: February 07, 2001
Updated: July 10, 2003


Who should read this bulletin:
System administrators using Microsoft® Windows NT® 4.0.

Impact of vulnerability:
Local privilege elevation.

Administrators should consider applying the patch to machines that allow unprivileged users to log onto them interactively.

Affected Software:

  • Microsoft Windows NT 4.0 Workstation
  • Microsoft Windows NT 4.0 Server
  • Microsoft Windows NT 4.0 Server, Enterprise Edition
  • Microsoft Windows NT 4.0 Server, Terminal Server Edition

General Information

Technical details

Technical description:

The NTLM Security Support Provider (NTLMSSP) service in Windows NT 4.0 is responsible for handling NTLM authentication requests, and runs by default on all Windows NT 4.0 systems. A flaw in the service's implementation could allow a service request from an unprivileged process to cause code to run in the context of the NTLMSSP service, which runs with Local System privileges. This could enable an attacker to programmatically levy a request that would have the effect of running code of her choice with System privileges. Because of the mitigating factors discussed below, workstations and terminal servers be the machines at greatest risk under most conditions.

Mitigating factors:

  • The specific request at issue here can only be levied by a process on the local system.
  • Best practices strongly suggest that unprivileged users not be allowed to interactively log onto business-critical servers. If this recommendation has been followed machines such as domain controllers, ERP servers, print and file servers, database servers, and others would not be at risk from this vulnerability.

Vulnerability identifier: CAN-2001-0016

Tested Versions:

Microsoft tested Windows NT 4.0 and Windows® 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. If an attacker successfully exploited this vulnerability, she would gain complete control over the machine. This would allow her to take any desired action on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group. In order to exploit this vulnerability, the attacker would need to already have the ability to execute code on the local system. This means the attacker would need the ability to log onto the machine interactively and run code on the system. By default, unprivileged users cannot interactively log onto NT4 Domain Controllers, and these machines would therefore be at less risk from this vulnerability.

What causes the vulnerability?
The NTLM Security Support Provider (NTLMSSP) service (present on every NT 4.0 system) contains a flaw that could enable a local user account to initiate a specially formed request to the NTLMSSP service that would execute arbitrary code with LocalSystem security privileges. Commands executed with LocalSystem privileges are run with privileges equal to or greater than a local administrator account. With these privileges, the specified commands could take any action on the machine, including adding the locally logged-on user to the local administrators group.

What is NTLMSSP?
The NTLMSSP service handles authentication requests associated with the NTLM protocol. This service operates as part of the NT4 operating system and is enabled by default.

How could an attacker exploit this vulnerability?
She would first need the ability to interactively logon to the machine with valid user credentials. Once logged in, she would need to be able to copy custom code to the machine, and/or execute this code from a floppy disk or CD-ROM on the local machine. The custom code would need to contain specifically formatted commands to initiate communication with the NTLMSSP service and execute the arbitrary code of her choice.

What could the attacker if she exploited this vulnerability?
An attacker could use this vulnerability to run any code she wanted in the LocalSystem context - that is, as the operating system itself. This would allow her to take any desired action on the machine.

Could this vulnerability be executed remotely?
No. The attacker's program would need to run locally on the machine. This means that the attacker would need the ability to log onto the machine interactively and start his program. This is an important point, because, if normal security restrictions are observed, unprivileged users will not be able to log onto critical machines such as servers, and would as a result be unable to attack them.

Is this vulnerability present in Windows 2000? What about Windows NT 4.0 systems that were updgraded to Windows 2000?
The NTLMSSP service in Windows 2000 is not vulnerable to this flaw. Systems that were upgraded from NT 4.0 to Windows 2000 are also not susceptible to this flaw.

What does the patch do?
The patch causes the requests at issue here to be correctly treated as invalid.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Windows NT 4.0 Workstation, Server, or Server, Enterprise Edition Service Pack 6a or Windows NT 4.0 Server, Terminal Server Edition, Service Pack 6.

Inclusion in future service packs:

The fix for this issue will be included in Windows NT 4.0 Service Pack 7.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q280119.

  • To verify the individual files, consult the file manifest in Knowledge Base article Q280119.




Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:


  • Microsoft Knowledge Base article Q280119 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.


The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


  • V1.0 (February 07, 2001): Bulletin Created.
  • V1.1 (July 10, 2003): Corrected links to Windows Update in Additional Information.

Built at 2014-04-18T13:49:36Z-07:00