CVE-2000-0070 in Windows
Summary
by MITRE
NtImpersonateClientOfPort local procedure call in Windows NT 4.0 allows local users to gain privileges, aka "Spoofed LPC Port Request."
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/19/2025
The vulnerability described in CVE-2000-0070 represents a critical privilege escalation flaw in Windows NT 4.0 operating systems that exploits the local procedure call mechanism within the Named Pipe Local Procedure Call (LPC) subsystem. This vulnerability specifically targets the NtImpersonateClientOfPort function which is responsible for impersonating client processes when handling local procedure calls between processes in the Windows kernel. The flaw allows local attackers to manipulate the LPC port request mechanism to impersonate privileged processes and execute code with elevated privileges, effectively bypassing the operating system's security model.
The technical implementation of this vulnerability stems from improper validation of client authentication within the LPC port communication framework. When a process attempts to impersonate a client through the NtImpersonateClientOfPort function, the Windows NT kernel fails to adequately verify the legitimacy of the client request, allowing malicious code to forge LPC port requests and assume the identity of privileged processes. This occurs because the kernel does not properly validate the security context of incoming requests or enforce proper access controls during the impersonation process, creating an exploitable gap in the kernel's security architecture.
From an operational perspective, this vulnerability presents a severe threat to Windows NT 4.0 systems as it allows local users to escalate their privileges from standard user level to system level without requiring any special authentication mechanisms. Attackers can leverage this flaw to execute arbitrary code with the highest privileges available within the system, potentially leading to complete system compromise. The impact extends beyond simple privilege escalation as it enables attackers to modify system files, install malware, create new user accounts, and access sensitive data that would normally be protected from standard user access. This vulnerability particularly affects enterprise environments where Windows NT 4.0 servers may still be operational, making them attractive targets for attackers seeking persistent access.
The vulnerability aligns with CWE-264, which addresses permissions, privileges, and access control issues in software systems, specifically focusing on inadequate privilege checking mechanisms. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques under T1068, where adversaries leverage flaws in operating system security to gain elevated privileges. The attack pattern involves the use of local system access to manipulate kernel-level functions and exploit trust relationships between system components. Organizations should implement immediate mitigations including applying Microsoft security patches, disabling unnecessary services, restricting local user access to critical system components, and monitoring for suspicious LPC port activity. System administrators should also consider implementing additional security controls such as mandatory access controls and privilege separation mechanisms to reduce the attack surface and limit potential damage from exploitation attempts.