Warning: LSASS.EXE problems

From: Aleph One (aleph1at_private)
Date: Tue Sep 08 1998 - 09:39:33 PDT


    ---------- Forwarded message ----------
    Date: Mon, 7 Sep 1998 16:07:00 +0100
    From: Mnemonix <mnemonixat_private>
    To: ntsecurityat_private
    Subject: [NTSEC] Warning: LSASS.EXE problems
    
    
    
    LSASS.EXE demonstrates a number of problems that can be exploited through a
    null session causing a Denial of Service attack.
    
    The LSA can only handle 2048 open SAMR pipes. What's more, garbage can be
    written to the pipe that causes lsass.exe to begin eating all available
    memory.
    An attacker could open 2048 SAMR pipes and then fill the last with garbage.
    The consequence of this is that no-one can log on and the server, as
    memory becomes scarce, begins to droop and slow, with the LSA eventually not
    being able to keep track of open resources (see "In Use" from server
    manager), and processor usage rises c. 65% from base level.
    
    This affects NT Server 4, NT Workstation 4 up to SP3.
    
    To demonstrate this problem I have created an executable called ubend.exe
    (pun on pipes and abend [cheers Sam Thornton of Diligence]).
    This is available for download from
    http://www.globalnet.co.uk/~mnemonix/ubend.zip
    
    l8r
    
    Mnemonix
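
Added example (not part of the original post and not the author's tool): a defender-side check that replays pipe open/close events and flags a source whose concurrent null-session SAMR pipes climb toward the 2048 limit given above. The log line format, the `ANONYMOUS` label and the 25% alert threshold are assumptions; the sample log is constructed.

```python
from collections import Counter

SAMR_PIPE_LIMIT = 2048   # concurrent SAMR pipe limit stated in the advisory
ALERT_FRACTION = 0.25    # assumption: alert at a quarter of the limit
NULL_USER = "ANONYMOUS"  # assumption: how the log labels a null session

def parse_event(line):
    """Parse '<ts> <src> <user> <OPEN|CLOSE> <pipe>'; return None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[3] not in ("OPEN", "CLOSE"):
        return None
    ts, src, user, action, pipe = parts
    return ts, src, user, action, pipe.lower()

def detect_samr_exhaustion(lines, limit=SAMR_PIPE_LIMIT, fraction=ALERT_FRACTION):
    """Return one alert per source whose concurrent null-session SAMR pipes
    reach limit*fraction, plus the peak total of open SAMR pipes."""
    threshold = int(limit * fraction)
    open_anon = Counter()          # source -> concurrent anonymous SAMR pipes
    total_open = peak_total = 0    # all SAMR pipes, any user (limit is global)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev[4] != r"\pipe\samr":
            continue
        ts, src, user, action, _ = ev
        step = 1 if action == "OPEN" else -1
        # A CLOSE whose OPEN predates the log must not drive counts negative.
        total_open = max(0, total_open + step)
        peak_total = max(peak_total, total_open)
        if user == NULL_USER:
            open_anon[src] = max(0, open_anon[src] + step)
            if open_anon[src] >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"ts": ts, "src": src, "open": open_anon[src],
                               "remaining": limit - total_open})
    return alerts, peak_total

def sample_log():
    """Constructed sample: one noisy source, two well-behaved ones."""
    log = ["t0 10.0.0.9 ANONYMOUS CLOSE \\pipe\\samr",      # OPEN not in log
           "t1 10.0.0.7 CORP\\alice OPEN \\PIPE\\samr",
           "t2 10.0.0.9 ANONYMOUS OPEN \\pipe\\samr",
           "t3 10.0.0.9 ANONYMOUS CLOSE \\pipe\\samr",
           "garbled line"]
    log += [f"t{4 + i} 10.0.0.5 ANONYMOUS OPEN \\pipe\\samr" for i in range(600)]
    return log
```

The `remaining` field in each alert is the headroom left before the global limit, which is the number an operator needs when deciding how urgently to cut the source off.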
    


