% Advisory: phantom
% Issue date: June 23, 1999
% Contact: Adam Shostack <adamat_private>
% Revision: Initial

[Topic]

The Windows NT LSA can be crashed by a remote attacker.

[Affected Systems]

Windows NT 4 (all service packs to date), Windows 2000. The RestrictAnonymous key is not relevant.

[Overview]

The problem described in this advisory affects systems running Windows NT by crashing the Local Security Authority, rendering the target machine unusable after some period of time. The problem stems from a failure to verify the input to LsaLookupNames. It is made worse by the fact that it can be exploited anonymously: the RestrictAnonymous (1) registry key does not prevent this problem from being exploited.

[Impact]

The LSA is the system component responsible for authenticating users to the system and deciding what access and privileges those users are entitled to. The process that contains the LSA also contains the SAM (Security Accounts Manager) as well as elements of the RPC subsystem, particularly those responsible for launching DCOM servers. Those components will also be unavailable as a result of the crash.

Once the LSA has died, new authentication tokens can no longer be created, so anything that requires creating a new authentication token will no longer function. Examples include:

  o Connecting to the host's network shares.
  o Attempting to log on to the machine.
  o Trying to run User Manager, Event Viewer, or Server Manager against the machine.
  o If the host is a PDC, users will be unable to change their passwords.
  o If the host is running IIS, SQL Server, or other RPC services with NT integrated security, those services will not function properly.
  o Tools which display account names, e.g., ACL editors, will display all accounts as 'Account Unknown'.
  o The user will not be able to shut down the machine by clicking [Start]->Shutdown. They will be told that they do not have permission, even if they actually do. Pressing Ctrl-Alt-Del and selecting Shutdown on that dialog does work.

Some functions will continue to work:

  o Users who are already connected to the host's shares will continue to be able to access files until they disconnect.
  o Services can be started, provided that they are configured to run in the SYSTEM account.
  o Many user applications will function normally.

Under certain conditions the adverse effects may not happen immediately. If the host's exception handling is not configured to run automatically, a dialog box will be displayed on the host, and the system will work normally until the dialog is dismissed. This configuration is normally only found on developers' machines. The registry key that controls this behavior is:

  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug, value "Auto"

Changing this value from the default of "1" to "0" will enable this behavior.

[Solution]

Install the LSA3-fix hotfix from Microsoft to fix this problem. The fix can be downloaded from:

  ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/LSA3-fix/

In addition, BindView suggests the use of a firewall to prevent any connections to NetBIOS ports from untrustworthy sources.

[Notes]

1. As documented in MS Knowledge Base article Q143474, setting:

     Hive:  HKEY_LOCAL_MACHINE\SYSTEM
     Key:   System\CurrentControlSet\Control\LSA
     Name:  RestrictAnonymous
     Type:  REG_DWORD
     Value: 1

   can restrict many of the anonymous (null) SMB connections. We strongly suggest using it.

2. This issue is also referenced in MS99-20.
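The following PowerShell script is an added example, not part of the BindView advisory, that audits a host against the hardening points the advisory makes: the RestrictAnonymous value from Note 1, the AeDebug "Auto" value that can mask the crash, and whether the NetBIOS/SMB ports the firewall recommendation refers to are listening. It assumes an elevated session on a modern Windows host (Get-NetTCPConnection needs Windows 8 / Server 2012 or later); the function name Test-LsaAdvisorySettings and the port list 139/445 are the example's own choices, the ports being the standard NetBIOS-session and SMB ports rather than numbers taken from the advisory. It does not and cannot confirm that the LSA3-fix hotfix is installed.

```powershell
# Added example (not from the advisory): audit the registry and port settings
# the advisory discusses. Assumes an elevated PowerShell session on the host.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns the named registry value, or $null if the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-LsaAdvisorySettings {
    $findings = @()

    # Advisory Note 1: RestrictAnonymous = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    # limits anonymous (null-session) SMB connections. The advisory says it does
    # not stop this particular crash, but still recommends it.
    $restrict = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RestrictAnonymous'
    if ($null -eq $restrict -or [int]$restrict -lt 1) {
        $findings += 'RestrictAnonymous is missing or 0; advisory Note 1 recommends REG_DWORD 1.'
        # Remediation (uncomment to apply):
        # Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous -Type DWord -Value 1
    }

    # AeDebug\Auto = "0" (REG_SZ) makes a crashing process wait on a debugger
    # dialog, so an LSA crash would look like a hang rather than fail visibly.
    # Production hosts should keep the default "1".
    $auto = Get-RegValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug' 'Auto'
    if ($auto -eq '0') {
        $findings += 'AeDebug\Auto is "0"; an LSA crash would stall on a debugger prompt (default is "1").'
    }

    # Firewall recommendation: NetBIOS/SMB listeners should not be reachable from
    # untrusted networks. 139 (NetBIOS session) and 445 (SMB) are the example's
    # assumed ports; the advisory itself names no port numbers.
    $smbPorts = 139, 445
    foreach ($port in $smbPorts) {
        $listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        if ($listener) {
            $findings += "TCP port $port is listening; confirm a firewall blocks it from untrusted sources."
        }
    }

    return $findings
}

# Usage: run the audit and print one line per finding.
$result = @(Test-LsaAdvisorySettings)
if ($result.Count -eq 0) {
    Write-Output 'All checked settings match the advisory recommendations.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script reports rather than changes settings by default; the Set-ItemProperty line is left commented so an administrator can apply the RestrictAnonymous recommendation deliberately after reviewing which clients still depend on anonymous SMB access.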
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:50:39 PDT