----- Forwarded message from "Galipeau, William" <William.Galipeauat_private> -----

Date: Thu, 12 Aug 1999 17:28:48 -0400
From: "Galipeau, William" <William.Galipeauat_private>
Subject: FW: Vulnerability In LSA on Windows NT SP5
To: NTBUGTRAQat_private

I inadvertently sent this to the wrong address. My apologies.

-----Original Message-----
From: Galipeau, William
Sent: Thursday, August 12, 1999 10:15 AM
To: russ.cooperat_private
Subject: Vulnerablity In LSA on Windows NT SP5

Russ,

A few months ago I found a vulnerability in NT 4.0 configured with SP5. I downloaded a trial copy of Network Associates Cyber Cop version 5.0. I ran a scan using all the Denial of Service based attack options. All failed but one: the "Windows NT- LSASS.EXE Denial of Service attack." When you run a scan on an NT 4.0 machine configured with SP5 (with or without the LSA3 hot fix) utilizing this option, the target machine will lock, not allowing users to authenticate to the server remotely or locally. The only way to correct the problem is to physically reboot the server.

Also, to make matters worse, the audit logs on the target server do not illustrate where the attacks were launched from. Because Cyber Cop allows you to run this scan on any IP or any host of IPs, an intruder could attack a large base of servers in a relatively short amount of time without leaving a reliable audit trail.

I reported this issue to Microsoft on 6/23/99 (I have an incident number). I have been following up with Microsoft, but they have been reluctant to provide much detail on the issue. Hopefully you can help motivate them.

Thanks

----- End forwarded message -----