Windows NT LSA Remote Denial of Service

From: NAI Labs (seclabsat_private)
Date: Thu Dec 16 1999 - 16:03:28 PST


    ======================================================================
    
                          Network Associates, Inc.
                            SECURITY ADVISORY
                              December 16, 1999
    
               Windows NT LSA Remote Denial of Service
    
    ======================================================================
    
    SYNOPSIS
    
    An implementation flaw in the Local Security Authority subsystem of
    Windows NT, known as the LSA, allows either local or remote attackers
    to halt the processing of security information, requiring the host to
    be restarted.
    
    
    ======================================================================
    
    VULNERABLE HOSTS
    
    This new vulnerability affects all Windows NT 4.0 hosts, including
    those with service packs up to and including SP6a.
    
    
    ======================================================================
    
    DETAILS
    
    The Local Security Authority is the center of the Windows NT security
    subsystem. The LSA is a user-mode process (LSASS.EXE) that maintains
    the security information of a system, known as the Local Security
    Policy. The Local Security Policy is stored in the registry and
    includes such information as who has permission to access the system,
    who is assigned privileges and what security auditing is performed.
    
    The majority of the security subsystem components run within the
    context of the LSASS process, including the Security Accounts Manager
    (SAM), which is responsible for maintaining the SAM database stored in
    the registry. The LSASS process also hosts the default authentication
    package (MSV1_0.DLL), which determines whether a username and password
    match the information stored in the SAM database.
    
    In addition, other user-mode processes request services from the LSA.
    The logon process (WINLOGON.EXE) uses it to authenticate the usernames
    and passwords entered when interactive users log on and log off, and
    the network logon service (SERVICES.EXE), which responds to network
    logon requests, also relies on the LSA to verify authentication.
    
    Disrupting the Local Security Authority halts almost all user-mode
    security authentication, requiring the Windows NT host to be restarted.
    
    
    ======================================================================
    
    TECHNICAL DETAILS
    
    Windows NT provides the ability to open and manipulate the LSA
    through a series of APIs. To programmatically manage the Local
    Security Policy of a local or remote system, a session is established
    with that system's Local Security Authority. If the session is
    successfully established, an LSA Policy handle is returned for use
    in all subsequent API calls.
    
    One specific API, LsaLookupSids(), uses the LSA to map one or more
    SIDs of user accounts, group accounts, alias accounts or domains to
    names. Invalid arguments passed to this API are incorrectly verified,
    causing the LSA process to reference invalid memory and terminate
    with an application error.
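As an added illustration (not the advisory's or Microsoft's code), the following Python models the argument checks a SID-to-name lookup service must make before it touches caller-supplied data: header length, revision, subauthority count, declared versus actual length, and a bound on the number of SIDs in one request. The advisory does not say which argument was mishandled, so the specific checks and the per-request cap are this example's assumptions, not a description of the flaw.

```python
"""Strict validation of binary SIDs before a name lookup (constructed model)."""
import struct

SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15      # Win32 limit on the subauthority count
MAX_LOOKUP_COUNT = 20000          # assumed per-request cap (not from the advisory)


class InvalidSid(ValueError):
    """Raised instead of dereferencing data the caller never supplied."""


def parse_sid(blob: bytes) -> str:
    """Validate a binary SID and return its S-1-... string form.

    Binary layout: revision (1 byte), subauthority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x uint32
    subauthorities (little-endian).
    """
    if len(blob) < 8:
        raise InvalidSid("SID header truncated")
    revision, count = blob[0], blob[1]
    if revision != SID_REVISION:
        raise InvalidSid(f"unsupported revision {revision}")
    if count == 0 or count > SID_MAX_SUB_AUTHORITIES:
        raise InvalidSid(f"bad subauthority count {count}")
    expected = 8 + 4 * count
    if len(blob) != expected:     # declared count must match the bytes supplied
        raise InvalidSid(f"length {len(blob)} != {expected}")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:expected])
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))


def lookup_sids(sids: list) -> list:
    """Validate every SID in a request before any lookup work is done.

    A real service would resolve names after validation; this model only
    returns the string form of each SID.
    """
    if not 0 < len(sids) <= MAX_LOOKUP_COUNT:
        raise InvalidSid(f"bad SID count {len(sids)}")
    return [parse_sid(s) for s in sids]


# Constructed sample: the well-known local Administrators alias S-1-5-32-544.
ADMINISTRATORS_SID = bytes([1, 2, 0, 0, 0, 0, 0, 5]) + struct.pack("<2I", 32, 544)
```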
    
    
    ======================================================================
    
    RESOLUTION
    
    Microsoft has issued a patch for this vulnerability, which can be
    obtained at the following address:
    
    x86:
    
    http://www.microsoft.com/downloads/release.asp?ReleaseID=16798
    
    Alpha:
    
    http://www.microsoft.com/downloads/release.asp?ReleaseID=16799
    
    
    Microsoft's Security Bulletin for this vulnerability can be found at:
    
    http://www.microsoft.com/security/bulletins/ms99-057.asp
    
    
    Additional information can be found in Microsoft Knowledge Base
    article Q248185, SID Enumeration Function in LSA May Not Handle
    Argument Properly:
    
    http://support.microsoft.com/support/kb/articles/q248/1/85.asp
    
    
    ======================================================================
    
    CREDITS
    
    Discovery and documentation of this vulnerability were conducted
    by Anthony Osborne of the Security Labs at Network Associates.
    
    
    ======================================================================
    
    ABOUT THE NETWORK ASSOCIATES SECURITY LABS
    
    The Security Labs at Network Associates hosts some of the most
    important research in computer security today. With over 30
    security advisories published in the last 2 years, the Network
    Associates security auditing teams have been responsible for the
    discovery of many of the Internet's most serious security flaws.
    This advisory represents our ongoing commitment to provide
    critical information to the security community.
    
    For more information about the Security Labs at Network
    Associates, see our website at http://www.nai.com or contact us
    at <seclabsat_private>.
    
    
    ======================================================================
    
    NETWORK ASSOCIATES SECURITY LABS PGP KEY
    
    