REPOST: A damaging local DoS in WinNT SP6a

From: hypoclear (hypoclearat_private)
Date: Fri Aug 03 2001 - 11:29:20 PDT


    Before reading below, note that this is only possible with write access to the winnt/system32 directory. As many have told me already today, if that dir is open to read access there are many more problems... I have found that many corporate/school/etc. networks which run WinNT leave the system32 directory open. Maybe the issue really isn't what I have presented; however, I thought this particular vulnerability was fixed after SP4. Now apparently, instead of allowing anyone access to the system, it trashes it. The program NT4ALL has been available for a few years...
    
    I'm only bringing this to light because I think it could pose a threat to many networks which run NT. If anyone disagrees then just disregard.
    
    
    The attached advisory can also be found at:
    http://hypoclear.cjb.net/hypo_nt_dos.txt
    
    
    ---
    
    [[:hypoclear security advisory:]]
    
    
    Vendor   :  Microsoft | http://www.microsoft.com
    Product  :  Windows NT SP6a (and lower?)
    Category :  Local DoS
    Date     :  08-03-01
    
    
    CONTENTS
    1. Overview
    2. Details
    3. Exploit
    4. Possible Solution
    5. Vendor Response
    6. Credits
    7. Contact
    8. Disclaimer
    
    
    1. Overview:
    
    WindowsNT SP6a is subject to a local Denial of Service (DoS) attack upon running "NT4ALL". This particular vulnerability has the potential to permanently damage the workstation/server, because no users are able to "log on" to the computer after NT4ALL is run.
    
    
    
    2. Details:
    
    NT4ALL is a program written by 9 (nine1001at_private) and was originally an exploit against WindowsNT SP4. Its goal is to "Let all the users logon into the NT machine with any password they type from the local NT machine or from other computers in the same domain." It has been available publicly for a few years.
    
    When running NT4ALL, the user (with write access to /winnt/system32) can put the computer into either NT4ALL's "SPECIAL" or "NORMAL" mode. Putting a WindowsNT machine running SP6a into SPECIAL mode and rebooting causes the machine to not allow anyone (including Administrators) access to the computer.
    
    No logins are allowed because the NT system service "lsass.exe" crashes every time the machine is rebooted and the login window pops up.
    
    After attempting to repair the computer with the WindowsNT cd-rom, the machine would allow logins; however, the machine ran EXTREMELY slow. All available CPU ticks were being consumed by "SERVICES.EXE" and "lsass.exe".
    
    NOTE: ***If testing this vulnerability it is highly recommended that you backup all your data or test on an unused machine. In all my tests, after running NT4ALL the computer will be virtually useless!***
    
    This vulnerability has the potential to be very harmful, because NT4ALL can run quite invisibly, and if the payload is attached to a self-replicating email (like many macro viruses), it could render a mass of workstations useless.
    
    Here are links to download NT4ALL from Packet Storm Security:
    
    Newer version of NT4ALL:
    http://packetstormsecurity.org/NT/hack/nt4all-101.zip
    
    Original version of NT4ALL:
    http://packetstormsecurity.org/NT/hack/nt4all.zip
    
    (All tests were done with the original version of NT4ALL.)
    
    
    
    3. Exploit
    
    Run NT4ALL once (should put the machine in SPECIAL mode).
    Note: You can run NT4ALL with the /t option to verify that SPECIAL mode is on.
    Reboot.
    The computer will no longer allow ANYONE (including administrators) to log in.
    The problem does not seem to be reversed no matter how many reboots are attempted.
    
    If attempting to repair the OS with the Windows NT cdrom, the computer will allow for logins, but run VERY slow. (All CPU ticks are taken by SERVICES.EXE and lsass.exe.)
    
    
    
    4. Possible Solution
    
    Disable write access to the winnt/system32/ directory for all users except the Administrator, until a vendor solution is provided.
    
    
    
    5. Vendor Response
    
    07-19-01: Problem sent to the Microsoft Security Response Center (MSRC), securityat_private
              They responded to the problem within a few hours.
    
    07-23-01: After a few days of communication with MSRC, they suggested I send the problem to Microsoft
              Product Support Services (MPSS) because it is more of a stability issue.
              I sent the issue to MPSS via the URL http://support.microsoft.com/directory/feedback/entry.asp,
              as suggested by MSRC.
    
    07-30-01: After no response from MPSS, I resent the problem and stated that I planned to release an advisory
              on the problem within the next few days.
    
    08-03-01: No response has been received from MPSS, so this advisory is being released.
    
    An attempt has also been made to contact 9 about the NT4ALL program, after my original discovery, but he (she?) did not respond.
    
    
    
    
    6. Credits
    
    Actual credit here goes to 9, because he (she?) wrote the NT4ALL program. All I did was be stupid enough to run it and screw up one of my systems ;-)
    
    
    
    7. Contact
    
    Advisory written by hypoclear.
    email     : hypoclearat_private
    home page : http://hypoclear.cjb.net
    
    
    
    8. Disclaimer
    
    This advisory remains the property of hypoclear.
    This advisory can be freely distributed in any form.
    If this advisory is distributed it must remain in its entirety.
    Hypoclear is not responsible for any use/misuse of this advisory.
    
    This and all of hypoclear's releases fall under his disclaimer, which can be found at:
    http://hypoclear.cjb.net/hypodisclaim.txt
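The precondition named throughout the advisory, and the mitigation in section 4, both come down to one question: which non-administrative principals can write into winnt/system32? The script below is an added example, not part of the original post or of NT4ALL; it parses the text that NT's `cacls <dir>` command prints and flags ACEs that give Everyone, Users or similar broad groups Write/Change/Full Control (or "special access" containing a write right). The sample `cacls` outputs are constructed for the example, the list of "broad" principals is an assumption to adjust per site, and the parser assumes the audited path contains no spaces.

```python
"""Audit `cacls` output for broad write access on a directory such as %SystemRoot%\\system32.

Added example, not part of the original advisory. It flags the condition the
advisory depends on: a non-admin group able to write into winnt/system32.
"""
import re
from typing import Dict, List

# Well-known groups that should not hold write access on system32 (assumption; adjust per site).
BROAD_PRINCIPALS = {
    "everyone", "users", "builtin\\users", "authenticated users",
    "nt authority\\authenticated users", "interactive", "nt authority\\interactive",
}

# cacls letter permissions: N none, R read, W write, C change, F full control.
WRITE_CAPABLE = {"W", "C", "F"}

# Individual rights cacls prints under "(special access:)" that allow modification.
WRITE_RIGHTS = {
    "GENERIC_WRITE", "GENERIC_ALL", "FILE_GENERIC_WRITE", "FILE_WRITE_DATA", "FILE_ADD_FILE",
    "FILE_APPEND_DATA", "FILE_ADD_SUBDIRECTORY", "FILE_WRITE_EA", "FILE_WRITE_ATTRIBUTES",
    "DELETE", "WRITE_DAC", "WRITE_OWNER",
}

# One ACE as cacls prints it: "<account>:[(OI)(CI)...]<letter>" or "<account>:(special access:)".
# The (OI)(CI) inheritance flags are optional so output with or without them parses.
ACE_RE = re.compile(
    r"^(?P<account>[^:]+?):(?P<flags>(?:\([A-Z]{2}\))*)"
    r"(?P<perm>[NRWCF]|\(special access:\))\s*$"
)


def parse_cacls(output: str) -> List[Dict]:
    """Turn cacls output into a list of {path, account, flags, perm, rights} dicts."""
    entries: List[Dict] = []
    path = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # First line carries the path followed by the first ACE (assumes no spaces in the path).
            path, _, line = line.partition(" ")
        m = ACE_RE.match(line)
        if m:
            perm = "special" if m.group("perm").startswith("(") else m.group("perm")
            entries.append({"path": path, "account": m.group("account").strip(),
                            "flags": m.group("flags"), "perm": perm, "rights": []})
        elif entries and entries[-1]["perm"] == "special" and ":" not in line:
            # Indented right names listed beneath a "(special access:)" ACE.
            entries[-1]["rights"].append(line)
        # Anything else (e.g. "processed dir:" status lines) is ignored.
    return entries


def write_capable(entry: Dict) -> bool:
    """True if the ACE lets its account modify the directory contents."""
    if entry["perm"] in WRITE_CAPABLE:
        return True
    if entry["perm"] == "special":
        return any(r in WRITE_RIGHTS for r in entry["rights"])
    return False


def audit(output: str) -> List[str]:
    """Return one finding per broad principal that can write to the audited directory."""
    findings = []
    for e in parse_cacls(output):
        if e["account"].lower() in BROAD_PRINCIPALS and write_capable(e):
            findings.append(f"{e['account']} has {e['perm']} on {e['path']}")
    return findings


# Constructed sample: the permissive layout the advisory assumes (Everyone holds Change).
SAMPLE_OPEN = "\n".join([
    r"C:\WINNT\system32 Everyone:(OI)(CI)C",
    r"                  BUILTIN\Administrators:(OI)(CI)F",
    r"                  NT AUTHORITY\SYSTEM:(OI)(CI)F",
])

# Constructed sample: Everyone reduced to Read, Users holding read-only special access.
SAMPLE_TIGHT = "\n".join([
    r"C:\WINNT\system32 Everyone:(OI)(CI)R",
    r"                  BUILTIN\Users:(OI)(CI)(special access:)",
    r"                                READ_CONTROL",
    r"                                SYNCHRONIZE",
    r"                                FILE_GENERIC_READ",
    r"                                FILE_GENERIC_EXECUTE",
    r"                  BUILTIN\Administrators:(OI)(CI)F",
    r"                  NT AUTHORITY\SYSTEM:(OI)(CI)F",
])

if __name__ == "__main__":
    for name, sample in (("open", SAMPLE_OPEN), ("tight", SAMPLE_TIGHT)):
        print(name, audit(sample) or "no broad write access")
```

On a live system, feed it the real output (`cacls %SystemRoot%\system32 > acl.txt`) and read `acl.txt` into `audit()`. A finding such as "Everyone has C" is exactly what section 4 asks you to remove; `cacls %SystemRoot%\system32 /E /P Everyone:R` edits the existing ACL and replaces Everyone's entry with Read, leaving Administrators and SYSTEM untouched. Re-run the audit afterwards, and check the special-access rights list rather than just the letter, since a "(special access:)" entry that includes FILE_WRITE_DATA is still a write grant.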
    



    This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 14:57:06 PDT