Re: [PEN-TEST] Cybercop

From: Nelson Brito (nelsonat_private)
Date: Tue Apr 10 2001 - 11:34:34 PDT

Next message: Alfredo Andrés Omella: "[PEN-TEST] SING"

Previous message: Cjk Jempi: "Re: [PEN-TEST] Web site password guessing over SSL"
In reply to: Avi Drabkin: "[PEN-TEST] Cybercop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Avi Drabkin wrote:
>
> Has anyone experienced Cybercop crashing the LSASS.EXE service on NT 4.0
> SP6a?
>
> When we were running Cybercop to test for vulnerabilities it inadvertently
> crashed every servers LSASS.EXE service rendering the machine unable to
> perform any authentication as well as the inability to even shut it down.
>
> Just wondering if anyone has experienced this sort of problem??

Take a look at CyberCop's Module Configuration Dialog:
Module Groups    -> ID: 8000 / Name: Denial of Service Attacks
Module Selection -> ID: 8034 / Name: Windows NT - LSASS.EXE Denial of Service

<QUOTE>
8034 Windows NT - LSASS.EXE Denial of Service

Risk Factor: High
Complexity: Medium
Fixease: Moderate
Popularity: Widespread
Rootcause: Implementation
Impact: Availability

Verbose Description:
A vulnerability within the LSASS.EXE process on Windows NT systems
allows for a denial of service attack, which causes an Access Violation
in LSASS.EXE.  This denial of service causes the LSASS.EXE process to
stop running, preventing logons from the console, as well as preventing
Event Viewer and Server Manager from operating.

Security Concerns:
Malicious users can launch this denial of service attack against your
Microsoft Windows NT system.
Warning:
If this vulnerability was found on the target host, this means that
the CyberCop Scanner Security Auditing System successfully performed this
denial of service attack.  Please reboot the target server immediately
for it to function properly.

Suggestion:
This issue has been resolved in Service Pack 6a.  The Service Pack can be
downloaded from:
http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/

References:
The following Microsoft Knowledge Base articles provide more detailed
information on this vulnerability:
Q154087 - Access Violation in LSASS.EXE Due to Incorrect Buffer Size
 http://support.microsoft.com/support/kb/articles/Q154/0/87.ASP
Q228467 - Access Violation in Lsass.exe When Passing a Null Pointer
 http://support.microsoft.com/support/kb/articles/Q228/4/67.ASP

</QUOTE>

Hope this help.

> Thanks

Sem mais,
--
# Nelson Brito <nelsonat_private>
# Security Analyst and Penetration Tester
# Security Networks AG - The trust Company!
#
# Usage: cat <file> | perl signature.pl
foreach(<STDIN>){chop;split(//,$_);print reverse @_;print "\n";}

Next message: Alfredo Andrés Omella: "[PEN-TEST] SING"
Previous message: Cjk Jempi: "Re: [PEN-TEST] Web site password guessing over SSL"
In reply to: Avi Drabkin: "[PEN-TEST] Cybercop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 20:22:16 PDT