Re: [PEN-TEST] Cybercop

From: Nelson Brito (nelsonat_private)
Date: Tue Apr 10 2001 - 11:34:34 PDT


    Avi Drabkin wrote:
    >
    > Has anyone experienced Cybercop crashing the LSASS.EXE service on NT 4.0
    > SP6a?
    >
    > When we were running Cybercop to test for vulnerabilities it inadvertently
    > crashed every server's LSASS.EXE service rendering the machine unable to
    > perform any authentication as well as the inability to even shut it down.
    >
    > Just wondering if anyone has experienced this sort of problem??
    
    Take a look at CyberCop's Module Configuration Dialog:
    Module Groups    -> ID: 8000 / Name: Denial of Service Attacks
    Module Selection -> ID: 8034 / Name: Windows NT - LSASS.EXE Denial of Service
    
    <QUOTE>
    8034 Windows NT - LSASS.EXE Denial of Service
    
    Risk Factor: High
    Complexity: Medium
    Fixease: Moderate
    Popularity: Widespread
    Rootcause: Implementation
    Impact: Availability
    
    Verbose Description:
    A vulnerability within the LSASS.EXE process on Windows NT systems
    allows for a denial of service attack, which causes an Access Violation
    in LSASS.EXE.  This denial of service causes the LSASS.EXE process to
    stop running, preventing logons from the console, as well as preventing
    Event Viewer and Server Manager from operating.
    
    
    Security Concerns:
    Malicious users can launch this denial of service attack against your
    Microsoft Windows NT system.
    Warning:
    If this vulnerability was found on the target host, this means that
    the CyberCop Scanner Security Auditing System successfully performed this
    denial of service attack.  Please reboot the target server immediately
    for it to function properly.
    
    
    Suggestion:
    This issue has been resolved in Service Pack 6a.  The Service Pack can be
    downloaded from:
    http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/
    
    
    References:
    The following Microsoft Knowledge Base articles provide more detailed
    information on this vulnerability:
    Q154087 - Access Violation in LSASS.EXE Due to Incorrect Buffer Size
     http://support.microsoft.com/support/kb/articles/Q154/0/87.ASP
    Q228467 - Access Violation in Lsass.exe When Passing a Null Pointer
     http://support.microsoft.com/support/kb/articles/Q228/4/67.ASP
    
    </QUOTE>
    
    Hope this helps.
    
    > Thanks
    
    Nothing further,
    --
    # Nelson Brito <nelsonat_private>
    # Security Analyst and Penetration Tester
    # Security Networks AG - The trust Company!
    #
    # Usage: cat <file> | perl signature.pl
    foreach(<STDIN>){chop;split(//,$_);print reverse @_;print "\n";}
    



    This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 20:22:16 PDT