Re: Windows NT LSA Remote Denial of Service
Subject: Re: Windows NT LSA Remote Denial of Service
From: Jordan Ritter (jpr5 BOS.BINDVIEW.COM)
Date: Thu Dec 16 1999 - 19:28:06 CST
On Thu, 16 Dec 1999, NAI Labs wrote:
# This new vulnerability affects all Windows NT 4.0 hosts including
# those with Service packs up to and including SP6a.
[...]
# causing the LSA process to reference invalid memory resulting in an
# application error.
I wouldn't really call this a "new" vulnerability at all. BindView's
advisory on a previously discovered remote vulnerability in the LSA
(Phantom), released 6 months ago:
http://www.bindview.com/security/advisory/phantom_a.html
is essentially the same thing -- NAI just uses a different syscall.
I suspect that there are more than just a few vulnerabilities of this
nature still lurking in the LSA, nay, in the NT API. It would be
interesting to see someone write a sort of LSA or Win32 API "fuzz". It
would probably turn up a surprising number of problems, although maybe not
so surprising to some of us..
# http://www.microsoft.com/downloads/release.asp?ReleaseID=16798
# http://www.microsoft.com/downloads/release.asp?ReleaseID=16799
The readership should note that while these above urls reference patches
for the Syskey weak encryption vulnerability, resulting from a recently
released BindView advisory
(http://www.bindview.com/security/advisory/adv_WinNT_syskey.html), the
patch itself already included fixes for this particular DoS. This is
mentioned in the Security Bulletin, I believe.
Jordan Ritter
RAZOR Security
BindView Corporation