[13005] in bugtraq


Re: Windows NT LSA Remote Denial of Service

daemon@ATHENA.MIT.EDU (Jordan Ritter)
Fri Dec 17 12:01:31 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSF.4.05.9912162007300.96101-100000@mail.us.netect.com>
Date:         Thu, 16 Dec 1999 20:28:06 -0500
Reply-To: Jordan Ritter <jpr5@BOS.BINDVIEW.COM>
From: Jordan Ritter <jpr5@BOS.BINDVIEW.COM>
X-To:         NAI Labs <seclabs@nai.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <000901bf4822$263cccf0$4d2f45a1@jmagdych.na.nai.com>

On Thu, 16 Dec 1999, NAI Labs wrote:

# This new vulnerability affects all Windows NT 4.0 hosts including
# those with Service packs up to and including SP6a.

[...]

# causing the LSA process to reference invalid memory resulting in an
# application error.

I wouldn't really call this a "new" vulnerability at all.  BindView's
advisory on a previously discovered remote vulnerability in the LSA
(Phantom), released 6 months ago:

http://www.bindview.com/security/advisory/phantom_a.html

is essentially the same thing -- NAI just uses a different syscall.

I suspect that there are more than just a few vulnerabilities of this
nature still lurking in the LSA, nay, in the NT API.  It would be
interesting to see someone write a sort of LSA or Win32 API "fuzz".  It
would probably turn up a surprising number of problems, although maybe not
so surprising to some of us.

# http://www.microsoft.com/downloads/release.asp?ReleaseID=16798
# http://www.microsoft.com/downloads/release.asp?ReleaseID=16799

The readership should note that while the above URLs reference patches
for the Syskey weak encryption vulnerability, resulting from a recently
released BindView advisory
(http://www.bindview.com/security/advisory/adv_WinNT_syskey.html), the
patch itself already included fixes for this particular DoS.  This is
mentioned in the Security Bulletin, I believe.


Jordan Ritter
RAZOR Security
BindView Corporation
