[20578] in bugtraq
def-2001-24: Windows 2000 Kerberos DoS
daemon@ATHENA.MIT.EDU (Peter Gründl)
Wed May 9 11:07:11 2001
Date: Wed, 9 May 2001 10:41:37 +0200
Reply-To: Peter Gründl <peter.grundl@DEFCOM.COM>
From: Peter Gründl <peter.grundl@DEFCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
========================================================================
Defcom Labs Advisory def-2001-24
Windows 2000 Kerberos DoS
Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2001-05-09
========================================================================
------------------------=[Brief Description]=-------------------------
The Kerberos service and the Kerberos password (kpasswd) service contain a
flaw that could allow a malicious attacker to cause a Denial of Service on
the Kerberos service, thereby making all domain authentication impossible.
------------------------=[Affected Systems]=--------------------------
- Windows 2000 Server
- Windows 2000 Advanced Server
- Windows 2000 Datacenter Server
----------------------=[Detailed Description]=------------------------
By creating a connection to the Kerberos service and then disconnecting
again without reading from the socket, the LSA subsystem leaks memory.
After about 4000 such connections the Kerberos service stops accepting
connections on TCP ports 88 (kerberos) and 464 (kpasswd), and all domain
authentication effectively dies (if the target was a domain controller).
A reboot is required to recover from the attack.
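As an added illustration of the detection side (example code added here, not part of the advisory and not Defcom Labs' code), the following Python script scans a connection log for the pattern the advisory describes: many TCP connections to port 88 or 464 that one source opens and closes without sending anything. The log format, the sample records, the source addresses and the 50-connections-per-minute threshold are all constructed assumptions for this example; adapt the regex to whatever your firewall or flow collector actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports named in the advisory: 88 (kerberos) and 464 (kpasswd), both TCP.
KERBEROS_PORTS = {88, 464}

# Hypothetical connection-log format (an assumption for this example, not a
# real product's format): one CLOSE record per finished TCP connection, with
# the number of bytes the server received from the client during it.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) CLOSE "
    r"src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) proto=tcp "
    r"bytes_in=(?P<bytes_in>\d+) duration_ms=\d+$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line; return a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "src": m["src"],
        "dport": int(m["dport"]),
        "bytes_in": int(m["bytes_in"]),
    }


def find_connection_floods(lines, window=timedelta(seconds=60), threshold=50):
    """Flag sources that close at least `threshold` zero-byte TCP connections to
    a Kerberos port within `window`. Returns one (src, dport, count, first_ts)
    tuple per flagged (src, dport) pair, in the order they crossed the threshold.

    Only connections where the client sent nothing (bytes_in == 0) count: a real
    Kerberos client sends a request, so a burst of empty connections is the
    connect-and-drop pattern from the advisory, not normal authentication."""
    recent = defaultdict(deque)   # (src, dport) -> timestamps inside the window
    alerts, alerted = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in KERBEROS_PORTS or rec["bytes_in"] != 0:
            continue
        key = (rec["src"], rec["dport"])
        q = recent[key]
        q.append(rec["ts"])
        # Sliding window: drop timestamps older than `window` before counting.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], len(q), q[0]))
    return alerts


def build_sample_log():
    """Constructed sample log (not captured from a real system) mixing normal
    authentication traffic with a burst of empty connections to port 88."""
    base = datetime(2001, 5, 9, 10, 40, 0)

    def rec(offset_s, src, dport, bytes_in):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return (f"{ts} CLOSE src={src} dst=10.45.0.1 dport={dport} proto=tcp "
                f"bytes_in={bytes_in} duration_ms=5")

    lines = []
    # A workstation doing real logons: every connection carries a request.
    lines += [rec(10 * i, "10.45.0.20", 88, 1432) for i in range(6)]
    # The pattern from the advisory: connections closed without sending
    # anything, two per second for 30 seconds, all from one source.
    lines += [rec(i / 2, "10.45.0.104", 88, 0) for i in range(60)]
    # A few empty connections to kpasswd: too few to count as a flood.
    lines += [rec(5 * i, "10.45.0.31", 464, 0) for i in range(8)]
    # Empty connections to an unrelated port are ignored by the detector.
    lines += [rec(i, "10.45.0.77", 445, 0) for i in range(100)]
    return sorted(lines)


if __name__ == "__main__":
    for src, dport, count, first in find_connection_floods(build_sample_log()):
        print(f"{first:%H:%M:%S} {src} -> tcp/{dport}: {count} empty connections")
```

The threshold is deliberately far below the roughly 4000 connections the advisory says are needed, so an alert fires long before the service stops accepting connections; tune `window` and `threshold` against a baseline of your own domain controllers, since load balancers or monitoring probes that open and drop TCP connections will show up the same way.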
---------------------------=[Workaround]=----------------------------
Disallow access to TCP ports 88 and 464 from untrusted networks and/or
apply the patch located at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS01-024.asp
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 26th of
January, 2001, and the vendor released a patch on the 8th of May.
========================================================================
This release was brought to you by Defcom Labs
labs@defcom.com www.defcom.com
========================================================================