[22114] in bugtraq
REPOST: A damaging local DoS in WinNT SP6a
daemon@ATHENA.MIT.EDU (hypoclear)
Fri Aug 3 17:58:09 2001
Date: 3 Aug 2001 18:29:20 -0000
Message-ID: <20010803182920.2344.qmail@securityfocus.com>
From: hypoclear <hypoclear@jungle.net>
To: bugtraq@securityfocus.com
Before reading below, note that this is only
possbile with write access to the winnt/system32
directory. As many have told me already today
that if that dir is open to read access there are
many more problems... I have found that in many
corporate/school/etc. networks which run WinNT,
leave the system32 directory open. Maybe the
issue really isn't what I have presented, however
I thought this particular vulnerability was fixed
after SP4. Now apparantly instead of allowing
anyone access to the system, it trashes it. The
program NT4ALL has been available for a few
years...
I'm only bringing this to light, because I think
it could pose as a threat to many networks which
run NT. If anyone disagrees then just disregard.
The attached advisory can also be found at:
http://hypoclear.cjb.net/hypo_nt_dos.txt
---
[[:hypoclear security advisory:]]
Vendor : Microsoft | http://www.microsoft.com
Product : Windows NT SP6a (and lower?)
Category : Local DoS
Date : 08-03-01
CONTENTS
1. Overview
2. Details
3. Exploit
4. Possible Solution
5. Vendor Response
6. Credits
7. Contact
8. Disclaimer
1. Overview:
WindowsNT SP6a is subject to a local Denial of
Service (DoS) attack, upon running "NT4ALL".
This particular vulnerability has the potential to
permanently damage the workstation/server,
because no users are able to "log on" to the
computer after NT4ALL is run.
2. Details:
NT4ALL is a program written by 9
(nine1001@yahoo.com) and was originaly an exploit
against
WindowsNT SP4. It's goal is to "Let all the users
logon into the NT machine with any password
they type from the local NT machine or from other
computers in the same domain." It has been
available publically for a few years.
When running NT4ALL the user (with write access to
/winnt/system32) can either put the computer,
into NT4ALL's "SPECIAL" or "NORMAL" mode. Putting
a WindowsNT machine running SP6a into SPECIAL
mode and rebooting, causes the machine to not
allow anyone (including Adminisrators)
access to the computer.
No login's are allowed because the NT system
service "lsass.exe" crashes everytime the machine
is
rebooted and the login window pops-up.
After attempting to repair the computer with the
WindowsNT cd-rom the machine would allow logins,
however the machine ran EXTREMELY slow. All
available CPU ticks were being consumed by
"SERVICES.EXE" and "lsass.exe".
NOTE: ***If testing this vulnerability it is
highly recommended that you backup all your data
or
test on an unused machine. In all my tests after
running NT4ALL the computer will be virtually
useless!***
This vulnerability has the potential to be very
harmful, because NT4ALL can run quite invisibly,
and if the payload is attached to a
self-replicating email (like many macro virus's),
it could
render a mass of workstations useless.
Here are links to download NT4ALL from Packet
Storm Security:
Newer version of NT4ALL:
http://packetstormsecurity.org/NT/hack/nt4all-101.
zip
Original version of NT4ALL:
http://packetstormsecurity.org/NT/hack/nt4all.zip
(All tests were done with the original version of
NT4ALL)
3. Exploit
Run NT4ALL once (should put the machine in SPECIAL
mode).
Note: You can run NT4ALL with the /t option to
verify that SPECIAL mode is on.
Reboot.
The computer will no longer allow ANYONE
(including administrators) to log in.
The problem does not seem to be reversed no matter
how many reboots are attempted.
If attempting to repair the OS with the Windows NT
cdrom, the computer will allow for
logins, but run VERY slow. (All CPU ticks are
taken by SERVICES.EXE and lsass.exe).
4. Possible Solution
Disable write access to the winnt/system32/
directory for all users except the Adminsitrator,
until a vendor solution is provided.
5. Vendor Response
07-19-01: Problem sent to the Microsoft Security
Response Center (MSRC), security@microsoft.com
They respond to the problem within a few
hours.
07-23-01: After a few days of communication with
MSRC they suggest I sent the problem to Microsoft
Product Support Services (MPSS) because
it is more of a stability issue.
I sent the issue to MPSS via the URL
http://support.microsoft.com/directory/feedback/en
try.asp,
as suggested by MSRC.
07-30-01: After no response from MPSS I resend the
problem and state that I planed to release an
advisory
on the problem within the next few days.
08-03-01: No response has been recieved from MPSS,
so this advisory is being released.
An attempt has also been made to contact 9 about
the NT4ALL program, after my original discovery,
but
he (she?) did not respond.
6. Credits
Actual credit here goes to 9, because he (she?)
wrote the NT4ALL program. All I did was be stupid
enough
to run it and screw up one of my systems ;-)
7. Contact
Advisory written by hypoclear.
email : hypoclear@jungle.net
home page : http://hypoclear.cjb.net
8. Disclaimer
This advisory remains the property of hypoclear.
This advisory can be freely distributed in any
form.
If this advisory is distributed it must remain in
its entirety.
Hypoclear is not responsible of any use/misuse of
this advisory.
This and all of hypoclear's releases fall under
his disclaimer,
which can be found at:
http://hypoclear.cjb.net/hypodisclaim.txt
