[7907] in bugtraq
Warning: LSASS.EXE problems
daemon@ATHENA.MIT.EDU (Aleph One)
Tue Sep 8 13:00:39 1998
Date: Tue, 8 Sep 1998 11:39:33 -0500
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
---------- Forwarded message ----------
Date: Mon, 7 Sep 1998 16:07:00 +0100
From: Mnemonix <mnemonix@globalnet.co.uk>
To: ntsecurity@iss.net
Subject: [NTSEC] Warning: LSASS.EXE problems
TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------
LSASS.EXE demonstrates a number of problems that can be exploited through a
null session causing a Denial of Service attack.
The LSA can only handle 2048 open SAMR pipes. What's more garbage can be
written to the pipe that causes lsass.exe to begin eating all available
memory.
An attacker could open 2048 SAMR pipes and then fill the last with garbage.
The consequences of this means that no-one can log on and the server, as
memory becomes scarce begins to droop and slow with the LSA eventually not
being able to keep track of open resources (see "In Use" from server
manager) and processor usage raises c.65% from base level.
This affects NT Server 4, NT Workstation 4 upto sp3.
To demonstrate this problem I have created an executable called ubend.exe
(pun on pipes and abend [cheers Sam Thornton of Diligence]).
This is available for download from
http://www.globalnet.co.uk/~mnemonix/ubend.zip
l8r
Mnemonix
