
List:       bugtraq
Subject:    Phantom (NT LSA DOS)
From:       Adam Shostack <adam () netect ! com>
Date:       1999-06-23 12:26:58

% Advisory: phantom
% Issue date: June 23, 1999
% Contact: Adam Shostack <adam@bindview.com>
% Revision: Initial


[Topic]

	 The Windows NT LSA can be crashed by a remote attacker.

[Affected Systems]

	Windows NT 4 (all service packs to date), Windows 2000.  The
RestrictAnonymous key is not relevant.

[Overview]

	The problem pointed out in this advisory affects systems
running Windows NT by crashing the Local Security Authority, rendering
the target machine unusable after some period of time.

	The problem stems from a failure to verify the input to
LsaLookupNames.  It is made worse by the fact that it can be
anonymously exploited.  The RestrictAnonymous (1) registry
key does not prevent this problem from being exploited.


[Impact]

	The LSA is the system component responsible for authenticating
users to the system, and deciding what access and privilege the users
are entitled to.  The same process that contains the LSA also contains
the SAM (Security Accounts Manager), as well as elements of the RPC
subsystem, particularly those responsible for launching DCOM servers.
Those components will also be unavailable as a result of the crash.

Once the LSA has died, new authentication tokens can no longer be
created.  Anything that requires creating new authentication tokens
will no longer function.  Examples include:

 o Connecting to the host's network shares.

 o Attempting to logon to the machine.

 o Trying to run User Manager, Event Viewer, or Server Manager against
  the machine.

 o If the host is a PDC, users will be unable to change their passwords.

 o If the host is running IIS, SQL Server, or other RPC services with
  NT integrated security, those services will not function properly.

 o Tools which display account names, e.g., ACL editors, will display
  all accounts as 'Account Unknown'.

 o The user will not be able to shut down the machine by clicking
  [Start]->Shutdown.  They will be told that they do not have
  permission, even if they actually do.  Pressing Ctrl-Alt-Del and
  selecting Shutdown on that dialog does work.

Some functions will continue to work:

 o Users who are already connected to the host's shares will continue
  to be able to access files, until they disconnect.

 o Services can be started, provided that they are configured to run
  in the SYSTEM account.

 o Many user applications will function normally.

Under certain conditions, the adverse effects may not happen
immediately.  If the host's exception system is not configured to work
automatically, then a dialog box will be displayed on the host, and
the system will work normally until the dialog is dismissed.  This
configuration is normally only found on developers' machines.  The
registry key that controls this behavior is
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug, value
"Auto".  Changing this value from the default of "1" to "0" will
enable this behavior.

[Solution]

	Install the LSA3-fix Hotfix from Microsoft to fix this
problem.  This fix can be downloaded from
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/LSA3-fix/

	In addition, Bindview suggests the use of a firewall to
prevent any connections to NetBIOS ports from untrustworthy sources.

[Notes]

1. As documented in MS Knowledgebase article Q143474, setting:

 Hive: HKEY_LOCAL_MACHINE\SYSTEM
 Key: System\CurrentControlSet\Control\LSA
 Name: RestrictAnonymous
 Type: REG_DWORD
 Value: 1

can restrict many of the anonymous (null) SMB connections.  We
strongly suggest using it.

2. This issue is also referenced in MS99-20
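
As an added example (not part of the BindView advisory), the following PowerShell script audits the two registry settings discussed above and runs a local LSA liveness probe so that a dead LSA is reported explicitly instead of surfacing only as 'Account Unknown'. It assumes the registry paths exactly as given in this advisory and that .NET's NTAccount.Translate goes through the LSA name-lookup path.

```powershell
# Added audit script, not part of the advisory. Run locally on the host
# under an administrative account.

$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$aeDebugKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'

# 1. RestrictAnonymous (Q143474). Per the advisory this does NOT prevent the
#    LSA crash; it only limits what anonymous (null) SMB sessions can do.
$ra = (Get-ItemProperty -Path $lsaKey -Name RestrictAnonymous `
           -ErrorAction SilentlyContinue).RestrictAnonymous
if ($ra -ge 1) {
    "RestrictAnonymous = $ra (anonymous enumeration limited; crash still possible)"
} else {
    "RestrictAnonymous missing or 0 (consider setting it to 1 per Q143474)"
}

# 2. AeDebug\Auto. With "0" a crash in the LSA process blocks on a dialog and
#    the host keeps working until it is dismissed, which masks the outage.
#    The default "1" lets the failure surface immediately.
$auto = (Get-ItemProperty -Path $aeDebugKey -Name Auto `
             -ErrorAction SilentlyContinue).Auto
if ($auto -eq '0') {
    "AeDebug\Auto = 0 (crash dialog will block; outage may be delayed or masked)"
} else {
    "AeDebug\Auto = $auto (default; crash is handled automatically)"
}

# 3. Liveness probe: translate a well-known account name to its SID.
#    Assumption: NTAccount.Translate calls the LSA lookup API, so once the
#    LSA has died this throws instead of returning a SID.
try {
    $acct = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
    "LSA name lookup OK: BUILTIN\Administrators -> $($sid.Value)"
} catch {
    "LSA name lookup FAILED ($($_.Exception.Message)); LSA may be down, expect the logon and share failures described in the advisory"
}
```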
