Bugtraq mailing list archives

Warning: LSASS.EXE problems

From: aleph1 () DFW NET (Aleph One)
Date: Tue, 8 Sep 1998 11:39:33 -0500

---------- Forwarded message ----------
Date: Mon, 7 Sep 1998 16:07:00 +0100
From: Mnemonix <mnemonix () globalnet co uk>
To: ntsecurity () iss net
Subject: [NTSEC] Warning: LSASS.EXE problems

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo () iss net
Contact ntsecurity-owner () iss net for help with any problems!
---------------------------------------------------------------------------

LSASS.EXE demonstrates a number of problems that can be exploited through a
null session causing a Denial of Service attack.

The LSA can only handle 2048 open SAMR pipes. What's more garbage can be
written to the pipe that causes lsass.exe to begin eating all available
memory.
An attacker could open 2048 SAMR pipes and then fill the last with garbage.
The consequences of this means that no-one can log on and the server, as
memory becomes scarce begins to droop and slow with the LSA eventually not
being able to keep track of open resources (see "In Use" from server
manager) and processor usage raises c.65% from base level.

This affects NT Server 4, NT Workstation 4 upto sp3.

To demonstrate this problem I have created an executable called ubend.exe
(pun on pipes and abend [cheers Sam Thornton of Diligence]).
This is available for download from
http://www.globalnet.co.uk/~mnemonix/ubend.zip

l8r

Mnemonix

Current thread:

Re: Reading read-protected devices in *BSD Chris Wilson (Sep 07)
- Re: your mail Matt Watson (Sep 07)
- wwwthreads discussion forum security holes Ken Williams (Sep 08)
- Warning: LSASS.EXE problems Aleph One (Sep 08)