Bugtraq mailing list archives

Vulnerability In LSA on Windows NT SP5


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Wed, 18 Aug 1999 09:13:35 -0700


----- Forwarded message from "Galipeau, William" <William.Galipeau () FMR COM> -----

Date:         Thu, 12 Aug 1999 17:28:48 -0400
From: "Galipeau, William" <William.Galipeau () FMR COM>
Subject:      FW: Vulnerability In LSA on Windows NT SP5
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM

I inadvertently sent this to the wrong address.  My apologies.

-----Original Message-----
From: Galipeau, William
Sent: Thursday, August 12, 1999 10:15 AM
To: russ.cooper () rc on ca
Subject: Vulnerability In LSA on Windows NT SP5

Russ,
A few months ago I found a vulnerability in NT 4.0 configured with SP5.
I downloaded a trial copy of Network Associates Cyber Cop version 5.0.
I ran a scan using all the Denial of Service based attack options.  All
failed but one: the "Windows NT- LSASS.EXE Denial of Service attack."
When you run a scan on an NT 4.0 machine configured with SP5 (with or
without the LSA3 hot fix) utilizing this option, the target machine will
lock, not allowing users to authenticate to the server remotely or
locally.  The only way to correct the problem is to physically reboot
the server.  Also, to make matters worse, the audit logs on the target
server do not illustrate where the attacks were launched from.  Because
Cyber Cop allows you to run this scan on any IP or any host of IPs, an
intruder could attack a large base of servers in a relatively short
amount of time without leaving a reliable audit trail.
I reported this issue to Microsoft on 6/23/99 (I have an incident
number).  I have been following up with Microsoft, but they have been
reluctant to provide much detail on the issue.  Hopefully you can help
motivate them.
Thanks

----- End forwarded message -----

