Re: Windows NT LSA Remote Denial of Service

[jpr5 () BOS BINDVIEW COM (Jordan Ritter)]

On Thu, 16 Dec 1999, NAI Labs wrote:

# This new vulnerability affects all Windows NT 4.0 hosts including
# those with Service packs up to and including SP6a.

[...]

# causing the LSA process to reference invalid memory resulting in an
# application error.

I wouldn't really call this a "new" vulnerability at all.  BindView's
advisory on a previously discovered remote vulnerability in the LSA
(Phantom), released 6 months ago:

http://www.bindview.com/security/advisory/phantom_a.html

is essentially the same thing -- NAI just uses a different syscall.

I suspect that there are more than just a few vulnerabilities of this
nature still lurking in the LSA, nay, in the NT API.  It would be
interesting to see someone write a sort of LSA or Win32 API "fuzz".  It
would probably turn up a surprising number of problems, although maybe not
so surprising to some of us..

# http://www.microsoft.com/downloads/release.asp?ReleaseID=16798
# http://www.microsoft.com/downloads/release.asp?ReleaseID=16799

The readership should note that while these above urls reference patches
for the Syskey weak encryption vulnerability, resulting from a recently
released BindView advisory
(http://www.bindview.com/security/advisory/adv_WinNT_syskey.html), the
patch itself already included fixes for this particular DoS.  This is
mentioned in the Security Bulletin, I believe.

Jordan Ritter
RAZOR Security
BindView Corporation