Windows NT leaks
Two denial-of-service attacks work their way past Service Pack 4
(IDG) -- Our two-part coverage of Windows NT Service Pack 4 (SP4) has been expanded this week because we received late confirmation from Microsoft about two security flaws that are not fixed by the application of SP4. Both are old exploits of notoriously buggy components -- the NT Spooler Service (spoolss.exe) and the Local Security Authority SubSystem (LSASS).
Both attacks require access to Windows-specific ports (TCP and UDP 135-139) that should be blocked at your Internet firewall. As a result, the chances of anonymous crackers exploiting them from distant locales are slight. However, users on internal networks with access to these ports could cause malfunctions that range from annoying to critical on your NT servers should they dig up canned exploit code or possess the means to write their own.
The NT Spooler Service vulnerability -- known as spooleak -- takes advantage of a well-documented memory leak in the NT print spooler, which processes print jobs sent by clients to print queues on the server. By connecting to the spooler via a named pipe and sending random data, one can trigger the memory leak and cause the spooler (spoolss.exe) to peg the server's CPU at 100 percent.
By default, this connection can be initiated over a null session, meaning even unauthenticated users can wreak havoc using this hole. To disable the attack over null sessions, you will have to remove the SPOOLSS entry from the REG_MULTI_SZ value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes. However, this still won't stop authenticated users from being able to attack the service.
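As an added example (not code from the column or from Microsoft), a PowerShell audit of the NullSessionPipes registry value described above. It assumes a current Windows host where the LanmanServer key sits at the path reconstructed from the column, and the -Fix switch is this script's own naming.

```powershell
# Audit (and optionally harden) the NullSessionPipes value the column tells
# you to edit. If "SPOOLSS" is listed, the spooler's named pipe is reachable
# over an anonymous null session. Assumes the LanmanServer key at the
# (reconstructed) path below; -Fix is this script's own switch, not a Windows one.
param([switch]$Fix)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'NullSessionPipes'

# REG_MULTI_SZ comes back as a string array; treat a missing value as empty.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) { $current = @() }

# Pipe names are case-insensitive, so compare with -ieq.
$exposed = @($current | Where-Object { $_ -ieq 'SPOOLSS' })

if ($exposed.Count -eq 0) {
    Write-Output "OK: SPOOLSS is not in $ValueName; null-session access to the spooler pipe is not granted here."
    return
}

Write-Warning "SPOOLSS is listed in $ValueName; anonymous clients can open the spooler named pipe."
if (-not $Fix) {
    Write-Output 'Re-run with -Fix to remove the entry (authenticated users can still reach the pipe).'
    return
}

# Drop only the SPOOLSS entry and write the remaining list back as REG_MULTI_SZ.
$hardened = @($current | Where-Object { $_ -ine 'SPOOLSS' })
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value ([string[]]$hardened) -Type MultiString
Write-Output "Removed SPOOLSS from $ValueName; restart the Server service so it re-reads the value."
```

Run it from an elevated prompt; without -Fix it only reports, so it is safe to schedule as a recurring check across NT file servers.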
The code to automate the exploit is not public, and we have no intention of making it so.
Our second SP4 vulnerability is actually a post-SP3 flaw that appears to have risen, Phoenix-like, from the ashes. Those of you familiar with the lsa-fix and lsa2-fix following SP3 will recall that those patches fixed numerous problems with the LSASS, which performs the authentication of log-on credentials passed from the WinLogon process against the Security Account Manager or other authentication packages.
One of those LSASS problems occurred when clients sent a malformed request to the LSA over a named pipe, killing lsass.exe and thus preventing local log-on to that machine.
The problem file was reported as lsaserv.dll, and the patched version referenced in KB article Q182918 resolved this issue. However, SP4 introduced a new version of this Dynamic Link Library that appears freshly vulnerable to this exploit. Of course, the old lsa2-fix can't be applied over SP4. We send our thanks to some diligent watchdogs on the NTBugTraq mailing list; they noticed this development in late October.
The common thread underlying both of these problems is the misuse of Remote Procedure Call (RPC) over named pipes as channels of attack against common NT subsystems. Microsoft was unable to confirm at press time whether inherent problems with NT RPC were at the root of these seemingly unrelated bugs.
Respondents to our previous straw poll about who is waiting for Windows 2000 SP1 will have a good chuckle upon hearing that two new security flaws have resurfaced in SP4. Despite our concerns, and to its credit, Microsoft has responded quickly to these two problems, providing fixes within weeks of their appearance.
Are these latest security bugs an indication of a very difficult problem to address, or is Microsoft simply the most visible target for our attention? We just settled a vitriolic debate with the Linux community over our Queso column, so let's see if the NT partisans play nicer. Don't hesitate to send your sentiments our way at email@example.com.
Stuart McClure, a senior manager at Ernst & Young's Information Security Services, and InfoWorld Technology Analyst Joel Scambray have managed information security in academic, corporate, and government environments for the past nine years.
© 2000 Cable News Network. All Rights Reserved.