COMPUTING

Windows NT leaks

Two denial-of-service attacks work their way past Service Pack 4

December 2, 1998
Web posted at: 2:30 PM EST

by Stuart McClure and Joel Scambray

(IDG) -- Our two-part coverage of Windows NT Service Pack 4 (SP4) has been expanded this week because we received late confirmation from Microsoft about two security flaws that are not fixed by the application of SP4. Both are old exploits of notoriously buggy components -- the NT Spooler Service (spoolss.exe) and the Local Security Authority SubSystem (LSASS).


Both attacks require access to Windows-specific ports (TCP and UDP 135-139) that should be blocked at your Internet firewall. As a result, the chances of anonymous crackers exploiting them from distant locales are slight. However, users on internal networks with access to these ports could cause malfunctions that range from annoying to critical on your NT servers should they dig up canned exploit code or possess the means to write their own.
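The paragraph above turns on one control: the Windows-specific ports should never be reachable from outside the perimeter. The script below is an added example, not part of the original article, that checks a firewall log for exactly that. It reads constructed sample lines loosely modelled on the Windows Firewall text-log layout (the field names and the IP addresses are made up for the illustration), treats the RFC 1918 ranges as "internal", and separates allowed external connections to TCP/UDP 135-139 (a policy gap) from dropped ones (the firewall doing its job).

```python
"""Flag traffic to the Windows RPC/NetBIOS ports (TCP/UDP 135-139) that reached
a host from outside the internal address space.  Added example; the log format
and addresses below are constructed for illustration."""
import ipaddress
from typing import Dict, List

# 135 is the RPC endpoint mapper, 137-139 are NetBIOS over TCP/IP.
WINDOWS_PORTS = range(135, 140)

# Assumption: these RFC 1918 ranges are the organisation's internal networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, loosely modelled on the Windows Firewall text log:
# date time action protocol src-ip dst-ip src-port dst-port ... path
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
1998-12-02 14:30:01 ALLOW TCP 192.168.1.20 192.168.1.5 1045 139 0 - 0 0 0 - - - RECEIVE
1998-12-02 14:30:02 ALLOW TCP 203.0.113.7 192.168.1.5 2231 139 0 - 0 0 0 - - - RECEIVE
1998-12-02 14:30:03 ALLOW UDP 203.0.113.7 192.168.1.5 137 137 0 - - - - - - - RECEIVE
1998-12-02 14:30:04 DROP TCP 198.51.100.9 192.168.1.5 40000 135 0 - 0 0 0 - - - RECEIVE
1998-12-02 14:30:05 ALLOW TCP 203.0.113.7 192.168.1.5 2232 80 0 - 0 0 0 - - - RECEIVE
"""


def is_internal(ip: str, nets=INTERNAL_NETS) -> bool:
    """True if the address falls inside one of the internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: treat as external so it is reviewed
    return any(addr in net for net in nets)


def audit_windows_ports(log_text: str, nets=INTERNAL_NETS) -> Dict[str, List[Dict[str, str]]]:
    """Split external hits on 135-139 into those the firewall let through and those it dropped."""
    report: Dict[str, List[Dict[str, str]]] = {"allowed_external": [], "dropped_external": []}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip header and blank lines
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed record
        action, proto, src, dst, dport = fields[2], fields[3], fields[4], fields[5], fields[7]
        if proto not in ("TCP", "UDP") or not dport.isdigit():
            continue
        if int(dport) not in WINDOWS_PORTS or is_internal(src, nets):
            continue
        entry = {"time": f"{fields[0]} {fields[1]}", "proto": proto,
                 "src": src, "dst": dst, "dport": dport}
        bucket = "allowed_external" if action == "ALLOW" else "dropped_external"
        report[bucket].append(entry)
    return report


if __name__ == "__main__":
    result = audit_windows_ports(SAMPLE_LOG)
    for hit in result["allowed_external"]:
        print("POLICY GAP:", hit)
    print(f"{len(result['dropped_external'])} external attempt(s) correctly dropped")
```

Anything in `allowed_external` means a perimeter rule is missing or too broad; the dropped entries are useful only as a measure of how often the ports are being probed.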

The NT Spooler Service vulnerability -- known as spooleak -- takes advantage of a well-documented memory leak in the NT print spooler, which processes print jobs sent by clients to print queues on the server. By connecting to the spooler via a named pipe and sending random data, one can trigger the memory leak and drive the spooler (spoolss.exe) to consume 100 percent of the server's CPU.

By default, this connection can be initiated over a null session, meaning even unauthenticated users can wreak havoc using this hole. To disable the attack over null sessions, you will have to remove the entry "SPOOLSS" from the REG_MULTI_SZ value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes. However, this still won't stop authenticated users from being able to attack the service.
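The mitigation above is a registry edit, and the usual way to review it across many servers is to audit an export of the key rather than open each machine's editor. The script below is an added example, not code from the article or from Microsoft: it parses the `hex(7)` encoding that `reg export` uses for REG_MULTI_SZ values (UTF-16LE, each string NUL-terminated, the list closed by an extra NUL, long lines wrapped with a trailing backslash), reports whether SPOOLSS is still listed under NullSessionPipes, and emits a `.reg` fragment with the entry removed. The sample export and the other pipe names in it are constructed for the illustration.

```python
"""Audit an exported LanmanServer Parameters key for the SPOOLSS null-session pipe.
Added example; the sample .reg text below is constructed, not taken from a real host."""
from typing import Dict, List

REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
VALUE_NAME = "NullSessionPipes"
RISKY_PIPE = "SPOOLSS"

# Constructed sample of what `reg export` produces for this key.  hex(7) is a
# REG_MULTI_SZ: UTF-16LE bytes, each string NUL-terminated, list ended by an
# extra NUL, and lines longer than ~80 columns wrapped with a trailing backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
  00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,\
  53,00,00,00,00,00
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,00,00
'''


def _join_continuations(text: str) -> List[str]:
    """Re-join values that reg export wrapped with a trailing backslash."""
    joined: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    return joined


def decode_multi_sz(hex_csv: str) -> List[str]:
    """Turn the 'xx,xx,...' UTF-16LE payload into the list of strings a REG_MULTI_SZ holds."""
    data = bytes(int(h, 16) for h in hex_csv.split(",") if h)
    text = data.decode("utf-16-le")
    # Each string is NUL-terminated and the list ends with an extra NUL; drop the empties.
    return [s for s in text.split("\0") if s]


def encode_multi_sz(strings: List[str]) -> str:
    """Inverse of decode_multi_sz: build the hex(7) payload for a .reg file."""
    data = "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def parse_reg(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {key_path: {value_name: [strings]}} for every hex(7) value in a .reg export."""
    result: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=hex(7):" in line:
            name, payload = line.split("=hex(7):", 1)
            result[current][name.strip('"')] = decode_multi_sz(payload)
    return result


def audit_null_session_pipes(reg_text: str) -> Dict[str, object]:
    """Report whether SPOOLSS is reachable over a null session and what the hardened list is."""
    parsed = parse_reg(reg_text)
    # Registry key names are case-insensitive, so match the path that way.
    values = next((v for k, v in parsed.items() if k.lower() == REG_KEY.lower()), {})
    pipes = values.get(VALUE_NAME, [])
    hardened = [p for p in pipes if p.upper() != RISKY_PIPE]
    return {"pipes": pipes, "spoolss_exposed": len(hardened) != len(pipes), "hardened": hardened}


def hardened_reg_fragment(reg_text: str) -> str:
    """A .reg fragment (for `reg import`) that rewrites NullSessionPipes without SPOOLSS."""
    hardened = audit_null_session_pipes(reg_text)["hardened"]
    return (f"Windows Registry Editor Version 5.00\n\n[{REG_KEY}]\n"
            f'"{VALUE_NAME}"={encode_multi_sz(hardened)}\n')


if __name__ == "__main__":
    report = audit_null_session_pipes(SAMPLE_REG)
    print("null-session pipes:", report["pipes"])
    if report["spoolss_exposed"]:
        print("SPOOLSS is exposed over null sessions; import this to fix:\n")
        print(hardened_reg_fragment(SAMPLE_REG))
```

The fragment only rewrites the one value, so the other pipes in the list survive the change; as the article notes, this closes the unauthenticated path but does nothing for users who can already authenticate to the server.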

The code to automate the exploit is not public, and we have no intention of making it so.

Our second SP4 vulnerability is actually a post-SP3 flaw that appears to have risen, Phoenix-like, from the ashes. Those of you familiar with the lsa-fix and lsa2-fix following SP3 will recall that those patches fixed numerous problems with the LSASS, which performs the authentication of log-on credentials passed from the WinLogon process against the Security Account Manager or other authentication packages.

One of those LSASS problems occurred when clients sent a malformed request to the LSA over a named pipe, killing lsass.exe and thus preventing local log-on to that machine.

The problem file was reported as lsaserv.dll, and the patched version referenced in KB article Q182918 resolved this issue. However, SP4 introduced a new version of this Dynamic Link Library that appears freshly vulnerable to this exploit. Of course the old lsa2-fix can't be applied over SP4. We send our thanks to some diligent watchdogs on the NTBugTraq mailing list; they noticed this development in late October.

HACK REPORT


Spooleak

SUMMARY: The Windows NT Spooler Service is vulnerable to random data being sent to it via the named pipe SPOOLSS. When this occurs, the Spooler Service claims all available CPU resources.


LSASS access violation

SUMMARY: A remote client can connect to the Local Security Authority over a named pipe and pass an incorrect buffer size (fragment length), causing an access violation in the Local Security Authority SubSystem (lsass.exe). After this occurs, users cannot log on locally and the tools that rely on LSA/LSARPC do not function.

TARGET: Windows NT 4.0 SP4

TYPE: Denial of Service

DATE: Pre-Service Pack 3

CODE: Not publicly available

SOURCE: Unknown

ATTACKER: Any capable of connecting via the requisite named pipe

FIX: Will be posted by Microsoft shortly; see www.microsoft.com/security/bulletins for updates

The common thread underlying both of these problems is the misuse of Remote Procedure Call (RPC) over named pipes as channels of attack against common NT subsystems. Microsoft was unable to confirm at press time whether inherent problems with NT RPC were at the root of these seemingly unrelated bugs.

Respondents to our previous straw poll about who is waiting for Windows 2000 SP1 will have a good chuckle upon hearing that two new security flaws have resurfaced in SP4. Despite our concerns, and to its credit, Microsoft has responded quickly to these two problems, providing fixes within weeks of their appearance.

Are these latest security bugs an indication of a very difficult problem to address, or is Microsoft simply the most visible target for our attention? We just settled a vitriolic debate with the Linux community over our Queso column, so let's see if the NT partisans play nicer. Don't hesitate to send your sentiments our way at security_watch@infoworld.com.

Stuart McClure, a senior manager at Ernst & Young's Information Security Services, and InfoWorld Technology Analyst Joel Scambray have managed information security in academic, corporate, and government environments for the past nine years.

