Windows NT leaks

Two denial-of-service attacks work their way past Service Pack 4

December 2, 1998
Web posted at: 2:30 PM EST

by Stuart McClure and Joel Scambray


(IDG) -- Our two-part coverage of Windows NT Service Pack 4 (SP4) has been expanded this week because we received late confirmation from Microsoft about two security flaws that are not fixed by the application of SP4. Both are old exploits of notoriously buggy components -- the NT Spooler Service (spoolss.exe) and the Local Security Authority SubSystem (LSASS).


Both attacks require access to Windows-specific ports (TCP and UDP 135-139) that should be blocked at your Internet firewall. As a result, the chances of anonymous crackers exploiting them from distant locales are slight. However, users on internal networks with access to these ports could cause malfunctions that range from annoying to critical on your NT servers should they dig up canned exploit code or possess the means to write their own.

The NT Spooler Service vulnerability -- known as spooleak -- takes advantage of a well-documented memory leak in the NT print spooler, which processes print jobs sent by clients to print queues on the server. By connecting to the spooler via a named pipe and sending random data, one can trigger the memory leak and drive the spooler process (spoolss.exe) to 100 percent CPU utilization on the server.

By default, this connection can be initiated over a null session, meaning even unauthenticated users can wreak havoc using this hole. To block the attack over a null session, remove the SPOOLSS entry from the REG_MULTI_SZ value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes. However, this still won't stop authenticated users from attacking the service.
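The following script is an added example, not part of the original article or any Microsoft tool: it audits the NullSessionPipes value named above and, when run with -Fix, removes the SPOOLSS entry. It assumes a host where the Windows PowerShell registry provider is available; the key path and value name are the ones the article gives.

```powershell
# Added example: audit (and optionally harden) the LanmanServer NullSessionPipes
# value so the SPOOLSS named pipe is no longer reachable over a null session.
param([switch]$Fix)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'NullSessionPipes'

function Get-NullSessionPipes {
    # REG_MULTI_SZ is returned as string[]; a missing value yields an empty list.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$valueName | Where-Object { $_ -ne '' })
}

$pipes = Get-NullSessionPipes
Write-Host ("Current {0}: {1}" -f $valueName, ($pipes -join ', '))

# Case-insensitive match: the value is stored as typed, usually "SPOOLSS".
$exposed = @($pipes | Where-Object { $_ -ieq 'SPOOLSS' })
if ($exposed.Count -eq 0) {
    Write-Host 'OK: SPOOLSS is not exposed over null sessions.'
    return
}

Write-Warning 'SPOOLSS is listed in NullSessionPipes: the spooler is reachable anonymously.'
if ($Fix) {
    [string[]]$remaining = @($pipes | Where-Object { $_ -ine 'SPOOLSS' })
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $remaining -Type MultiString
    Write-Host 'Removed SPOOLSS from NullSessionPipes; restart the Server service for the change to take effect.'
}
```

As the article notes, this only closes the anonymous path; authenticated users who can reach TCP/UDP 135-139 can still connect to the pipe, so the firewall rule remains the primary control.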

The code to automate the exploit is not public, and we have no intention of making it so.

Our second SP4 vulnerability is actually a post-SP3 flaw that appears to have risen, Phoenix-like, from the ashes. Those of you familiar with the lsa-fix and lsa2-fix hotfixes that followed SP3 will recall that those patches fixed numerous problems with the LSASS, which authenticates the log-on credentials passed from the WinLogon process against the Security Account Manager or other authentication packages.

One of those LSASS problems occurred when clients sent a malformed request to the LSA over a named pipe, killing lsass.exe and thus preventing local log-on to that machine.

The problem file was reported as lsaserv.dll, and the patched version referenced in KB article Q182918 resolved this issue. However, SP4 introduced a new version of this Dynamic Link Library that appears freshly vulnerable to this exploit. Of course, the old lsa2-fix can't be applied over SP4. We send our thanks to some diligent watchdogs on the NTBugTraq mailing list; they noticed this development in late October.

Spooler Service memory leak (spooleak)

SUMMARY: The Windows NT Spooler Service is vulnerable to random data being sent to it via the named pipe SPOOLSS. When this occurs, the Spooler Service claims all available CPU resources.

LSASS access violation

SUMMARY: A remote client can connect to the Local Security Authority over a named pipe and pass an incorrect buffer size (fragment length), causing an access violation in the Local Security Authority SubSystem (lsass.exe). After this occurs, users cannot log on locally and the tools that rely on LSA/LSARPC do not function.

TARGET: Windows NT 4.0 SP4

TYPE: Denial of Service

DATE: Pre-Service Pack 3

CODE: Not publicly available

SOURCE: Unknown

ATTACKER: Any capable of connecting via the requisite named pipe

FIX: Will be posted by Microsoft shortly; see /security/bulletins for updates

The common thread underlying both of these problems is the misuse of Remote Procedure Call (RPC) over named pipes as channels of attack against common NT subsystems. Microsoft was unable to confirm at press time whether inherent problems with NT RPC were at the root of these seemingly unrelated bugs.

Respondents to our previous straw poll about who is waiting for Windows 2000 SP1 will have a good chuckle upon hearing that two new security flaws have resurfaced in SP4. Despite our concerns, and to its credit, Microsoft has responded quickly to these two problems, providing fixes within weeks of their appearance.

Are these latest security bugs an indication of a very difficult problem to address, or is Microsoft simply the most visible target for our attention? We just settled a vitriolic debate with the Linux community over our Queso column, so let's see if the NT partisans play nicer. Don't hesitate to send your sentiments our way at

Stuart McClure, a senior manager at Ernst & Young's Information Security Services, and InfoWorld Technology Analyst Joel Scambray have managed information security in academic, corporate, and government environments for the past nine years.

© 2000 Cable News Network. All Rights Reserved.