 |
| CNN WEB SITES: |
|
| TIME INC. SITES: |
| MORE SERVICES: |
| video on demand |
| video archive |
| audio on demand |
| news email services |
| free email accounts |
| desktop headlines |
| pointcast |
| pagenet |
| DISCUSSION: |
| message boards |
| chat |
| feedback |
| SITE GUIDES: |
| help |
| contents |
| search |
| FASTER ACCESS: |
| europe |
| japan |
| WEB SERVICES: |
Windows NT leaks
Two denial-of-service attacks work their way past Service Pack 4
|
December 2, 1998 by Stuart McClure and Joel Scambray |
From...
|
(IDG) -- Our two-part coverage of Windows NT Service Pack 4 (SP4) has been expanded this week because we received late confirmation from Microsoft about two security flaws that are not fixed by the application of SP4. Both are old exploits of notoriously buggy components -- the NT Spooler Service (spoolss.exe) and the Local Security Authority SubSystem (LSASS).
|
| ||
|---|---|---|
|
IDG.net home page | |
| InfoWorld home page | ||
| InfoWorld forums home page | ||
| InfoWorld Internet commerce section | ||
| Get Media Grok and The Industry Standard Intelligencer delivered for free | ||
| Reviews & in-depth info at IDG.net | ||
| IDG.net's personal news page | ||
| Subscribe to IDG.net's free daily newsletter for IT leaders | ||
| Questions about computers? Let IDG.net's editors help you | ||
|
Search IDG.net in 12 languages | ||
| News Radio | ||
|
Fusion audio primers | |
|
|
Computerworld Minute | |
Both attacks require access to Windows-specific ports (TCP and UDP 135-139) that should be blocked at your Internet firewall. As a result, the chances of anonymous crackers exploiting them from distant locales are slight. However, users on internal networks with access to these ports could cause malfunctions that range from annoying to critical on your NT servers should they dig up canned exploit code or possess the means to write their own.
The NT Spooler Service vulnerability -- known as spooleak -- takes advantage of a well-documented memory leak in the NT print spooler, which processes print jobs sent by clients to print queues on the server. By connecting to the spooler via a named pipe and sending random data, one can induce the memory leak and cause the spooler (spoolss.exe) to set the CPU on the server at 100 percent.
By default, this connection can be initiated over a null-session, meaning even nonauthenticated users can wreak havoc using this hole. To disable the attack over null-session, you will have to remove the line "SPOOLSS" from HKeyLocalMachine \System \CurrContrlSet \Services \LanmanServer \Parameters \NullSession Pipes(REG_MULTI_SZ). However, this still won't stop authenticated users from being able to attack the service.
The code to automate the exploit is not public, and we have no intention of making it so.
Our second SP4 vulnerability is actually a post-SP3 flaw that appears to have risen, Phoenix-like, from the ashes. Those of you familiar with the lsa- fix and lsa2- fix following SP3 will recall that those patches fixed numerous problems with the LSASS, which performs the authentication of log-on credentials passed from the WinLogon process against the Security Account Manager or other authentication packages.
One of those LSASS problems occurred when clients sent a malformed request to the LSA over a named pipe, killing lsass.exe and thus preventing local log-on to that machine.
The problem file was reported as lsaserv.dll, and the patched version referenced in KB article Q182918 resolved this issue. However, SP4 introduced a new version of this Dynamic Link Library that appears freshly vulnerable to this exploit. Of course the old lsa2- fix can't be applied over SP4. We send our thanks to some diligent watchdogs on the NTBugTraq mailing list; they noticed this development in late October.
HACK REPORTSpooleak SUMMARY: The Windows NT Spooler Service is vulnerable to random data being sent to it via the named pipe SPOOLSS. When this occurs, the Spooler Service claims all available CPU resources.
LSASS access violation SUMMARY: A remote client can connect to the Local Security Authority over a named pipe and pass an incorrect buffer size (fragment length), causing an access violation in the Local Security Authority SubSystem (lsass.exe). After this occurs, users cannot log on locally and the tools that rely on LSA/LSARPC do not function. TARGET: Windows NT 4.0 SP4 TYPE: Denial of Service DATE: Pre-Service Pack 3 CODE: Not publicly available SOURCE: Unknown ATTACKER: Any capable of connecting via the requisite named pipe FIX: Will be posted by Microsoft shortly; see www.microsoft.com /security /bulletins for updates |
The common thread underlying both of these problems is the misuse of Remote Procedure Call (RPC) over named pipes as channels of attack against common NT subsystems. Microsoft was unable to confirm at press time whether inherent problems with NT RPC were at the root of these seemingly unrelated bugs.
Respondents to our previous straw poll about who is waiting for Windows 2000 SP1 will have a good chuckle upon hearing that two new security flaws have resurfaced in SP4. Despite our concerns, and to its credit, Microsoft has responded quickly to these two problems, providing fixes within weeks of their appearance.
Are these latest security bugs an indication of a very difficult problem to address, or is Microsoft simply the most visible target for our attention? We just settled a vitriolic debate with the Linux community over our Queso column, so let's see if the NT partisans play nicer. Don't hesitate to send your sentiments our way at security_watch@infoworld.com.
Stuart McClure, a senior manager at Ernst & Young's Information Security Services, and InfoWorld Technology Analyst Joel Scambray have managed information security in academic, corporate, and government environments for the past nine years.