发信人: williamlong()
整理人: williamlong(2002-12-01 16:43:47), 站内信件
|
======================================================================
Network Associates, Inc. SECURITY ADVISORY December 16, 1999
Windows NT LSA Remote Denial of Service
======================================================================
SYNOPSIS
An implementation flaw in the Local Security Authority subsystem of Windows NT, known as the LSA, allows both local or remote attackers to halt the processing of security information requiring the host to be restarted.
======================================================================
VULNERABLE HOSTS
This new vulnerability affects all Windows NT 4.0 hosts including those with Service packs up to and including SP6a.
======================================================================
DETAILS
The Local Security Authority is the center of the Windows NT security subsystem. The LSA is a user-mode process (LSASS.EXE) used to maintain security information of a system known as the Local Security Policy. The Local Security Policy is stored in the registry and includes such information as who has permission to access the system, who is assigned privileges and what security auditing is performed.
The majority of the security subsystem components run within the context of the LSASS process, including the Security Accounts Manager (SAM) that is responsible for maintaining the SAM database stored in the registry. Also the default authentication package (MSV1_0.DLL) that determines whether username and password match information stored in the SAM database.
In addition other user-mode processes request services from the LSA such as the login process (WINLOGON.EXE) to authenticate username and passwords that are entered when interactive users logon and logoff. Also, the network logon service (SERVICES.EXE) which responds to network logon requests also utilizes the LSA to verify authentication.
Disrupting the Local Security Authority halts almost all user-mode security authentication requiring a Windows NT host to be restarted.
======================================================================
TECHNICAL DETAILS
Windows NT provides the ability to open and manipulate the LSA through an series of APIs. To programmatically manage the Local Security Policy of a local or remote system a session is established with that system's Local Security Authority. If a session is successfully established an LSA Policy handle will be returned for usage in all subsequent API calls.
One specific API LsaLookupSids() utilizes the LSA to map one or more SIDs of user accounts, group accounts, alias accounts or domains to names. Invalid arguments passed to this API are incorrectly verified causing the LSA process to reference invalid memory resulting in an application error.
======================================================================
RESOLUTION
Microsoft has issued a patch for this vulnerability, which can be obtained at the following address:
x86:
http://www.microsoft.com/downloads/release.asp?ReleaseID=16798
Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=16799
Microsoft's Security Bulletin for this vulnerability can be found at:
http://www.microsoft.com/security/bulletins/ms99-057.asp
Additional information can be found in Microsoft Knowledge Base article Q248185, SID Enumeration Function in LSA May Not Handle Argument Properly:
http://support.microsoft.com/support/kb/articles/q248/1/85.asp
======================================================================
CREDITS
Discovery and documentation of this vulnerability was conducted by Anthony Osborne of the Security Labs at Network Associates.
======================================================================
ABOUT THE NETWORK ASSOCIATES SECURITY LABS
The Security Labs at Network Associates hosts some of the most important research in computer security today. With over 30 security advisories published in the last 2 years, the Network Associates security auditing teams have been responsible for the discovery of many of the Internet's most serious security flaws. This advisory represents our ongoing commitment to provide critical information to the security community.
For more information about the Security Labs at Network Associates, see our website at http://www.nai.com or contact us at <[email protected]>.
======================================================================
-- ☆ 蓝色月光 ☆ http://williamlong.163.net
※ 来源:.网易 BBS bbs.netease.com.[FROM: bbs.huizhou.gd.cn]
|
|