Re: Windows NT LSA Remote Denial of Service
From: jpr5 () BOS BINDVIEW COM (Jordan Ritter)
Date: Thu, 16 Dec 1999 20:28:06 -0500

On Thu, 16 Dec 1999, NAI Labs wrote:
# This new vulnerability affects all Windows NT 4.0 hosts including
# those with Service packs up to and including SP6a.
# causing the LSA process to reference invalid memory resulting in an
# application error.

I wouldn't really call this a "new" vulnerability at all. BindView's
advisory on a previously discovered remote vulnerability in the LSA
(Phantom), released 6 months ago:
is essentially the same thing -- NAI just uses a different syscall.

I suspect that there are more than just a few vulnerabilities of this
nature still lurking in the LSA, nay, in the NT API. It would be
interesting to see someone write a sort of LSA or Win32 API "fuzz". It
would probably turn up a surprising number of problems, although maybe not
so surprising to some of us..

The readership should note that while these above URLs reference patches
for the Syskey weak encryption vulnerability, resulting from a recently
released BindView advisory
patch itself already included fixes for this particular DoS. This is
mentioned in the Security Bulletin, I believe.