On Thu, 16 Dec 1999, NAI Labs wrote:
# This new vulnerability affects all Windows NT 4.0 hosts including
# those with Service packs up to and including SP6a.
[...]
# causing the LSA process to reference invalid memory resulting in an
# application error.
I wouldn't really call this a "new" vulnerability at all. BindView's
advisory on a previously discovered remote vulnerability in the LSA
(Phantom), released 6 months ago:
http://www.bindview.com/security/advisory/phantom_a.html
is essentially the same thing -- NAI just uses a different syscall.
I suspect that there are more than just a few vulnerabilities of this
nature still lurking in the LSA, nay, in the NT API. It would be
interesting to see someone write a sort of LSA or Win32 API "fuzz". It
would probably turn up a surprising number of problems, although maybe not
so surprising to some of us..
# http://www.microsoft.com/downloads/release.asp?ReleaseID=16798
# http://www.microsoft.com/downloads/release.asp?ReleaseID=16799
The readership should note that while these above urls reference patches
for the Syskey weak encryption vulnerability, resulting from a recently
released BindView advisory
(http://www.bindview.com/security/advisory/adv_WinNT_syskey.html), the
patch itself already included fixes for this particular DoS. This is
mentioned in the Security Bulletin, I believe.
Jordan Ritter
RAZOR Security
BindView Corporation
