[NT] DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding (MS04-011)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/18/04

    To: list@securiteam.com
    Date: 18 Apr 2004 12:15:57 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding (MS04-011)
    ------------------------------------------------------------------------

    SUMMARY

    The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol is
    used to negotiate which security mechanism should be adopted. Windows
    supports several authentication mechanisms and uses SPNEGO to negotiate
    which of them a client and a server will use.

    There is a security vulnerability in the way Windows decodes SPNEGO
    protocol data, which allows attackers to launch DoS attacks.

    When a carefully crafted SPNEGO NegTokenInit request is sent, a null
    pointer dereference can occur in LSASRV.DLL, crashing LSASS.EXE. This makes
    every operation that depends on system authentication (such as remote
    access to an SMB share, or interactive local login) unavailable. On
    Windows 2003 it results in an automatic shutdown or a bluescreen.

    Attackers can launch the attack through any service that uses SPNEGO, such
    as those on TCP ports 139 and 445. By default IIS also uses SPNEGO to
    negotiate which authentication protocol (for example NTLM or Kerberos)
    should be adopted, so it is also possible to launch the attack through
    IIS.

    According to the vendor's response, the same type of malformed request
    could still have triggered a buffer overflow in the subsequent code if only
    the DoS issue had been fixed. The vendor's patch fixes both the DoS and the
    buffer overflow issues.
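    The token at the centre of this advisory has a fixed ASN.1/DER shape (RFC 2478): a GSS-API InitialContextToken carrying the SPNEGO OID and a [0] NegTokenInit SEQUENCE whose fields are mechTypes, reqFlags, mechToken and mechListMIC. The following validator is an added example, not code from the advisory, NSFOCUS or Microsoft; it shows the checks a robust decoder performs before any field is used, namely that every DER length stays inside the buffer, that the outer OID really is SPNEGO, and that the mandatory mechTypes list is present and non-empty. The advisory does not say which field the crafted request malformed, so the rejected samples (an empty mechTypes list, a truncated token, a wrong outer OID) are constructed here purely to exercise the checks. The OID constants are the standard SPNEGO, NTLMSSP and Microsoft Kerberos identifiers; the encoder at the bottom exists only to build the sample input.

```python
# Added example: structural validator for a SPNEGO NegTokenInit (RFC 2478).
# Not part of the advisory; sample tokens below are constructed for the demo.

SPNEGO_OID = "1.3.6.1.5.5.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"   # Microsoft NTLMSSP
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # Microsoft Kerberos


class MalformedToken(ValueError):
    """Raised so a bad token never reaches mechanism-specific code."""


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next)."""
    if pos + 2 > len(buf):
        raise MalformedToken("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:                                   # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise MalformedToken("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):             # the check a crashing decoder skips
        raise MalformedToken("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """DER OID contents -> dotted string, rejecting a cut-off last arc."""
    if not raw:
        raise MalformedToken("empty OID")
    arcs, value, pending = [raw[0] // 40, raw[0] % 40], 0, False
    for b in raw[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise MalformedToken("truncated OID")
    return ".".join(str(a) for a in arcs)


def parse_neg_token_init(token):
    """Validate GSS-API framing and return the NegTokenInit fields as a dict."""
    tag, body, end = _read_tlv(token, 0)
    if tag != 0x60 or end != len(token):
        raise MalformedToken("not a single InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise MalformedToken("outer mechanism OID is not SPNEGO")
    tag, inner, _ = _read_tlv(body, pos)
    if tag != 0xA0:                          # [0] NegTokenInit
        raise MalformedToken("expected NegTokenInit choice")
    tag, seq, _ = _read_tlv(inner, 0)
    if tag != 0x30:
        raise MalformedToken("NegTokenInit is not a SEQUENCE")
    fields = {"mechTypes": [], "reqFlags": None, "mechToken": None, "mechListMIC": None}
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                      # [0] mechTypes: SEQUENCE OF OID
            t, lst, _ = _read_tlv(val, 0)
            if t != 0x30:
                raise MalformedToken("mechTypes is not a SEQUENCE")
            p = 0
            while p < len(lst):
                t, oid, p = _read_tlv(lst, p)
                if t != 0x06:
                    raise MalformedToken("mechTypes entry is not an OID")
                fields["mechTypes"].append(_decode_oid(oid))
        elif tag == 0xA1:                    # [1] reqFlags (BIT STRING)
            fields["reqFlags"] = val
        elif tag == 0xA2:                    # [2] mechToken (OCTET STRING)
            t, val, _ = _read_tlv(val, 0)
            if t != 0x04:
                raise MalformedToken("mechToken is not an OCTET STRING")
            fields["mechToken"] = val
        elif tag == 0xA3:                    # [3] mechListMIC
            fields["mechListMIC"] = val
        else:
            raise MalformedToken("unexpected NegTokenInit field tag 0x%02x" % tag)
    if not fields["mechTypes"]:              # nothing to negotiate without it
        raise MalformedToken("mechTypes missing or empty")
    return fields


def is_well_formed(token):
    """True if the token passes every structural check above."""
    try:
        parse_neg_token_init(token)
        return True
    except MalformedToken:
        return False


# Minimal DER encoder, used only to construct the sample tokens.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                     # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_neg_token_init(mechs, mech_token=b""):
    """Build a well-formed NegTokenInit offering the given mechanisms."""
    parts = _der(0xA0, _der(0x30, b"".join(_encode_oid(m) for m in mechs)))
    if mech_token:
        parts += _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _encode_oid(SPNEGO_OID) + _der(0xA0, _der(0x30, parts)))


if __name__ == "__main__":
    good = build_neg_token_init([NTLMSSP_OID, MS_KRB5_OID], b"NTLMSSP\x00")
    print(parse_neg_token_init(good)["mechTypes"])
    print(is_well_formed(build_neg_token_init([])), is_well_formed(good[:-4]))
```

    Every length is bounds-checked before the slice is taken, and the parser fails closed with MalformedToken rather than returning partial results, which is the behaviour a decoder in a privileged process such as LSASS needs so that one bad request from an unauthenticated client cannot take authentication down for the whole host.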

    DETAILS

    Impact:
    NSFOCUS Security Team has found a remote DoS vulnerability in the SPNEGO
    protocol decoding function of Microsoft Windows. By exploiting it, remote
    attackers could cause a Windows system to crash or malfunction.

    Workaround:
    * Restrict access to the following ports from untrusted IPs at the
    firewall:

    445/UDP
    139/TCP
    445/TCP

    * For systems providing web service through IIS, either of the following
    methods can be used to mitigate the threat:

    1. Disable "Integrated Windows authentication" in the IIS service

    2. Disable authentication negotiation and allow only NTLM authentication
    with the following command:

    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

    adsutil.vbs can be found in the adminscripts directory of IIS.

    More detail is available at:
    http://support.microsoft.com/?id=215383

    Vendor Status:
    2004.02.19 Informed the vendor
    2004.02.19 Vendor confirmed the vulnerability
    2004.04.13 Microsoft released a security bulletin (MS04-011) and the
    related patches for the vulnerability.

    Detailed information for the Microsoft security bulletin is available at:
    http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

    ADDITIONAL INFORMATION

    The information has been provided by Chen Qing of NSFOCUS Security Team
    (security@nsfocus.com).

    The original article can be found at:
    http://www.nsfocus.com/english/homepage/research/0401.htm

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

