[NT] Microsoft Active Directory Denial-of-Service (MS08-035)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 15 Jun 2008 11:57:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Active Directory Denial-of-Service (MS08-035)
------------------------------------------------------------------------
SUMMARY
SECURIFY has discovered a denial-of-service vulnerability in Microsoft
Active Directory (AD) in which a domain user sending a specially-crafted
LDAP request causes the Active Directory server to initiate a controlled
restart. Specific products and versions affected and the hotfixes for
them are detailed in Microsoft Security Bulletin MS08-035 (953235).
DETAILS
After receiving the LDAP request, the AD server returns a partial list of
the requested data to the client. After an additional minute or so,
Windows initiates a controlled restart with a 60-second countdown timer.
The shutdown dialog box displays status code -1073741819.
After restarting, errors similar to the following are found in the
application event log:
Type: Error
Source: Application Error
Category: (100)
Event ID: 1000
Description: Faulting application lsass.exe, version <version>,
faulting module authz.dll, version <version>, fault address 0x00001d8f
Type: Error
Source: Winlogon
Category: None
Event ID: 1015
Description: A critical system process, C:\Windows\system32\lsass.exe,
failed with status code c0000005. The machine must now be restarted.
Type: Information
Source: Application Error
Category: (100)
Event ID: 1004
Description: Reporting queued error:
Faulting application lsass.exe, version <version>, faulting module
authz.dll, version <version>, fault address 0x00001d8f
Errors similar to the following are recorded in the Directory Service
event log:
Type: Error
Source: NTDS General
Category: Internal Processing
Event ID: 1168
Description: Internal error: An Active Directory error has occurred.
Additional Data:
Error value (decimal): 8411
Error value (hex): 20db
Internal ID: 3151e4a
Type: Warning
Source: NTDS General
Category: Internal Processing
Event ID: 1173
Description: Internal event: Active Directory has encountered the
following exception and associated parameters:
Exception: c0000005
Parameter: 0
Additional Data:
Error value: 76c41d8f
Internal ID: 0
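A way to check exported event text for this post-restart signature, as an added example that is not part of the original advisory or any vendor tooling. It assumes the logs were exported in the Type/Source/Event ID/Description layout shown above; the function and indicator names are hypothetical. The shutdown dialog's -1073741819 is the signed 32-bit form of the c0000005 seen in the events, so the code normalises it before matching.

```python
import re
FIELD = re.compile(r"\s*(Type|Source|Category|Event ID|Description):\s*(.*)")

def ntstatus_hex(code):  # -1073741819 (shutdown dialog) -> "c0000005" (event text)
    return format(int(code) & 0xFFFFFFFF, "08x")

def parse_events(text):  # records laid out as Type/Source/Event ID/Description
    events, last = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Type":       # "Type:" opens a new record
            events.append({})
        if m and events:
            last = m.group(1)
            events[-1][last] = m.group(2).strip()
        elif events and last == "Description" and line.strip():
            events[-1][last] += " " + line.strip()   # wrapped description text
    return events

def match_signature(events, status=ntstatus_hex(-1073741819)):
    """Return the names of the advisory's post-restart indicators that are present."""
    hits = set()
    for ev in events:
        key = (ev.get("Source"), ev.get("Event ID"))
        desc = ev.get("Description", "").lower()
        if key == ("Application Error", "1000") and "lsass.exe" in desc and "authz.dll" in desc:
            hits.add("lsass_fault_in_authz")
        elif key == ("Winlogon", "1015") and "lsass.exe" in desc and status in desc:
            hits.add("lsass_critical_failure")
        elif key == ("NTDS General", "1173") and "exception: " + status in desc:
            hits.add("ntds_access_violation")
    return hits

# Constructed sample, shaped like the excerpts above (versions omitted).
SAMPLE = r"""Type: Error
Source: Application Error
Event ID: 1000
Description: Faulting application lsass.exe, faulting module authz.dll
Type: Error
Source: Winlogon
Event ID: 1015
Description: A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.
Type: Warning
Source: NTDS General
Event ID: 1173
Description: Internal event: Active Directory has encountered the following
exception and associated parameters:
Exception: c0000005
"""
```

All three indicators appearing together on a domain controller after an unexpected restart match the pattern described here; any one alone only shows that lsass.exe or the directory service hit an access violation.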
Workarounds:
Block TCP ports 389, 636 and 3268 to your Active Directory server from
untrusted sources.
Disclosure timeline:
2007-12-08 Initial contact and response from Microsoft PSS
2007-12-27 Initial contact attempt to Microsoft Security Response Center
2008-01-08 Second contact attempt to Microsoft Security Response Center
2008-02-11 Initial response from Microsoft Security Response Center
2008-06-10 Hotfix made publicly available by Microsoft
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1445>
CVE-2008-1445
ADDITIONAL INFORMATION
The information has been provided by <mailto:bulletins@xxxxxxxxxxxx>
Securify Bulletins.